AWS Credentials Broker - Grants temporary AWS credentials for Google federated users
This app, when deployed in your AWS account, grants temporary STS credentials to Google federated users for use in the AWS CLI. In outline: the user signs in with Google, the broker exchanges the resulting Google ID token for credentials with `sts:AssumeRoleWithWebIdentity` (see the role trust policy below), and the user's `callback_uri` is then called with the STS credentials to store in the user's `~/.aws/credentials` file. To look users up in the Google directory, the service account needs the `https://www.googleapis.com/auth/admin.directory.user.readonly` scope.
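The local side of that flow, as an added example that is not code from the broker project: receive the STS credentials on the `callback_uri` and merge them into `~/.aws/credentials` without clobbering other profiles and without leaving the keys world-readable. It assumes (the README does not say) that the callback carries the four STS fields as query parameters named `AccessKeyId`, `SecretAccessKey`, `SessionToken` and `Expiration`; the sample callback URL and key values are constructed placeholders.

```python
"""Added example, not code from the broker project: store the STS credentials
delivered to the local callback_uri in ~/.aws/credentials.

Assumption (not stated in the README): the callback carries the four STS
fields as query parameters named AccessKeyId, SecretAccessKey, SessionToken
and Expiration. The profile name is whatever the user chose.
"""
import configparser
import os
import tempfile
from urllib.parse import parse_qs, urlparse

STS_FIELDS = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def parse_callback(url):
    """Pull the STS fields out of the callback URL; a missing one is fatal."""
    query = parse_qs(urlparse(url).query)
    creds = {}
    for field in STS_FIELDS:
        values = query.get(field)
        if not values or not values[0]:
            raise ValueError("callback is missing %s" % field)
        creds[field] = values[0]
    return creds


def write_aws_credentials(path, profile, creds):
    """Merge one profile into the INI file at path, keeping other profiles.

    The file is written to a temp file and renamed into place, so a crash
    never leaves a truncated credentials file, and it ends up mode 0600 so
    other local users cannot read the keys.
    """
    cfg = configparser.ConfigParser()
    cfg.read(path)  # a missing file is simply an empty config
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    directory = os.path.dirname(os.path.abspath(path))
    os.makedirs(directory, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".credentials.")
    try:
        with os.fdopen(fd, "w") as fh:
            cfg.write(fh)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def read_profile(path, profile):
    """Read one profile back as a plain dict (used to check the result)."""
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return dict(cfg[profile])


def demo():
    """Run the flow against a constructed callback in a temp directory."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "credentials")
    # Pre-existing profile that must survive the update (placeholder values).
    write_aws_credentials(path, "default", {
        "AccessKeyId": "AKIAOLDPROFILE", "SecretAccessKey": "old-secret",
        "SessionToken": "", "Expiration": ""})
    # Constructed callback; the values are placeholders, not real credentials.
    callback = ("http://127.0.0.1:8080/callback"
                "?AccessKeyId=ASIAEXAMPLE123&SecretAccessKey=exampleSecret"
                "&SessionToken=exampleToken&Expiration=2024-01-01T00%3A00%3A00Z")
    creds = parse_callback(callback)
    write_aws_credentials(path, "google", creds)
    return {
        "google": read_profile(path, "google"),
        "default": read_profile(path, "default"),
        "mode": os.stat(path).st_mode & 0o777,
    }


if __name__ == "__main__":
    print(demo())
```

The temp-file-and-rename step matters because the AWS CLI may read the file at any moment; a partially written file would break every profile in it, not just the one being refreshed.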
This assumes you already have a SAML provider and roles set up for Google federated users. Each role the broker should be able to hand out must additionally trust our Google OAuth client ID via web identity federation, so edit that role's trust relationship policy document and add the following statement (the `accounts.google.com:aud` condition is what restricts the role to tokens issued for our client; do not omit it):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    ...
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "<our new google client id>"
        }
      }
    }
    ...
  ]
}
```
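A check worth running on every role you hand out, as an added example that is not code from the broker project: audit the trust policy for Google web-identity statements and flag any that trust `accounts.google.com` without pinning `accounts.google.com:aud` to our client ID, since such a statement can be satisfied by an ID token issued to any Google OAuth client. The sample policy and client ID in the code are constructed, not the project's.

```python
"""Added example, not code from the broker project: audit a role trust policy
for the Google web-identity statement described above.

The statement is only safe because of the accounts.google.com:aud condition.
Trusting accounts.google.com without pinning aud to our client ID would let an
ID token issued to any Google OAuth client assume the role.
"""
import json

GOOGLE_PRINCIPAL = "accounts.google.com"
AUD_KEY = "accounts.google.com:aud"
ACTION = "sts:AssumeRoleWithWebIdentity"


def _as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, client_id):
    """Return findings for every Google web-identity statement in policy.

    An empty list means each such statement pins aud to client_id with a
    StringEquals condition. Only StringEquals counts as pinning: a StringLike
    wildcard would not.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if GOOGLE_PRINCIPAL not in federated or ACTION not in _as_list(stmt.get("Action")):
            continue
        condition = stmt.get("Condition") or {}
        pinned = _as_list(condition.get("StringEquals", {}).get(AUD_KEY))
        if not pinned:
            findings.append("statement %d: no StringEquals %s condition; "
                            "any Google OAuth client could assume this role" % (idx, AUD_KEY))
        elif client_id not in pinned:
            findings.append("statement %d: %s is %r, expected %r" % (idx, AUD_KEY, pinned, client_id))
        elif len(pinned) > 1:
            findings.append("statement %d: %s also trusts other client IDs %r" % (idx, AUD_KEY, pinned))
    return findings


def google_trust_statement(client_id):
    """The statement from the README, built for client_id."""
    return {
        "Effect": "Allow",
        "Principal": {"Federated": GOOGLE_PRINCIPAL},
        "Action": ACTION,
        "Condition": {"StringEquals": {AUD_KEY: client_id}},
    }


# Constructed sample (not the project's policy): an existing SAML statement
# plus a Google statement that forgot the aud condition.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/Google"},
     "Action": "sts:AssumeRoleWithSAML",
     "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}},
    {"Effect": "Allow",
     "Principal": {"Federated": "accounts.google.com"},
     "Action": "sts:AssumeRoleWithWebIdentity"}
  ]
}
""")

if __name__ == "__main__":
    for finding in audit_trust_policy(SAMPLE_POLICY, "123-abc.apps.googleusercontent.com"):
        print(finding)
```

Feed it the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) for each role the broker can return, and treat any finding as a blocker before the role goes live.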
The broker reads the following configuration keys:

| Key | Description |
|---|---|
| ALLOWED_ORIGIN | The URL of our broker app (e.g. https://aws-credentials-broker.example.org) |
| GOOGLE_ADMIN_EMAIL | The email address of a Google Workspace (Google Apps) admin user; the service account reads the directory on this user's behalf |
| GOOGLE_CLIENT_ID | The Google OAuth2 client ID; must match the `accounts.google.com:aud` value in each role's trust policy |
| GOOGLE_CLIENT_REDIRECT | The callback URL of our broker app (e.g. https://aws-credentials-broker.example.org/oauth/google/callback) |
| GOOGLE_CLIENT_SECRET | The Google OAuth2 client secret |
| GOOGLE_SA_EMAIL | The Google service account email |
| GOOGLE_SA_PK | The Google service account private key, base64 encoded |
| HOSTED_DOMAIN | Optional. Only users of this Google domain (the `hd` claim of the ID token) are accepted; the filter is disabled if left blank |
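The trust policy above only pins `aud`; it says nothing about which Google domain the user belongs to, so `HOSTED_DOMAIN` has to be enforced by the broker itself before the token is handed to STS. The following is an added example, not code from the broker project, of the claim checks driven by the configuration keys above. It assumes the token's signature has already been verified against Google's published keys (that step is deliberately out of scope here) and that the claims use the standard OpenID Connect names Google issues (`iss`, `aud`, `exp`, `email`, `email_verified`, `hd`); the sample config and claims are constructed.

```python
"""Added example, not code from the broker project: the checks the broker
should run on a Google ID token's claims, driven by the configuration keys
above, before calling sts:AssumeRoleWithWebIdentity with it.

Assumptions: the token signature has already been verified against Google's
keys, and the claim names are the standard OpenID Connect ones Google issues.
"""
import time

GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")


class TokenRejected(Exception):
    """Raised with a reason the broker can log; do not echo it to the user."""


def check_google_claims(claims, config, now=None):
    """Return the email to use as the STS RoleSessionName, or raise.

    The role trust policy only pins accounts.google.com:aud, so the hosted
    domain (hd) check for HOSTED_DOMAIN has to happen here.
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise TokenRejected("unexpected issuer %r" % claims.get("iss"))
    if claims.get("aud") != config["GOOGLE_CLIENT_ID"]:
        raise TokenRejected("token was not issued to our client ID")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token expired or has no exp")
    if claims.get("email_verified") is not True or not claims.get("email"):
        raise TokenRejected("email missing or not verified")
    hosted_domain = (config.get("HOSTED_DOMAIN") or "").strip()
    # Consumer accounts carry no hd claim at all, so they fail this check
    # whenever a hosted domain is configured.
    if hosted_domain and claims.get("hd") != hosted_domain:
        raise TokenRejected("user is not in hosted domain %s" % hosted_domain)
    return claims["email"]


if __name__ == "__main__":
    # Constructed config and claims; the client ID and user are placeholders.
    config = {"GOOGLE_CLIENT_ID": "123-abc.apps.googleusercontent.com",
              "HOSTED_DOMAIN": "example.org"}
    claims = {"iss": "https://accounts.google.com", "aud": config["GOOGLE_CLIENT_ID"],
              "exp": time.time() + 300, "email": "alice@example.org",
              "email_verified": True, "hd": "example.org"}
    print(check_google_claims(claims, config))
```

The returned email is a reasonable RoleSessionName because it ends up in CloudTrail, which is what lets you attribute an AssumeRoleWithWebIdentity call back to a person.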