
Support for SAML authentication to get temporary credentials #3912

Closed
rebtelmiguel opened this issue Feb 7, 2019 · 3 comments
Labels
closing-soon This issue will automatically close in 4 days unless further comments are made. guidance Question that needs advice or information.

Comments

@rebtelmiguel

rebtelmiguel commented Feb 7, 2019

In my company we use GSuite as our main identity provider, with SAML integration to our AWS accounts, but this is limited to access to the console.

Currently we use temporary credentials for console login and the CLI, even for CodeCommit, which we retrieve using 3rd-party libraries (Python and Go libs such as saml2aws and samlapi) to perform the auth and retrieve the keys, which are stored in ~/.aws/credentials.

Another issue (3447) already requests this type of auth, but for AWS SSO only. Maybe something broader could be implemented.

Please use as a reference this session from Quint Van Deman at AWS re:Invent 2018, where he uses this type of approach: https://youtu.be/vbjFjMNVEpc?t=1238

A known issue with the libraries I mentioned (samlapi and saml2aws) is that they parse the HTML of the response. Initially they didn't support Captcha (in case Google triggers it), and now they have problems with Google Titan Keys.

Also for reference, Snowflake authentication through the CLI can use an external browser pointing to the IdP. With that approach, any kind of MFA or extra security handling will be covered by them.

@jamesls
Member

jamesls commented Feb 8, 2019

I'd recommend checking out awsprocesscreds (https://github.com/awslabs/awsprocesscreds) which is what we recommend for working with SAML.

You touched on some of the issues here. For many IdPs, the best option you have is parsing the HTML of a response. Additionally, each IdP has a different way of retrieving the SAML assertion. Rather than keeping the logic baked into the AWS CLI directly, we allow IdPs to write their SAML assertion retrieval logic in a separate process that can integrate with the CLI. The repo I linked above has support for Okta and ADFS, but you can also extend that as needed.

The other issue that's shown in Quint's re:Invent talk is that if you just use ~/.aws/credentials, it has no concept of automatically refreshing for you. You have to rerun that script when your credentials expire. With the process provider, the CLI/SDK will automatically invoke your process when your credentials are close to expiring.

Let me know if you have any other questions.
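As an added example (not code from this thread or from awsprocesscreds), here is the part of a credential_process helper that sits after the IdP-specific login: picking the role/provider pair out of the SAML assertion's Role attribute, emitting the JSON contract the CLI reads, and deciding when a cached credential is too close to expiry to reuse. The assertion and the STS credential values are constructed for the demo; the config lines in the comment assume the standard `credential_process` setting.

```python
import base64
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# ~/.aws/config wiring (assumed standard setting):
#   [profile saml]
#   credential_process = /usr/local/bin/saml-creds --role Dev
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed minimal assertion (not a real IdP response); signature omitted.
SAMPLE_ASSERTION = base64.b64encode(f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>arn:aws:iam::111122223333:role/Dev,arn:aws:iam::111122223333:saml-provider/GSuite</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/GSuite,arn:aws:iam::111122223333:role/Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""".encode()).decode()


def parse_roles(assertion_b64):
    """Return (role_arn, principal_arn) pairs from a base64 SAML assertion.
    AWS lets the IdP list each value as 'role,provider' or 'provider,role';
    this normalises the order so the caller can pass both to AssumeRoleWithSAML."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            a, b = [s.strip() for s in value.text.split(",", 1)]
            pairs.append((b, a) if ":saml-provider/" in a else (a, b))
    return pairs


def process_output(creds):
    """Format STS credentials (the shape of assume_role_with_saml()['Credentials'])
    as the JSON a credential_process must print. Including Expiration is what
    lets the CLI/SDK re-run the process as the credentials near expiry."""
    return json.dumps({
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"].astimezone(timezone.utc).isoformat(),
    })


def needs_refresh(expiration, now=None, margin=timedelta(minutes=15)):
    """True when a locally cached credential should be replaced, not reused."""
    now = now or datetime.now(timezone.utc)
    return expiration - now <= margin
```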

@jamesls jamesls added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Feb 8, 2019
@lorengordon
Contributor

Hi @jamesls, since you mentioned awsprocesscreds, any chance the PRs on that project could get some attention? In particular, awslabs/awsprocesscreds#14. We're dying to get MFA support into the utility. Thanks!

@justnance justnance added the guidance Question that needs advice or information. label Feb 9, 2019
@no-response

no-response bot commented Feb 15, 2019

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.

@no-response no-response bot closed this as completed Feb 15, 2019