Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

Documentation on using the keychain / linux keyring? #666

Open pwillis-els opened 3 years ago

pwillis-els commented 3 years ago

Any docs on how to use the keychain on a server instance that doesn't have a GUI keychain installed? I'm really out of touch, because I did a bunch of googling and still have absolutely no clue how to use the keychain function of saml2aws in a regular stripped-down text-only Linux server. I don't write Go, so looking into the Linux documentation on keyring, and the Go modules, has provided very little context on how to actually set up and use the keychain/keyring.

Thank you

sledigabel commented 3 years ago

The linux keyring implementation is here: https://github.com/Versent/saml2aws/blob/master/helper/linuxkeyring/linuxkeyring.go

It seems to be using three keyring backends:

        AllowedBackends: []keyring.BackendType{
            keyring.KWalletBackend,
            keyring.SecretServiceBackend,
            keyring.PassBackend,
        },

Given you're not running a desktop, I suspect you'll fall into the Pass backend: https://www.passwordstore.org/ I haven't looked deeply into it, but I think it's storing your keys into a file called .password-store.

pwillis-els commented 3 years ago

I was able to solve this for pass. I still don't know how the other keychains work...

In addition, I got the credential_process feature to work, which enables AWS CLI to automatically refresh my credentials (using non-interactive MFA) so I'm adding all of it below.

This is for Ubuntu Linux 18.04.5, using pass, git, gpg, saml2aws, and AWS CLI (v1).

  1. Install pass: https://www.passwordstore.org/#download
  2. Install gpg:
    $ sudo apt-get install gnupg2
  3. Generate a GPG key:
    $ gpg -v --quick-generate-key EMAIL-ADDRESS
  4. Set up pass store:
    $ pass init EMAIL-ADDRESS
    $ pass git init
  5. Set up saml2aws:
    $ saml2aws configure
  6. Set up AWS config file ~/.aws/config:

    [profile nonprod]
    region = us-east-1
    output = json
    credential_process = saml2aws login --skip-prompt --quiet --credential-process --role arn:aws:iam::NONPRODAWSACCTID:role/ROLENAME --profile nonprod-saml2aws
    
    [profile production]
    region = us-east-1
    output = json
    credential_process = saml2aws login --skip-prompt --quiet --credential-process --role arn:aws:iam::PRODAWSACCTID:role/ROLENAME --profile production-saml2aws
  7. Make sure saml2aws can load your credentials automatically without prompting (if you get a password prompt, it should be from your system keychain/gpg, not saml2aws):
    $ saml2aws list-roles --skip-prompt
  8. Test AWS CLI:
    $ aws --profile production s3 ls

NOTE: You must use either a fully-qualified path with a custom --credentials-file, or a different --profile argument for saml2aws. Otherwise, the credentials for the AWS profile will be stored in the default ~/.aws/credentials file. When the credentials expire, AWS will load those credentials for the AWS profile before running credential_process, leading to AWS refusing to refresh your session once it expires.

NOTE 2: If you use pass and gpg as above, and your system defaults to using pinentry-curses or pinentry-tty, your shell's .profile MUST export the following environment variable, or the pinentry program used by gpg will not be able to read your password in the correct terminal:

   export GPG_TTY=$(tty)
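
The step 6 config and the two NOTEs above, as one script. This is an added example, not code from the saml2aws project or from pwillis-els: it renders the [profile ...] blocks with the credential_process line, checks that no static section in the credentials file would shadow credential_process (NOTE 1) and that GPG_TTY is exported (NOTE 2). It does not invoke gpg, pass, saml2aws or the AWS CLI. The account IDs 111111111111 / 222222222222, the role name ROLENAME and the temp-file output path are placeholders; override them with the NONPROD_ACCOUNT_ID, PROD_ACCOUNT_ID and ROLE_NAME environment variables and a target path argument.

```shell
#!/bin/sh
# Added example (not from the saml2aws project): render the ~/.aws/config
# profiles from step 6 and check the two NOTE conditions. Account IDs, the
# role name and the output path below are placeholders.
set -eu

# Render one "[profile NAME]" block whose credential_process calls saml2aws.
# The profile handed to saml2aws gets a "-saml2aws" suffix so its cached
# credentials never land under the AWS CLI profile's own name (NOTE 1).
render_profile() {
    local name="$1" account_id="$2" role="$3" region="${4:-us-east-1}"
    local role_arn="arn:aws:iam::${account_id}:role/${role}"
    printf '[profile %s]\nregion = %s\noutput = json\n' "$name" "$region"
    printf 'credential_process = saml2aws login --skip-prompt --quiet --credential-process --role %s --profile %s-saml2aws\n\n' \
        "$role_arn" "$name"
}

# NOTE 1 check: a static "[NAME]" section in the credentials FILE is loaded
# before credential_process runs, so expired keys would keep being served.
# Returns 0 when no such section exists (or FILE is absent), 1 when it does.
credentials_not_shadowed() {
    local name="$1" file="$2"
    [ ! -f "$file" ] || ! grep -q "^\[${name}\][[:space:]]*$" "$file"
}

# NOTE 2 check: pinentry-curses / pinentry-tty need GPG_TTY to locate the
# terminal. Returns 0 when GPG_TTY is exported and non-empty.
gpg_tty_exported() {
    [ -n "${GPG_TTY:-}" ]
}

# Write both profiles to TARGET (defaults to a fresh temp file so a demo run
# never clobbers a real ~/.aws/config); prints the path written.
write_aws_config() {
    local target="${1:-$(mktemp)}"
    {
        render_profile nonprod    "${NONPROD_ACCOUNT_ID:-111111111111}" "${ROLE_NAME:-ROLENAME}"
        render_profile production "${PROD_ACCOUNT_ID:-222222222222}"    "${ROLE_NAME:-ROLENAME}"
    } > "$target"
    printf '%s\n' "$target"
}

# Demo: write the config to a temp file, show it, warn if GPG_TTY is unset.
cfg=$(write_aws_config)
cat "$cfg"
gpg_tty_exported || echo 'warning: GPG_TTY is not set; add export GPG_TTY=$(tty) to your .profile' >&2
```

Run it once to inspect the generated profiles, then call write_aws_config "$HOME/.aws/config" only after checking credentials_not_shadowed for each profile name against "$HOME/.aws/credentials"; a hit there means saml2aws was previously run with the same --profile as the AWS CLI profile and that stale section must be removed.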

arthurhobspice commented 1 month ago

Stumbled over this old discussion while looking for a keyring backend for MacOS. While I was able to configure saml2aws to use the pass backend on Ubuntu Linux, adhering to the README, I followed the same sequence of steps on MacOS, but without success.

After running:

saml2aws configure
? Please choose a provider: AzureAD
? Please choose an MFA Auto
? AWS Profile default
? URL https://account.activedirectory.windowsazure.com
? Username ***
? App ID ***

? Password ***
? Confirm ***

account {
  AppID: ***
  URL: https://account.activedirectory.windowsazure.com
  Username: ***
  Provider: AzureAD
  MFA: Auto
  SkipVerify: false
  AmazonWebservicesURN: urn:amazon:webservices
  SessionDuration: 7200
  Profile: default
  RoleARN: 
  Region: 
}

Configuration saved for IDP account: default

the command pass list does not show any saml2aws entry, unlike on Linux.

MacOS Sonoma 14.5 on MacBook Pro M2 (arm architecture)
saml2aws version 2.36.15
pass version 1.7.4 installed with Brew

The only workaround I found is adding a line to .zshrc like this:

export SAML2AWS_PASSWORD=$(pass show azuread)

where azuread represents my own manual entry for the Azure AD password.

Am I missing something? Or is pass backend for saml2aws simply not an option on MacOS?