ruimarinho / gsts

Obtain and store AWS STS credentials to interact with Amazon services by authenticating via G Suite SAML.
MIT License

Allow for usage of aws config file for google config like aws-google-auth does #57

Closed nickphbrown closed 1 year ago

nickphbrown commented 2 years ago

Using the aws config file for the google config helps with managing many profiles that assume a different role each.

Rather than having to remember the role ARNs for different profiles and pass them to the gsts command, it would be handy for gsts to look in the aws config based on the aws-profile that I pass it.

See an example of a config item used for aws-google-auth below, along with a link to the part in the code where the file is read and config is set.

[profile {profile_name}]
region = {region}
google_config.ask_role = False
google_config.keyring = False
google_config.duration = 3600
google_config.google_idp_id = {idp_id}
google_config.google_sp_id = {sp_id}
google_config.u2f_disabled = False
google_config.google_username = {user_name}
google_config.bg_response = None
google_config.role_arn = arn:aws:iam::{account_id}:role/{role_name}

https://github.com/cevoaustralia/aws-google-auth/blob/19a48a54fa69e5874764b9764da3f6bac6312777/aws_google_auth/configuration.py#L163
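
The lookup requested in this issue, as an added example that is neither gsts nor aws-google-auth code: it reads the `google_config.*` keys for one profile from AWS config text and fails closed on a missing key or a malformed role ARN. The function names, the key-to-option mapping and the sample config are assumptions.

```javascript
// Option names are the ones quoted in this thread; the key mapping is an assumption.
const KEY_TO_OPTION = {
  'google_config.role_arn': 'aws-role-arn',
  'google_config.google_sp_id': 'sp-id',
  'google_config.google_idp_id': 'idp-id',
  'google_config.google_username': 'username',
};
// Shape check only: it does not prove that the role exists.
const ROLE_ARN = /^arn:aws[a-z-]*:iam::\d{12}:role\/[\w+=,.@\/-]+$/;

// Minimal reader for the AWS config layout: "[default]" and "[profile name]" sections.
function parseAwsConfig(text) {
  const profiles = new Map();
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const section = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    const pair = line.match(/^([^#;=][^=]*)=(.*)$/); // skips comments and blank lines
    if (section) {
      current = Object.create(null); // no inherited keys such as __proto__
      profiles.set(section[1].trim(), current);
    } else if (current && pair) {
      current[pair[1].trim()] = pair[2].trim();
    }
  }
  return profiles;
}

// Returns the four options for one profile, or throws instead of guessing a value.
function resolveGoogleOptions(configText, profileName) {
  const profile = parseAwsConfig(configText).get(profileName);
  if (!profile) throw new Error(`profile "${profileName}" not found`);
  const options = {};
  for (const [key, option] of Object.entries(KEY_TO_OPTION)) {
    if (!profile[key]) throw new Error(`profile "${profileName}" is missing ${key}`);
    options[option] = profile[key];
  }
  if (!ROLE_ARN.test(options['aws-role-arn'])) throw new Error(`invalid role ARN in "${profileName}"`);
  return options;
}

// Constructed sample config; every value is made up.
const SAMPLE_CONFIG = `
[profile dev]
google_config.google_idp_id = C0example
google_config.google_sp_id = 123456789012
google_config.google_username = dev@example.com
google_config.role_arn = arn:aws:iam::111122223333:role/Developer
`;
```

Calling `resolveGoogleOptions(SAMPLE_CONFIG, 'dev')` returns an object keyed by the four option names.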

nickphbrown commented 2 years ago

I'm happy to attempt a PR for this btw, as long as I get the OK that there's nothing against the idea

ruimarinho commented 2 years ago

Hey @nickphbrown. Doesn't https://github.com/ruimarinho/gsts/blob/bde055fa130ca0e99097c8e0aee0b3c05325920e/credentials-manager.js#L203-L222 serve that purpose already?

nickphbrown commented 2 years ago

@ruimarinho It doesn’t. The part you’ve quoted shows the credentials being saved to the aws credentials file.

What I’d like is to be able to run the command ‘gsts --aws-profile {profile-name}’ and it picks up the ‘aws-role-arn’, ‘sp-id’, ‘idp-id’ and ‘username’ from the aws config file.

That way I don’t need to use the aws ‘credential_process’ feature but can still easily get credentials for any profile without having to know any other information than the profile name

joao-spring commented 2 years ago

Rui! This feature is becoming a matter of national pride! I work in the US and we used aws-google-auth, but with the problems that tool had this week and its lack of maintenance, we decided to switch to gsts.

Here is my reaction:

[image]

but then:

[image] [image]

OK, jokes aside:

  1. Thank you very much for this tool. Better than aws-google-auth.
  2. The feature in this ticket would be very welcome.

ruimarinho commented 1 year ago

This feature will land on the next major via https://github.com/ruimarinho/gsts/pull/82!