At our company, all employees have G Suite accounts, and when accessing the AWS Management Console, Google is used as the Identity Provider for SAML authentication and single sign-on [^sso]. In this setup, the STS AssumeRole mechanism [^assume_role] is used to obtain temporary credentials and access the management console as a federated user. There is no need to create an IAM user for each employee just to reach the management console, which saves the trouble of managing those accounts.
[^sso]: Single sign-on to AWS using G Suite account | AWS Startup Blog
[^assume_role]: Thorough understanding of IAM role ~ Identity of AssumeRole | Developers.IO
However, the one problem with introducing single sign-on is the access key. You can't issue a (persistent) access key because there are no IAM users in the first place. There are many cases where you need an access key, such as transferring files from your local machine to S3 with the AWS CLI, or accessing AWS resources with boto3 from a Jupyter Notebook. [^access_key]
[^access_key]: There is also the argument that storing a highly privileged access key on a local machine is itself a security risk in the first place.
Therefore, in this post I summarize how to use boto3 with temporary credentials obtained through SAML authentication.
The official document [^awscli] describes how to do this with the AWS CLI, so this post simply does the same thing with Python (boto3).
[^awscli]: [Use AWS CLI to call and save SAML credentials](https://aws.amazon.com/jp/premiumsupport/knowledge-center/aws-cli-call-store-saml-credentials/)
The Role ARN is the ARN of the IAM role assumed via AssumeRole, and the IdP ARN is the ARN of the SAML Identity Provider registered in IAM.
```python
role_arn = 'arn:aws:iam::123456789012:role/GSuiteMember'
idp_arn = 'arn:aws:iam::123456789012:saml-provider/Google'
```
[How to View a SAML Response in Your Browser for Troubleshooting - AWS Identity and Access Management](https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/troubleshoot_saml_view-saml-response.html)
By performing SAML authentication in the browser as described there, the SAML Response string can be obtained.
```python
saml_response = '...very long string...'
```
The SAML Response is Base64 encoded and very long, so take care to copy the whole string.
With the information so far, you can get a temporary access key using the AssumeRoleWithSAML API [^assume_role_with_saml]. This call must be made within 5 minutes of the SAML authentication.
```python
import boto3

sts = boto3.client('sts')
response = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=idp_arn, SAMLAssertion=saml_response)
# Temporary credentials: AccessKeyId, SecretAccessKey, SessionToken and their Expiration
credentials = response['Credentials']
```
You can then use these temporary credentials to access AWS resources just as you normally would.
```python
# `credentials` is the dict returned by assume_role_with_saml above
session = boto3.session.Session(
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'],
    region_name='ap-northeast-1',
)
# Get a list of EC2 instances
ec2 = session.client('ec2')
ec2.describe_instances()
```
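Putting the steps above together, here is an added example (not code from the original post) that reads the role and provider ARNs out of the SAML Response itself instead of hard-coding them, checks that the response is still inside the 5-minute window STS accepts, and only then calls `assume_role_with_saml`. The SAML XML, the `_constructed` assertion ID and the 2024 timestamp are constructed sample data; the attribute name `https://aws.amazon.com/SAML/Attributes/Role` and its `role_arn,provider_arn` value format are the ones AWS defines.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
MAX_AGE = dt.timedelta(minutes=5)  # STS rejects assertions older than this

# Constructed, unsigned sample; a real one is the Base64 string copied from the browser
SAMPLE_SAML_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Assertion ID="_constructed" IssueInstant="2024-05-01T09:00:00Z"><saml:AttributeStatement>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>
arn:aws:iam::123456789012:role/GSuiteMember,arn:aws:iam::123456789012:saml-provider/Google
</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_SAML_XML.encode()).decode()

def parse_saml_response(saml_response_b64):
    """Return (IssueInstant as aware datetime, [(role_arn, idp_arn), ...]) from a Base64 SAML Response."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find(".//saml:Assertion", NS)
    issued = dt.datetime.fromisoformat(assertion.get("IssueInstant").replace("Z", "+00:00"))
    pairs = []
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            # Each value is "arn,arn"; the order of role and provider ARN varies by IdP
            first, second = (v.strip() for v in value.text.split(","))
            pairs.append((first, second) if ":role/" in first else (second, first))
    return issued, pairs

def assertion_is_fresh(issued, now=None):
    """True while the assertion is within the 5-minute window STS accepts."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return now - issued < MAX_AGE

def session_from_saml(saml_response_b64, role_arn, region_name="ap-northeast-1"):
    issued, pairs = parse_saml_response(saml_response_b64)
    idp_arn = dict(pairs).get(role_arn)  # use the provider ARN the IdP paired with this role
    if idp_arn is None:
        raise ValueError(f"{role_arn} is not among the roles the IdP asserted: {pairs}")
    if not assertion_is_fresh(issued):
        raise ValueError("SAML response is older than 5 minutes; sign in again")
    import boto3  # imported here so the parser and freshness check run without boto3 installed
    creds = boto3.client("sts").assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=idp_arn, SAMLAssertion=saml_response_b64)["Credentials"]
    return boto3.session.Session(aws_access_key_id=creds["AccessKeyId"],
                                 aws_secret_access_key=creds["SecretAccessKey"],
                                 aws_session_token=creds["SessionToken"], region_name=region_name)
```

Because the sample response is dated 2024, `session_from_saml(SAMPLE_SAML_RESPONSE, role_arn)` raises the freshness error before contacting STS; with a response just copied from the browser it returns a `Session` usable exactly like the one above.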