Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

Support AWS SSO (AWS Identity Centre) IdP #1196

Open ecole-startupcraft opened 6 months ago

ecole-startupcraft commented 6 months ago

We are currently using saml2aws with Browser provider to achieve this - would be nice to have proper integration

TonioGela commented 1 month ago

Can you share the setup you have with the browser?

egorksv commented 1 month ago

Can you share the setup you have with the browser?

[default]
name                    = default
app_id                  = 
url                     = https://OURSTARTURL.awsapps.com/start/#/saml/default/SAML_APP/ins-CODE
username                = DEV_NAME
provider                = Browser
mfa                     = Auto
mfa_ip_address          = 
skip_verify             = false
timeout                 = 0
aws_urn                 = urn:amazon:webservices
aws_session_duration    = 3600
aws_profile             = AWS_SSO_PROFILE #(from ~/.aws/config)
resource_id             = 
subdomain               = 
role_arn                = 
region                  = 
http_attempts_count     = 
http_retry_delay        = 
credentials_file        = 
saml_cache              = false
saml_cache_file         = 
target_url              = 
disable_remember_device = false
disable_sessions        = false
download_browser_driver = false
headless                = false
prompter                = 

Saml2aws starts a browser session (Chromium on Mac) which is used to log in to AWS SSO first, and then proceeds to switch to SAML.

Customer's account is set up as SAML application in AWS SSO (NOT a part of the organisation).

Frankly, after reviewing this, we dropped it in favour of cross-account trust relationship and sts-assume-role instead.
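Added example, not code from the saml2aws project or from either commenter: a small Python linter that parses a saml2aws config section of the shape posted above and flags the settings a reviewer would want to check before rolling a Browser-provider profile out to a team. The sample section is constructed from the posted one (placeholder tenant and names), the 4-hour session ceiling is an assumed local policy, and the checks are derived only from the option names and values visible in that config: plain-http start URL, `skip_verify`, an over-long `aws_session_duration`, the on-disk `saml_cache`, and `download_browser_driver` fetching a driver at login time.

```python
"""Lint a saml2aws config for settings that weaken the SSO login path.

Standalone example; it does not import or call saml2aws itself.
"""
import configparser

# Constructed sample, modelled on the [default] section posted in the issue.
# Values are placeholders, not a real Identity Center tenant.
SAMPLE_CONFIG = """
[default]
name = default
url = https://OURSTARTURL.awsapps.com/start/#/saml/default/SAML_APP/ins-CODE
username = DEV_NAME
provider = Browser
mfa = Auto
skip_verify = false
aws_session_duration = 3600
aws_profile = AWS_SSO_PROFILE #(from ~/.aws/config)
saml_cache = false
download_browser_driver = false
headless = false
"""

# Assumed local policy for this example: no STS session longer than 4 hours.
MAX_SESSION_SECONDS = 4 * 3600


def load_config(text):
    """Parse saml2aws-style INI text.

    inline_comment_prefixes keeps the '#(from ~/.aws/config)' remark out of
    the aws_profile value, while the '#' inside the start URL survives because
    configparser only treats '#' as a comment when whitespace precedes it.
    interpolation=None stops any '%' in a URL from being expanded.
    """
    parser = configparser.ConfigParser(
        inline_comment_prefixes=("#", ";"), interpolation=None
    )
    parser.read_string(text)
    return parser


def _flag(section, key):
    """Read a saml2aws boolean option; missing options count as false."""
    return section.get(key, "false").strip().lower() == "true"


def lint_section(section):
    """Return a list of findings for one profile section (empty == clean)."""
    findings = []

    url = section.get("url", "").strip()
    if not url.lower().startswith("https://"):
        findings.append("url: start URL is not https; the SAML exchange would not be protected by TLS")

    if _flag(section, "skip_verify"):
        findings.append("skip_verify: TLS certificate verification of the IdP is disabled")

    raw = section.get("aws_session_duration", "3600").strip()
    duration = int(raw) if raw.isdigit() else -1
    if duration <= 0 or duration > MAX_SESSION_SECONDS:
        findings.append(f"aws_session_duration: {raw!r} is outside policy (1..{MAX_SESSION_SECONDS} seconds)")

    if _flag(section, "saml_cache"):
        findings.append("saml_cache: the SAML assertion is cached on local disk; protect or disable it")

    if _flag(section, "download_browser_driver"):
        findings.append("download_browser_driver: a browser driver is fetched at login time; pin and pre-install it instead")

    return findings


def lint_config(text):
    """Lint every section in the config; returns {section_name: [findings]}."""
    parser = load_config(text)
    return {name: lint_section(parser[name]) for name in parser.sections()}


if __name__ == "__main__":
    for profile, findings in lint_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"[{profile}] {status}")
        for finding in findings:
            print("  -", finding)
```

Run against the posted profile the linter reports no findings; flipping `skip_verify` to `true` or raising `aws_session_duration` past the assumed ceiling produces one finding per weakened option, which is the shape a pre-commit or CI check over a shared `~/.saml2aws` template could use.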