Use boto3 with temporary credentials with SAML authentication

At our company, all employees have G Suite accounts, and when accessing the AWS Management Console, Google is used as the Identity Provider for SAML authentication and single sign-on [^sso]. In this setup, the STS Assume Role mechanism [^assume_role] is used to obtain temporary credentials, and the management console is accessed as a federated user. There is no need to create an IAM user for each employee just to access the management console, which saves the trouble of managing those accounts.

[^sso]: Single sign-on to AWS using G Suite account | AWS Startup Blog

[^assume_role]: Thorough understanding of IAM roles ~ Identity of AssumeRole | Developers.IO

The one problem with introducing single sign-on, though, is access keys. You cannot issue a (persistent) access key, because there are no IAM users in the first place. There are many cases where you need one, such as transferring files from your local machine to S3 with the AWS CLI, or accessing AWS resources with boto3 from a Jupyter Notebook. [^access_key]

[^access_key]: It is also argued that storing a highly privileged access key on a local machine is a security risk in the first place.

So in this post I will summarize how to use boto3 with temporary credentials obtained through SAML authentication.

The official documentation [^awscli] already describes how to do this with the AWS CLI, so I have simply ported that procedure to Python (boto3).

[^awscli]: Use the AWS CLI to call and store SAML credentials (https://aws.amazon.com/jp/premiumsupport/knowledge-center/aws-cli-call-store-saml-credentials/)

Prepare Role ARN and IdP ARN

The Role ARN is the ARN of the IAM role to be assumed, and the IdP ARN is the ARN of the SAML Identity Provider registered in IAM.

role_arn = 'arn:aws:iam::123456789012:role/GSuiteMember'
idp_arn = 'arn:aws:iam::123456789012:saml-provider/Google'

Get SAML Response

How to view a SAML response in your browser for troubleshooting - AWS Identity and Access Management (https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/troubleshoot_saml_view-saml-response.html)

By performing SAML authentication in the browser as described there, you can obtain the SAML Response as a string.

saml_response = '...Very long string...'

The SAML Response is Base64 encoded and very long, so take care to copy it completely.

Get access key

With the information gathered so far, you can obtain temporary credentials using the AssumeRoleWithSAML API [^assume_role_with_saml]. This call must be made within 5 minutes of the SAML authentication.

import boto3

# AssumeRoleWithSAML is an unsigned call: no existing credentials are required
sts = boto3.client('sts')
response = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=idp_arn, SAMLAssertion=saml_response)
credentials = response['Credentials']  # AccessKeyId, SecretAccessKey, SessionToken, Expiration

Use the access key

You can then use these temporary credentials to access AWS resources as you normally would.

session = boto3.session.Session(
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'],
    region_name='ap-northeast-1',
)

# Get a list of EC2 instances
ec2 = session.client('ec2')
ec2.describe_instances()
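The procedure above hardcodes the Role ARN and IdP ARN, but the SAML assertion itself carries them in its Role attribute, and STS rejects assertions older than 5 minutes. The following is an added example (not code from the original post) that reads the role/provider pairs and the IssueInstant out of the Base64 SAML Response, refuses stale assertions before calling STS, and then performs the same AssumeRoleWithSAML call; the embedded SAML document is a constructed, unsigned sample, and the ARN values are the placeholders from this post.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
MAX_ASSERTION_AGE = 300  # STS rejects assertions issued more than 5 minutes ago

# Constructed, unsigned sample for offline testing only: a real SAMLResponse is
# signed by the IdP and STS verifies that signature; this code does not.
_SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Assertion IssueInstant="2024-01-01T00:00:00Z"><saml:AttributeStatement>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<saml:AttributeValue>arn:aws:iam::123456789012:role/GSuiteMember,arn:aws:iam::123456789012:saml-provider/Google</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(_SAMPLE_XML).decode()

def _assertion(saml_response_b64):
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return root.find("saml:Assertion", SAML_NS)

def parse_saml_roles(saml_response_b64):
    """Return [(role_arn, idp_arn), ...] from the assertion's Role attribute."""
    pairs = []
    for attr in _assertion(saml_response_b64).iter("{%s}Attribute" % SAML_NS["saml"]):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            first, second = (s.strip() for s in value.text.split(","))
            # IdPs may emit either order; the role ARN is the one containing ':role/'.
            role_arn, idp_arn = (first, second) if ":role/" in first else (second, first)
            pairs.append((role_arn, idp_arn))
    return pairs

def assertion_age_seconds(saml_response_b64):
    """Seconds elapsed since the assertion's IssueInstant (UTC)."""
    stamp = _assertion(saml_response_b64).get("IssueInstant").replace("Z", "+00:00")
    return (dt.datetime.now(dt.timezone.utc) - dt.datetime.fromisoformat(stamp)).total_seconds()

def assume_role_with_saml(saml_response_b64, role_arn, duration=3600):
    """Exchange the SAML response for temporary credentials for role_arn."""
    age = assertion_age_seconds(saml_response_b64)
    if age > MAX_ASSERTION_AGE:
        raise ValueError("SAML assertion is %.0f s old; sign in again" % age)
    idp_arn = dict(parse_saml_roles(saml_response_b64))[role_arn]  # KeyError: role not granted
    import boto3  # imported lazily so the parsing helpers run without boto3 installed
    sts = boto3.client("sts")  # AssumeRoleWithSAML needs no caller credentials
    response = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=idp_arn,
                                         SAMLAssertion=saml_response_b64, DurationSeconds=duration)
    return response["Credentials"]
```

Pass the returned dictionary to boto3.session.Session exactly as in the snippet above; DurationSeconds must not exceed the maximum session duration configured on the role.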
