From fcf101f9441249bfc258be4b1669d216eca89ba5 Mon Sep 17 00:00:00 2001
From: Jeremy Stott
Date: Tue, 11 Jun 2019 13:46:27 +1200
Subject: [PATCH] Update README.md
---
 README.md | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 71a0258..625cf91 100644
--- a/README.md
+++ b/README.md
@@ -10,21 +10,23 @@ https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentia
 ## Getting Started
-For example, add the following to **~/.aws/config**:
+Add the following to **~/.aws/config**:
 [profile default]
+ region = us-east-1
 credential_process = /Users/jeremy/projects/aws-oidc/aws-oidc auth google
 And configure aws-oidc by creating **~/.aws-oidc/config** and setting the `role_arn` and `client_id`:
- region = "ap-southeast-2"
+ region = "us-east-1"
 [[AuthProvider]]
 name = "google"
- role_arn = "arn:aws:iam::012345678901:role/role-name"
+ role_arn = "arn:aws:iam::0123456789012:role/your-role-name"
 duration = 900
 provider_url = "https://accounts.google.com"
- client_id = "430784603061-osbtei3s71l0bj6d8oegto0itefjmiq6.apps.googleusercontent.com"
+ client_id = "YOUR_CLIENT_ID"
+ client_secret = "YOUR_CLIENT_SECRET" # only specify this if your OIDC provider requires it even when using PKCE
 agent = ["open", "-b", "com.google.chrome"]
 Then you can assume the role using the AWS cli:
@@ -39,9 +41,9 @@ Most AWS SDK implementations should be able to use the `credential_process` conf
 ## Open Chrome with a particular profile
-Open `chrome://version/` in the Chrome profile you want to open as, and make a note of the last part of the profile path.
+Open `chrome://version/` in the Chrome profile you want to authenticate in, and make a note of the last part of the profile path.
-Update the `agent` option with the profile path in your **~/.aws-oidc/config** file:
+Update the `agent` option with the path in your **~/.aws-oidc/config** file:
 agent = ["open", "-b", "com.google.chrome", "-n", "--args", "--profile-directory=Profile 1", "{}"]
@@ -50,7 +52,7 @@ Update the `agent` option with the profile path in your **~/.aws-oidc/config** f
 Add the profiles for each role you want to assume to **~/.aws/config**. Specify the provider name from the configuration file, and override any default settings:
 [profile engineer]
- credential_process = aws-oidc auth onelogin --role_arn=arn:aws:iam::892845094662:role/onelogin-test-oidc --duration 7200
+ credential_process = aws-oidc auth onelogin --role_arn=arn:aws:iam::0123456789012:role/your-role-name --duration 7200
 Make sure each authentication provider exists in **~/.aws-oidc/config**. You can also override any of the configured settings here on the command line.
@@ -70,7 +72,7 @@ This will use the profiles defined in **~/.aws/config** to assume the role by ca
 Use the `list` command to find roles that your claim and client_id can assume:
- aws-oidc list --claim="accounts.google.com:aud" --client_id="430784603061-osbtei3s71l0bj6d8oegto0itefjmiq6.apps.googleusercontent.com"
+ aws-oidc list --claim="accounts.google.com:aud" --client_id="CLIENT_ID"
 Example using only the AWS CLI:
@@ -84,7 +86,7 @@ Example using only the AWS CLI:
 Arn:Arn, ClientId:AssumeRolePolicyDocument.Statement[*].Condition.StringEquals."accounts.google.com:aud" | [0] } | [?
- contains(ClientId, `430784603061-osbtei3s71l0bj6d8oegto0itefjmiq6.apps.googleusercontent.com`)
+ contains(ClientId, `CLIENT_ID`)
 ]'
 EOF