cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License
537 stars, 181 forks

Allow login to Google using the browser #225

Open mcfedr opened 3 years ago

mcfedr commented 3 years ago

This adds the possibility of not logging in to Google on the CLI, but instead going to the user's browser, using their Google session, and having it passed back to the CLI.

It works by setting up a GSuite SAML app that doesn't send the user directly to AWS, but instead to a server that is in the Python app; this can then capture the SAML and use it to access AWS.
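The hand-off described in this comment (and the Workspace-app change pointed to later in the thread, where the SAML ACS URL is moved from AWS to the CLI's listener) as a worked example. This is added example code, not code from this PR, aws-google-auth or aws-saml-auth. It assumes the Google SAML app's ACS URL is http://localhost:<port>/ so the browser POSTs the SAMLResponse form there; the listener binds to loopback only and accepts a single request, because the assertion is a bearer credential until STS consumes it. The handler and function names, the port handling and the embedded assertion (account 123456789012, provider GoogleApps) are this example's own constructions, and the STS exchange at the end needs boto3 and network access, so it is shown but not exercised.

```python
"""Browser-to-CLI SAML hand-off, as an added example (not project code).

Assumed flow: IdP SAML app ACS URL -> http://127.0.0.1:<port>/ -> this listener
captures the base64 SAMLResponse -> CLI picks a role -> STS AssumeRoleWithSAML.
"""
import base64
import http.client
import threading
import urllib.parse
import xml.etree.ElementTree as ET  # use defusedxml in production: the XML is untrusted input
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional, Tuple

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion (real ones are signed by the IdP;
# AWS verifies that signature server-side, the CLI only forwards it).
SAMPLE_ASSERTION = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml2:AttributeValue>arn:aws:iam::123456789012:role/administrator,arn:aws:iam::123456789012:saml-provider/GoogleApps</saml2:AttributeValue>
        <saml2:AttributeValue>arn:aws:iam::123456789012:saml-provider/GoogleApps,arn:aws:iam::123456789012:role/readonly</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()


def parse_roles(saml_response_b64: str) -> List[Tuple[str, str]]:
    """Return (role_arn, principal_arn) pairs from the AWS Role attribute."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml2:AttributeValue", NS):
            parts = [s.strip() for s in (value.text or "").split(",")]
            if len(parts) != 2:
                continue
            # The IdP may emit either order; normalise to (role, provider).
            role, provider = parts if ":role/" in parts[0] else parts[::-1]
            pairs.append((role, provider))
    return pairs


class SamlCallbackHandler(BaseHTTPRequestHandler):
    """Accepts the browser's form POST (the SAML ACS request) and stores it."""

    captured: Optional[str] = None

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        resp = form.get("SAMLResponse", [None])[0]
        if resp is None:
            self.send_error(400, "missing SAMLResponse")
            return
        type(self).captured = resp  # never log this value: it is a bearer token
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Login captured, you can close this tab.\n")

    def log_message(self, *args) -> None:  # keep the CLI quiet
        pass


def start_listener(port: int = 0, timeout: float = 60.0) -> Tuple[HTTPServer, threading.Thread]:
    """Bind to loopback only and serve exactly one request in a thread."""
    server = HTTPServer(("127.0.0.1", port), SamlCallbackHandler)
    server.timeout = timeout
    thread = threading.Thread(target=server.handle_request, daemon=True)
    thread.start()
    return server, thread


def assume_role(saml_response_b64: str, role_arn: str, principal_arn: str, region: str):
    """Exchange the assertion for STS credentials (needs boto3 + network; not run here).

    AssumeRoleWithSAML is unsigned, so no AWS credentials are required to call it.
    """
    import boto3  # deferred import: only needed for the real exchange

    sts = boto3.client("sts", region_name=region)
    out = sts.assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=principal_arn, SAMLAssertion=saml_response_b64
    )
    return out["Credentials"]


def demo_roundtrip() -> List[Tuple[str, str]]:
    """Simulate the browser's ACS POST against the listener and parse the roles."""
    server, thread = start_listener(timeout=5.0)
    port = server.server_address[1]
    body = urllib.parse.urlencode({"SAMLResponse": SAMPLE_RESPONSE}).encode()
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/", body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    status = conn.getresponse().status
    conn.close()
    thread.join()
    server.server_close()
    if status != 200 or SamlCallbackHandler.captured is None:
        raise RuntimeError("listener did not capture a SAMLResponse")
    return parse_roles(SamlCallbackHandler.captured)


if __name__ == "__main__":
    for role, provider in demo_roundtrip():
        print(role, "via", provider)
```

In real use the CLI opens the IdP's initsso URL in the browser after starting the listener, and it hangs at that point if the IdP's ACS URL still points at AWS's signin endpoint rather than the loopback listener, which is what this thread's later exchange turns out to be about.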

ghost commented 2 years ago

Hi :wave: Do you know if there is a blocker that prevents merging this feature into the repository?

mcfedr commented 2 years ago

@ph-kpichou since making this MR, I've actually reworked the project into something quite different from the original, that only uses browser-based login; if you are interested, it's now the main branch at https://github.com/ekreative/aws-saml-auth

ghost commented 2 years ago

Thanks @mcfedr, I'll probably give it a try :)

mcfedr commented 2 years ago

I'd be interested to know if someone else can make it work

ghost commented 2 years ago

Actually, I'm not. I tried a bit this morning but with no success. I ran this command:

aws-saml-auth --credential-process -L https://accounts.google.com/o/saml2/initsso\?idpid\=MYIDP\&spid\=MYSP\&forceauthn\=false -R eu-west-1 -r arn:aws:iam::AWSACCOUNT:role/administrator -A AWSACCOUNT

A browser tab opened, I can connect to my Google account, then I can choose the account/role I want to use on AWS, and get logged in to the console. This is the exact same process for me as when I want to log in to the console using SAML. But on the CLI, nothing else happens. I just have the WARNING:root:Opening url BLAH message, and it hangs.

I guess I'm doing it correctly, but I don't know what is not working. A few things I thought might be an issue:

mcfedr commented 2 years ago

To use this version you need to add a new Google Workspace app - https://github.com/ekreative/aws-saml-auth/blob/main/README.rst#setup-aws-saml-and-google-workspace - this is so that the redirect goes to the CLI HTTP listener instead of that AWS choose-account page.

ghost commented 2 years ago

Oh sure, sorry I didn't read well. I'll try and tell you if it works :) Thanks !