85 lines
3.3 KiB
Markdown
85 lines
3.3 KiB
Markdown
# aws-oidc
|
|
|
|
Assume roles in AWS using an OpenID Connect Identity provider.
|
|
|
|
It outputs temporary AWS credentials in a JSON format that can be consumed by the credentials_process setting in ~/.aws/config.
|
|
|
|
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
|
|
|
|
Example:
|
|
|
|
aws-oidc auth \
|
|
--role_arn="arn:aws:iam::892845094662:role/onelogin-test-oidc" \
|
|
--duration=3600 \
|
|
--provider_url=https://openid-connect.onelogin.com/oidc \
|
|
--client_id=97a61160-3c09-0137-8c69-0a1c3f4fd822144813 \
|
|
--agent=open
|
|
|
|
All the provider arguments can be specified in a TOML configuration file:
|
|
|
|
region = "ap-southeast-2"
|
|
|
|
[[AuthProvider]]
|
|
name = "onelogin"
|
|
role_arn = "arn:aws:iam::012345678901:role/role-name"
|
|
duration = 900
|
|
provider_url = "https://openid-connect.onelogin.com/oidc"
|
|
client_id = "ef061080-43aa-0137-62f3-066d8813aeb888900"
|
|
agent = ["open", "-b", "com.google.chrome", "-n", "--args", "--profile-directory=Default", "{}"]
|
|
|
|
[[AuthProvider]]
|
|
name = "google"
|
|
role_arn = "arn:aws:iam::012345678901:role/role-name"
|
|
duration = 900
|
|
provider_url = "https://accounts.google.com"
|
|
client_id = "430784603061-osbtei3s71l0bj6d8oegto0itefjmiq6.apps.googleusercontent.com"
|
|
agent = ["open", "-b", "com.google.chrome", "-n", "--args", "--profile-directory=Profile 1", "{}"]
|
|
|
|
This configuration file should be located in **~/.aws-oidc/config**
|
|
|
|
## Configure AWS Config
|
|
|
|
Add the profiles for each role you want to assume to **~/.aws/config**. Specify the provider name from the configuration file, and override any default settings:
|
|
|
|
[profile engineer]
|
|
credential_process = aws-oidc auth onelogin --role_arn=arn:aws:iam::892845094662:role/onelogin-test-oidc --duration 7200
|
|
|
|
Now you can use the AWS cli as normal, and specify the profile:
|
|
|
|
$ aws --profile engineer sts get-caller-identity
|
|
{
|
|
"UserId": "AROAJUTXNWXGCAEILMXTY:50904038",
|
|
"Account": "892845094662",
|
|
"Arn": "arn:aws:sts::892845094662:assumed-role/onelogin-test-oidc/50904038"
|
|
}
|
|
|
|
## Run other commands with credentials
|
|
|
|
Most AWS SDK's should be able to pick up the profile parameter, and suppor the `credentials_process` setting in your **~/.aws/config** file. If not, you can run an arbitary command with the temporary credentials with `exec`:
|
|
|
|
aws-oidc exec engineer -- ./path/to/command with arguments
|
|
|
|
This will use the profiles defined in **~/.aws/config** to assume the role with `aws-oidc` and then set `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables for the new process.
|
|
|
|
## Find roles that an oidc client could assume
|
|
|
|
Use the `list` command to find roles that your claim and client_id can assume:
|
|
|
|
aws-oidc list --claim="openid-connect.onelogin.com/oidc:aud" --client_id="ef061080-43aa-0137-62f3-066d8813aeb888900"
|
|
|
|
Example using only the AWS CLI:
|
|
|
|
aws iam list-roles --query <<EOF '
|
|
Roles[?
|
|
AssumeRolePolicyDocument.Statement[?
|
|
Condition.StringEquals."openid-connect.onelogin.com/oidc:aud"
|
|
]
|
|
].{
|
|
RoleName:RoleName,
|
|
Arn:Arn,
|
|
ClientId:AssumeRolePolicyDocument.Statement[*].Condition.StringEquals."openid-connect.onelogin.com/oidc:aud" | [0]
|
|
} | [?
|
|
contains(ClientId, `ef061080-43aa-0137-62f3-066d8813aeb888900`)
|
|
]'
|
|
EOF
|