cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License

Consider EOL'ing this project in favour of AWS SSO? #190

Open brainstorm opened 4 years ago

brainstorm commented 4 years ago

We recently migrated and use AWS SSO and yawsso as a CLI v1 backwards compatibility workaround. Other than this minor temporary patch (due to an unfixed AWS Go SDK issue) it has been way more reliable than this @cevoaustralia's (and others) web scraping approaches.

Please don't get me wrong, this project has been instrumental for a while at our organization but I suspect that the scraping limitations (and reliability) will only get worse over time, driving folks away from deploying reliable SSO systems.

In other words: what's the current value proposition of this project vs AWS SSO? Any additional features that I'm not aware of? Happy to be wrong about this!

/cc @reisingerf @victorskl

zeroaltitude commented 4 years ago

My question @brainstorm is, how does this solve getting the Google SSO dance automated? The value of projects like aws-google-auth is actually handling the Google side, and that is the side that to this day remains tricky. How do you accomplish that with yawsso? I read the page, and don't understand.

brainstorm commented 4 years ago

@zeroaltitude Setting up AWS SSO with Google is fairly straightforward with SAML, here's a step by step guide (one of many):

https://deductivelabs.com/blog/aws/amazon-web-services-sso-authentication-with-google-gsuite/

Yawsso only covers the "last mile" tools like terraform or CDK that do not yet support AWS SSO but just plain AWS CLI v1, as mentioned above w/ the AWS SDK Go pending issue.

zeroaltitude commented 4 years ago

OK, sorry, I have a better idea of what I mean to ask.

First off, this project here depends on much of your instructions: you do still create a GSuite AWS SSO Google App and then an AWS IAM identity SAML provider.

The thing I'm missing is this. My next step is to simply automate AWS cred creation using this tool here. Your suggestion is, use AWS SSO, and if you're using aws CLI v2, you're done, and if not, you can use yawsso to copy the creds into the V1 format. Great.

But AWS SSO does two things I either don't like or don't understand. 1) It forces you to provision AWS users, rather than just use your IAM roles set up for IDP. I would prefer not to do this. But I would if it were the only way. However, 2) the AWS SSO page suggests that it doesn't have any proven support for Google yet. Or at least, the documentation here: https://docs.aws.amazon.com/singlesignon/latest/userguide/supported-idps.html doesn't list Google. It lists Active Directory, Azure and OKTA. I don't want to then also link OKTA to Google -- too many steps.

So really my only question is: is there an easy way to use AWS SSO with GSuite? I can't seem to find a clear answer on that.

zeroaltitude commented 4 years ago

Oh, huh, never mind, found it: https://medium.com/@io_78824/introduction-8a480b2df991

Less than 6 months old. This looks promising.

EDIT: But there's a fatal flaw. Google doesn't yet support the dynamic identity creation. Which means I have to manually provision users.

TL;DR: I still see a role for the current project, but I agree that it looks like AWS and Google will someday solve this.

brainstorm commented 4 years ago

Yeah, SCIM is still lacking; that, together with having to use the yawsso "bridge", is the only significant drawback. Other than that, it works a treat!

brokenthumbs commented 3 years ago

Referencing a ticket here on the aws-cli repo, to track the progress.

https://github.com/aws/aws-cli/issues/4784

stevemac007 commented 3 years ago

Thanks for the question - something we should constantly be looking at. I'd love to be able to retire this tool, especially given how lax I've been during 2020 responding to issues and keeping it updated. But there does still seem to be a demand for keeping this alive in the meantime.

I'm aiming to get a run at some uplift here over the next week or so to resolve any key blockers - the first of which is to move off Travis CI to GitHub Actions - and look into the remaining PRs.

brainstorm commented 3 years ago

@stevemac007 At least put a reference/link to the very beginning of the README pointing to this issue?

In our experience, our transition to AWS SSO has been the difference between tons of bad UX reports with aws-google-auth, mostly related to crawling Google's HTML/auth details as this project does.

In contrast, we got 0 related issues with AWS SSO... inform new users on the README.md!

brainstorm commented 3 years ago

Btw, support for CLIv2 on AWS Terraform provider has just been merged: https://github.com/hashicorp/terraform-provider-aws/issues/10851#issuecomment-769434408

The AWS Go SDK is supporting it now, so that was pretty much the last inconvenience milestone to fully adopt SSO I reckon: https://github.com/hashicorp/terraform-provider-aws/pull/17340/files