There are two features that join into each other:
Browser Login:
Open the user's web browser, let him login there, and then we catch the SAML. It's slightly annoying, because Google will only send the SAML to a valid https server. To work around this, I have a server that can be hosted serverless-ly somewhere, and it will forward the SAML to http://127.0.0.1:8000, where the python client is waiting for it.
Credential Process:
AWS CLI supports a config, credential_process, that means it can trigger a process to get the credentials for a profile. These changes allow aws-google-auth to be this process. Now everything is magic.
There are a couple of changes required for this - basically AWS CLI won't call the process if there are any keys in the credentials file - even if it's expired, but it also doesn't have its own credentials cache, so basically we write the creds to the credentials file under a different name and use this as a cache. I keep it in the credentials file so that the security properties are the same as normal.
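The cache-in-the-credentials-file idea above, as an added example that is not code from the aws-google-auth PR: a minimal credential_process helper that serves a second profile from the credentials file while its expiry is in the future and otherwise calls the login routine and rewrites that profile. The cache profile name, the aws_expiration key and the fetch() callback are assumptions for illustration.

```python
import configparser
import io
import json
from datetime import datetime, timezone

# Assumed name for the cache profile (not the project's real name).
CACHE_PROFILE = "aws-google-auth-cache"


def load_cached(ini_text, profile=CACHE_PROFILE):
    """Return credential_process JSON dict from the cache profile, or None if missing/expired."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    if not cfg.has_section(profile):
        return None
    sec = cfg[profile]
    exp = sec.get("aws_expiration")  # extra key we own; the CLI ignores unknown keys
    if exp is None or datetime.fromisoformat(exp) <= datetime.now(timezone.utc):
        return None  # expired or unknown expiry: force a fresh login
    return {
        "Version": 1,  # required by the credential_process output contract
        "AccessKeyId": sec["aws_access_key_id"],
        "SecretAccessKey": sec["aws_secret_access_key"],
        "SessionToken": sec["aws_session_token"],
        "Expiration": exp,
    }


def store_cached(ini_text, creds, profile=CACHE_PROFILE):
    """Return the credentials-file text with the cache profile rewritten; other profiles untouched."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "aws_expiration": creds["Expiration"],
    }
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def credential_process(ini_text, fetch):
    """Serve the cache if valid, else call fetch() (the SAML login) and refresh it."""
    creds = load_cached(ini_text)
    new_ini = ini_text
    if creds is None:
        creds = fetch()
        new_ini = store_cached(ini_text, creds)
    return json.dumps(creds), new_ini  # JSON goes to stdout, new_ini back to the file
```

In a real deployment the JSON string is printed to stdout for the CLI and new_ini is written back to ~/.aws/credentials with the file's usual 0600 permissions.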