Open mcfedr opened 3 years ago
Hi :wave: Do you know if there is a blocker that prevents merging this feature to the repository ?
@ph-kpichou since making this MR, I've actually reworked the project into something quite different from the original, that only uses browser-based login. If you are interested, it's now the main branch at https://github.com/ekreative/aws-saml-auth
Thanks @mcfedr, I'll probably give it a try :)
I'd be interested to know if someone else can make it work
Actually, I'm not. I tried a bit this morning but with no success. I ran this command:
aws-saml-auth --credential-process -L https://accounts.google.com/o/saml2/initsso\?idpid\=MYIDP\&spid\=MYSP\&forceauthn\=false -R eu-west-1 -r arn:aws:iam::AWSACCOUNT:role/administrator -A AWSACCOUNT
A browser tab opened, I can connect to my Google account, then I can choose the account/role I want to use on AWS, and get logged in to the console. This is the exact same process for me as when I want to log in to the console using SAML. But on the CLI, nothing else happens. I just have the WARNING:root:Opening url BLAH
message, and it hangs.
I guess I'm doing it correctly, but I don't know what is not working. A few things I thought might be an issue:
To use this version you need to add a new Google Workspace app - https://github.com/ekreative/aws-saml-auth/blob/main/README.rst#setup-aws-saml-and-google-workspace - this is so that the redirect goes to the CLI HTTP listener instead of that AWS "choose account" page.
Oh sure, sorry I didn't read well. I'll try and tell you if it works :) Thanks !
This adds the possibility to not log in to Google on the CLI, but instead go to the user's browser and use their Google session, and have it passed back to the CLI.
It works by setting up a GSuite SAML app that doesn't send the user direct to AWS, but instead to a server that is in the Python app. This can then capture the SAML and use it to access AWS.
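The flow described in the PR (a local HTTP listener receives the browser's SAML POST, the CLI extracts the role ARNs from the assertion and then exchanges it for AWS credentials) is sketched below as an added example; it is not code from aws-saml-auth or from the PR. The SAML response, the account id 123456789012 and the role names are constructed samples, and the `sts` call is only shown in a comment because it needs network access. Note that the listener itself does not verify the assertion's signature: AWS STS validates it against the registered SAML provider when `AssumeRoleWithSAML` is called, which is why the listener must only ever bind to the loopback interface.

```python
import base64
import json
import threading
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed, unsigned sample assertion (a real one carries an XML signature that STS checks).
SAMPLE_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/administrator,arn:aws:iam::123456789012:saml-provider/GoogleWorkspace</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/GoogleWorkspace,arn:aws:iam::123456789012:role/readonly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The IdP posts the response base64-encoded in a form field named SAMLResponse.
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()


def parse_roles(saml_response_b64):
    """Decode a SAMLResponse and return the (role_arn, provider_arn) pairs in its Role attribute."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                continue  # malformed value, skip rather than guess
            # AWS accepts "role,provider" or "provider,role"; normalise to role first.
            role, provider = parts if ":role/" in parts[0] else parts[::-1]
            roles.append((role, provider))
    return roles


class SamlCaptureHandler(BaseHTTPRequestHandler):
    """Accepts the browser's form POST and stores the SAMLResponse on the server object."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        saml = form.get("SAMLResponse", [None])[0]
        if saml is None:
            self.send_response(400)
            self.end_headers()
            return
        self.server.captured = saml
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Login captured, you can close this tab.")

    def log_message(self, *args):
        pass  # keep the assertion out of the CLI's logs


def start_listener():
    """Bind a one-shot listener to loopback only; port 0 lets the OS pick a free port."""
    server = HTTPServer(("127.0.0.1", 0), SamlCaptureHandler)
    server.captured = None
    return server, server.server_address[1]


def wait_for_saml(server):
    """Block until exactly one request has been handled, then return the captured SAMLResponse."""
    server.handle_request()
    return server.captured


def simulate_browser_post(port, saml_b64):
    """Stand-in for the IdP redirecting the browser to the local ACS URL (test helper)."""
    data = urllib.parse.urlencode({"SAMLResponse": saml_b64}).encode()
    with urllib.request.urlopen(f"http://127.0.0.1:{port}/", data=data, timeout=5) as resp:
        return resp.status


def roundtrip_demo():
    """Start the listener, post the sample assertion to it, return the roles it offers."""
    server, port = start_listener()
    poster = threading.Thread(target=simulate_browser_post, args=(port, SAMPLE_SAML_RESPONSE), daemon=True)
    poster.start()
    saml = wait_for_saml(server)
    poster.join()
    server.server_close()
    return parse_roles(saml)


def credential_process_output(creds):
    """Shape the STS credentials as the JSON the AWS CLI's credential_process expects (Version 1)."""
    return json.dumps({"Version": 1, "AccessKeyId": creds["AccessKeyId"],
                       "SecretAccessKey": creds["SecretAccessKey"],
                       "SessionToken": creds["SessionToken"], "Expiration": creds["Expiration"]})


if __name__ == "__main__":
    for role_arn, provider_arn in roundtrip_demo():
        print("offered role:", role_arn, "via", provider_arn)
    # Real flow (needs network): boto3.client("sts").assume_role_with_saml(
    #     RoleArn=role_arn, PrincipalArn=provider_arn, SAMLAssertion=saml)["Credentials"]
```

In the actual tool the `saml` string captured by `wait_for_saml` goes straight into `AssumeRoleWithSAML`; the hang reported above would show up as `handle_request()` never returning, which is exactly what happens when the Workspace app still redirects the browser to AWS's ACS instead of the local listener.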