XargsUK / aesr-s3-config-sender

Browser extension to update your AESR configuration from an S3 bucket.
MIT License

Getting 403 while pulling config from S3 #310

Open upendramishradelhivery opened 2 months ago

upendramishradelhivery commented 2 months ago

Hi, I am trying to use this plugin, but it looks like there is something I am missing. First, I want to understand what a profile should be. As per my understanding, we don't need to create any new AWS IAM role/user/AccessKey; this plugin will automatically get credentials from the SAML response when we try to log in using SAML. So could you please explain in detail what a profile is exactly?

Expected behavior

[image]
XargsUK commented 2 months ago

Hi @upendramishradelhivery

You're correct that this extension automatically obtains temporary credentials using the SAML response when you log in via SAML, so there’s no need to create a new AWS IAM role, user, or AccessKey manually. Let me clarify what a "profile" refers to in this context:

A "profile" in AESR S3 Config Sender is essentially a set of configuration parameters that you define to connect to a specific S3 bucket where your AWS configuration files are stored.

For example, you might have different AWS configs stored in different AWS accounts, S3 buckets, etc. The use-case for the business I was at was that we had different AWS Organizations which had different switch roles configurations along with different SSO applications. Therefore, we would have:

The only reason for the multiple profiles feature was due to a company merger I was in the middle of, so the Orgs/access were fragmented and they never did get centralised (honestly, despite my best efforts 😆).

If you’re using an external SAML IdP (Identity Provider), like Google or Azure AD, this extension captures the SAML response and uses it to assume the appropriate role using assumeRoleWithSAML.

However, if you’re using AWS SSO (Single Sign-On) and AWS as the IdP, this extension might not work out-of-the-box because AWS SSO doesn't produce a SAML assertion in the same way external IdPs do. If that’s the case for you, please let me know, and I’ll work out adding support for AWS SSO.

Also important, and I'll raise an issue on this repo to update the documentation for this, is that you allow requests to the S3 bucket from the Chrome/Firefox extension with a CORS policy.

Below is a little over-permissive, but shows the AllowedOrigin format for Chrome/Firefox extensions in the CORS:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET"
        ],
        "AllowedOrigins": [
            "chrome-extension://chrome-extension-id",
            "moz-extension://firefox-extension-id"
        ],
        "ExposeHeaders": [
            "ETag"
        ],
        "MaxAgeSeconds": 3000
    }
]

If you keep having issues @upendramishradelhivery, please provide the debug logs (omitting secret information) along with a little more about your use-case (external or internal IdP, which one, etc.), and I can then help out a bit more. Also, if you'd prefer more of a back-and-forth conversation, I'm happy to jump into a Discord chat to discuss further (my username is xargs). Once we work out the issue, you can post a little update here so that the findings are shared with future people reading this, and so you can control what is shared 👍🏼. Let me know, and I hope the above helps!
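As an added example (not code from the extension or from anyone in this thread), the script below audits an S3 CORS rule set for the kind of over-permissiveness the reply mentions and builds a tightened, read-only rule scoped to one Chrome extension id and one Firefox install. It takes the posted JSON as constructed input. The origin checks rely on two facts about the platforms: a Chrome extension id is 32 letters in the range a-p, and a `moz-extension://` origin carries a UUID that Firefox generates per installation, so the Firefox entry has to match each user's own install rather than a single published id. The `AllowedHeaders` list in the hardened rule is an assumption (the headers a SigV4-signed browser request normally carries); if a preflight still fails, extend it from the browser's network log rather than falling back to `*`.

```python
import json
import re

# Constructed sample input: the over-permissive rule set posted in the thread,
# with its placeholder origins left in place so the audit flags them.
POSTED_CORS = json.loads("""
[
    {
        "AllowedHeaders": ["*"],
        "AllowedMethods": ["GET"],
        "AllowedOrigins": [
            "chrome-extension://chrome-extension-id",
            "moz-extension://firefox-extension-id"
        ],
        "ExposeHeaders": ["ETag"],
        "MaxAgeSeconds": 3000
    }
]
""")

# Origin shapes for the two extension platforms: a Chrome extension id is 32
# letters a-p; a Firefox moz-extension origin carries a per-installation UUID.
CHROME_ORIGIN = re.compile(r"^chrome-extension://[a-p]{32}$")
FIREFOX_ORIGIN = re.compile(r"^moz-extension://[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# The extension only ever reads the config object, so anything beyond these is excess.
READ_ONLY_METHODS = {"GET", "HEAD"}


def audit_cors_rules(rules):
    """Return a list of findings for anything broader than a read-only
    extension client needs. An empty list means the rule set is tight."""
    findings = []
    for i, rule in enumerate(rules):
        for origin in rule.get("AllowedOrigins", []):
            if origin == "*":
                findings.append(f"rule {i}: AllowedOrigins '*' lets any web page read the bucket cross-origin")
            elif not (CHROME_ORIGIN.match(origin) or FIREFOX_ORIGIN.match(origin)):
                findings.append(f"rule {i}: {origin!r} is not a real extension origin (placeholder or typo?)")
        extra = set(rule.get("AllowedMethods", [])) - READ_ONLY_METHODS
        if extra:
            findings.append(f"rule {i}: methods {sorted(extra)} allow writes; the extension only reads")
        if "*" in rule.get("AllowedHeaders", []):
            findings.append(f"rule {i}: AllowedHeaders '*' accepts any request header; list the ones the client sends")
    return findings


def hardened_rules(chrome_id, firefox_uuid):
    """Build a single read-only rule scoped to one Chrome id and one Firefox
    install UUID, and refuse to return it if the audit still finds anything."""
    rule = {
        # Assumption: the headers a SigV4-signed request from the browser carries.
        "AllowedHeaders": [
            "authorization", "x-amz-date", "x-amz-content-sha256", "x-amz-security-token",
        ],
        "AllowedMethods": ["GET"],
        "AllowedOrigins": [
            f"chrome-extension://{chrome_id}",
            f"moz-extension://{firefox_uuid}",
        ],
        "ExposeHeaders": ["ETag"],
        "MaxAgeSeconds": 3000,
    }
    rules = [rule]
    leftovers = audit_cors_rules(rules)
    if leftovers:
        raise ValueError(f"hardened rule still has findings: {leftovers}")
    return rules


if __name__ == "__main__":
    for line in audit_cors_rules(POSTED_CORS):
        print("FINDING:", line)
    # Constructed ids: a 32-letter Chrome id and a Firefox install UUID.
    tightened = hardened_rules("a" * 32, "12345678-1234-1234-1234-123456789abc")
    print(json.dumps(tightened, indent=2))
```

Run against the posted JSON it reports the two placeholder origins and the wildcard header list; the tightened rule it prints is what would go into the bucket's CORS configuration once the real ids are filled in. The audit deliberately treats a non-matching origin as a finding rather than silently accepting it, because S3 answers a preflight with no matching rule with exactly the 403 this issue is about.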