Open bakshigit opened 4 years ago
Hi @bakshigit,
Although there is a Former2 CLI option available, it's probably too limiting for this case.
Usually, if you can use the AWS CLI with your SAML credentials, it's already generating a temporary set of credentials for you. If you navigate to `~/.aws/credentials` after authenticating to your SAML provider, you'll find an access key, secret key and session token. All three of these must be entered in the credentials screen for it to work.
If you're still unsure, please let me know specifically how you authenticate to your provider via the CLI and what OS you're running.
Thanks for the reply. So after validating the auth through SAML, my AWS credentials file looks like this (actual values changed):
```
[default]
aws_access_key_id=hjkhkjhkjhkjk
aws_secret_access_key=g/klj;k;k;k;
aws_session_token="hhgkdl;gkdfl;kg;ldfkg;ldk"
```
Now, I installed Former2 using the npm build.
On executing the below command
```
former2 generate --output-cloudformation "cloudformation.yml"
```
I get the following in the cloudformation.yml file
```
~> former2 generate --output-cloudformation "cloudformation.yml"
████████████████████████████████████████ 100% (103/103 services completed)
```
and I get the following in the cloudformation.yml file
~
Is it because of the default role I get on authentication? And no resources exist with that role, which is true because all resources have been created with another role.
Is it possible to pass the role name to the Former2 CLI, or maybe change the role on the AWS CLI before executing Former2 (I don't know how to do that)?
Thanks
Hi @bakshigit,
There isn't assume role support in the Former2 CLI, however you should be able to do it in the main site: https://former2.com/
In the Settings > Credentials area, enter the 3 fields you've shown in your credentials file, as well as the ARN of the role you'd like to assume. You should then be able to use the service as originally intended, though your session credentials will need to be rotated as often as your session length.
hey Ian,
So I am able to copy credentials into the fields and also include the assumed role ARN.
Now I am able to see the Compute resources (mainly EC2 instances) BUT none of the RDS instances/clusters show up under the database and RDS section.
Do we need to turn on some other setting to see the database resources?
Thanks
Hi @bakshigit,
There shouldn't be a difference between EC2 instances and RDS instances in this context.
Despite the fact RDS has CORS support, can I confirm you have the Former2 Helper browser extension installed? Can you also confirm the correct region is selected for your RDS resources?
If yes for both, could you also check your browser's console logs for any errors?
I got it to work with https://github.com/99designs/aws-vault
e.g.
```
aws-vault exec development -- former2 generate --output-cloudformation cfn.yaml --services Lambda,ElastiCache,DynamoDB
```
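For the earlier question about changing role on the AWS CLI before running Former2: the sketch below is an added example, not code from this thread or from the Former2 project, and does by hand what `aws-vault exec` does. It assumes the Former2 CLI picks up the standard `AWS_*` environment variables; the role ARN, the session name `former2-export` and the function names are placeholders.

```shell
# Split one tab-separated line "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken"
# (the shape `aws sts assume-role --output text` gives for the query below)
# into the three standard AWS_* variables. Temporary credentials are only
# usable as a complete triple, so anything else is rejected.
load_session_creds() {
    tab=$(printf '\t')
    old_ifs=$IFS
    IFS=$tab
    set -f            # no globbing while the line is split into fields
    set -- $1
    set +f
    IFS=$old_ifs
    if [ "$#" -ne 3 ]; then
        echo "expected access key, secret key and session token" >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID="$1"
    export AWS_SECRET_ACCESS_KEY="$2"
    export AWS_SESSION_TOKEN="$3"
}

# Assume the given role with the SAML-issued credentials the AWS CLI already
# has in ~/.aws/credentials, then run `former2 generate` with the role's
# temporary credentials. The subshell keeps them out of the calling shell.
run_former2_as_role() {
    role_arn=$1
    shift
    line=$(aws sts assume-role \
        --role-arn "$role_arn" \
        --role-session-name former2-export \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || return 1
    (
        load_session_creds "$line" || exit 1
        former2 generate "$@"
    )
}

# Usage (placeholder ARN):
#   run_former2_as_role "arn:aws:iam::<account-id>:role/<role-name>" \
#       --output-cloudformation cloudformation.yml
```

The assumed-role credentials expire with the session, so the function has to be re-run once they lapse.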
In cases like this one, or other similar cases where AWS SSO results in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can give a try to our open-source project: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and accounts/roles retrieval, then it creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third-party tools / SDKs.
Hello,
I have a work setup whereby we log in to the AWS console using a federated login (SSO) with LDAP authentication. In this situation, I don't have secret keys for using Former2 and also don't have privileges to create a new IAM user.
Any workaround for this situation?
I can however connect to AWS using a CLI with validation with SAML. Is there a CLI option available for Former2?
Thanks