lordwelch/aws-oidc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
aws-oidc/README.md
Jeremy Stott 33405edd87
Update README.md
2019-04-24 19:17:08 +12:00

3.3 KiB
Raw Blame History

aws-oidc

Assume roles in AWS using an OpenID Connect Identity provider.

It outputs temporary AWS credentials in a JSON format that can be consumed by the credentials_process setting in ~/.aws/config.

https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes

Example:

aws-oidc auth \
  --role_arn="arn:aws:iam::892845094662:role/onelogin-test-oidc" \
  --duration=3600 \
  --provider_url=https://openid-connect.onelogin.com/oidc \
  --client_id=97a61160-3c09-0137-8c69-0a1c3f4fd822144813 \
  --agent=open

All the provider arguments can be specified in a TOML configuration file:

region = "ap-southeast-2"

[[AuthProvider]]
name = "onelogin"
role_arn = "arn:aws:iam::012345678901:role/role-name"
duration = 900
provider_url = "https://openid-connect.onelogin.com/oidc"
client_id = "ef061080-43aa-0137-62f3-066d8813aeb888900"
agent = ["open", "-b", "com.google.chrome", "-n", "--args", "--profile-directory=Default", "{}"]

[[AuthProvider]]
name = "google"
role_arn = "arn:aws:iam::012345678901:role/role-name"
duration = 900
provider_url = "https://accounts.google.com"
client_id = "430784603061-osbtei3s71l0bj6d8oegto0itefjmiq6.apps.googleusercontent.com"
agent = ["open", "-b", "com.google.chrome", "-n", "--args", "--profile-directory=Profile 1", "{}"]

This configuration file should be located in ~/.aws-oidc/config

Configure AWS Config

Add the profiles for each role you want to assume to ~/.aws/config. Specify the provider name from the configuration file, and override any default settings:

[profile engineer]
credential_process = aws-oidc auth onelogin --role_arn=arn:aws:iam::892845094662:role/onelogin-test-oidc --duration 7200

Now you can use the AWS cli as normal, and specify the profile:

$ aws --profile engineer sts get-caller-identity
{
    "UserId": "AROAJUTXNWXGCAEILMXTY:50904038",
    "Account": "892845094662",
    "Arn": "arn:aws:sts::892845094662:assumed-role/onelogin-test-oidc/50904038"
}

Run other commands with credentials

Most AWS SDK's should be able to pick up the profile parameter, and suppor the credentials_process setting in your ~/.aws/config file. If not, you can run an arbitary command with the temporary credentials with exec:

aws-oidc exec engineer -- ./path/to/command with arguments

This will use the profiles defined in ~/.aws/config to assume the role with aws-oidc and then set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables for the new process.

Find roles that an oidc client could assume

Use the list command to find roles that your claim and client_id can assume:

aws-oidc list --claim="openid-connect.onelogin.com/oidc:aud" --client_id="ef061080-43aa-0137-62f3-066d8813aeb888900"

Example using only the AWS CLI:

aws iam list-roles --query <<EOF '
Roles[?
  AssumeRolePolicyDocument.Statement[?
    Condition.StringEquals."openid-connect.onelogin.com/oidc:aud"
  ]
].{
  RoleName:RoleName,
  Arn:Arn,
  ClientId:AssumeRolePolicyDocument.Statement[*].Condition.StringEquals."openid-connect.onelogin.com/oidc:aud" | [0]
} | [?
  contains(ClientId, `ef061080-43aa-0137-62f3-066d8813aeb888900`)
]'
EOF