Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

Switching accounts without logging in again #438

Open tolidano opened 4 years ago

tolidano commented 4 years ago

We use Okta + Duo with a master IAM account provisioning roles in many sub-accounts. I have a single configuration in .saml2aws to authenticate to the main app with no role specified.

When I login:

✔ ~ 
09:00 $ saml2aws login --profile default --skip-prompt
Using IDP Account default to access Okta https://<OKTA>/home/amazon_aws/<APP_ID>/272
Authenticating as <MYSELF> ...
? Select a DUO MFA Option Duo Push
Pushed a login request to your device...
Success. Logging you in...
? Please choose the role  [Use arrows to move, type to filter]
> Account: A (1) / sre
  Account: B (2) / sre
  Account: C (3) / sre

When I pick one, say, A, it logs me in and puts the credentials into the [default] profile in ~/.aws/credentials as expected.

Now, if at some point I need to be in another account, say, B, I attempt to run this: saml2aws login --skip-prompt --role=arn:aws:iam::2:role/sre. But it says "credentials are not expired skipping".

The only way to switch account is to write "--force" which then puts me through Duo again.

Ideally, I'd be able to switch around between accounts A, B, and C without Duo again - it's already been authenticated once.

How do I accomplish this?

tolidano commented 4 years ago

As a clarification, I see that I do not need to write "--force" but I do still need to Duo whenever switching role (the first time).

xiaket commented 4 years ago

Please correct me if I'm wrong, but I think this is a missing feature in saml2aws.

I was using saml2aws and then switched to gimme-aws-creds; with that tool, we could somehow save all the roles locally, essentially allowing us to do a second assume-role call when the creds are not expired.

wendtek commented 4 years ago

It definitely seems that IdP session credential saving is a missing feature. I would love to see it implemented to only need to do login and MFA once, but get multiple role session credentials.

As it works now, if I'm using Okta with PUSH as my MFA option, most saml2aws commands actually seem to require authenticating via MFA twice.

BEllis commented 2 years ago

I use this and don't have any problems switching between profiles/roles/accounts:

# Add a single saml2aws IdP account (defaults to the "dev" profile).
# --cache-saml keeps the SAML response so later role logins can reuse it instead of going through Okta/Duo again.
saml2aws configure -a saml --quiet --profile=dev --idp-provider Okta --username username --mfa PUSH -r us-east-1 \
   --cache-saml --skip-prompt --url https://idp/auth/saml

# Add AWS profiles: each profile delegates credential lookup to saml2aws via credential_process,
# so the SDK/CLI fetches role credentials on demand for that role ARN.
setupAwsProfile() {
    local PROFILE="$1"
    local IDP_ACCOUNT="$2"
    local REGION="$3"
    local OUTPUT="$4"
    local ROLE_ARN="$5"
    aws configure --profile "$PROFILE" set region "$REGION"
    aws configure --profile "$PROFILE" set output "$OUTPUT"
    # --skip-prompt and --quiet matter here: credential_process runs non-interactively
    aws configure --profile "$PROFILE" set credential_process "saml2aws login -a $IDP_ACCOUNT --skip-prompt --quiet --credential-process --role $ROLE_ARN --profile $PROFILE"
}

setupAwsProfile dev saml us-east-1 json ARN_ROLE_1
setupAwsProfile stage saml us-east-1 json ARN_FOR_ROLE_2
setupAwsProfile prod saml us-east-1 json AWS_FOR_ROLE_3

Then to use aws you just change profile:

aws --profile dev eks list-clusters

or

AWS_PROFILE=stage aws eks list-clusters
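As an added example (not code from the thread or from the saml2aws project): a small audit over an `~/.aws/config` in the shape the `setupAwsProfile` function above produces. It lists the target account of every saml2aws-backed profile and flags `credential_process` commands that would try to prompt, since the SDK runs them non-interactively. The config text is constructed; the account IDs and role names are placeholders.

```python
import configparser
import re
import shlex

# Constructed sample ~/.aws/config (not a real file); "prod" deliberately omits the
# non-interactive flags so the audit has something to report.
SAMPLE_CONFIG = """
[profile dev]
region = us-east-1
output = json
credential_process = saml2aws login -a saml --skip-prompt --quiet --credential-process --role arn:aws:iam::111111111111:role/sre --profile dev

[profile prod]
region = us-east-1
output = json
credential_process = saml2aws login -a saml --credential-process --role=arn:aws:iam::333333333333:role/sre --profile prod

[profile static]
region = us-east-1
aws_access_key_id = EXAMPLEKEYID
"""

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
NON_INTERACTIVE_FLAGS = ("--skip-prompt", "--quiet", "--credential-process")


def flag_value(argv, name):
    """Return the value of a flag given as '--name value' or '--name=value', else None."""
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None


def audit(config_text):
    """Map each saml2aws-backed profile to its target account ID and a list of problems."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    findings = {}
    for section in cp.sections():
        if not cp.has_option(section, "credential_process"):
            continue  # static keys or role_arn/source_profile chains are out of scope here
        argv = shlex.split(cp.get(section, "credential_process"))
        if not argv or not argv[0].endswith("saml2aws"):
            continue
        problems = [f"missing {f}" for f in NON_INTERACTIVE_FLAGS if f not in argv]
        match = ROLE_ARN.match(flag_value(argv, "--role") or "")
        if not match:
            problems.append("no valid --role ARN")
        findings[section] = {"account": match.group(1) if match else None, "problems": problems}
    return findings
```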