lordwelch/aws-oidc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
aws-oidc/README.md
Jeremy Stott f8a7c0986f Added TOML cofiguration file support 
* configuration file located at ~/.aws-oidc/config
 * sets default parameters, but can still be overridden on the cli
 * named AuthProviders are accessible via the auth [name] command
Renamed exec command to auth. Upgraded auth command to take defaults from the config file.
Added new command exec, that puts the temporary credentials as environment variables in the specified command
Automatically append URL to end of auth command if not specified
2019-04-24 15:34:01 +12:00

84 lines
3.3 KiB
Markdown
Raw Blame History

# aws-oidc
Assume roles in AWS using an OpenID Connect Identity provider.
It outputs temporary AWS credentials in a JSON format that can be consumed by the credentials_process setting in ~/.aws/config.
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
Example:
aws-oidc auth \
--role_arn="arn:aws:iam::892845094662:role/onelogin-test-oidc" \
--duration=3600 \
--provider_url=https://openid-connect.onelogin.com/oidc \
--client_id=97a61160-3c09-0137-8c69-0a1c3f4fd822144813 \
--agent=open
All the provider arguments can be specified in a TOML configuration file:
region = "ap-southeast-2"
[[AuthProvider]]
name = "onelogin"
role_arn = "arn:aws:iam::012345678901:role/role-name"
duration = 900
provider_url = "https://openid-connect.onelogin.com/oidc"
client_id = "ef061080-43aa-0137-62f3-066d8813aeb888900"
agent = ["open", "-b", "com.google.chrome", "-n", "--args", "--profile-directory=Default", "{}"]
[[AuthProvider]]
name = "google"
role_arn = "arn:aws:iam::012345678901:role/role-name"
duration = 900
provider_url = "https://accounts.google.com"
client_id = "430784603061-osbtei3s71l0bj6d8oegto0itefjmiq6.apps.googleusercontent.com"
agent = ["open", "-b", "com.google.chrome", "-n", "--args", "--profile-directory=Profile 1", "{}"]
This configuration file should be located in **~/.aws-oidc/config**
## Configure AWS Config
Add the profiles for each role you want to assume to **~/.aws/config**. Specify the provider name from the configuration file, and override any default settings:
[profile engineer]
credential_process = aws-oidc auth onelogin --role_arn=arn:aws:iam::892845094662:role/onelogin-test-oidc --duration 7200
Now you can use the AWS cli as normal, and specify the profile:
$ aws --profile engineer sts get-caller-identity
{
"UserId": "AROAJUTXNWXGCAEILMXTY:50904038",
"Account": "892845094662",
"Arn": "arn:aws:sts::892845094662:assumed-role/onelogin-test-oidc/50904038"
}
## Run other commands with credentials
Most AWS SDK's should be able to pick up the profile parameter, and suppor the `credentials_process` setting in your **~/.aws/config** file. If not, you can run an arbitary command with the temporary credentials with `exec`:
aws-oidc exec engineer -- ./path/to/command with arguments
This will use the profiles defined in **~/.aws/config** to assume the role with `aws-oidc` and then set `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables for the new process.
## Find roles that an oidc client could assume
Use the `list` command to find roles that your claim and client_id can assume:
aws-oidc list --claim="openid-connect.onelogin.com/oidc:aud" --client_id="ef061080-43aa-0137-62f3-066d8813aeb888900"
Example using only the AWS CLI:
aws iam list-roles --query <<EOF '
Roles[?
AssumeRolePolicyDocument.Statement[?
Condition.StringEquals."openid-connect.onelogin.com/oidc:aud"
]
].{
RoleName:RoleName,
Arn:Arn,
ClientId:AssumeRolePolicyDocument.Statement[*].Condition.StringEquals."openid-connect.onelogin.com/oidc:aud" | [0]
} | [?
contains(ClientId, `ef061080-43aa-0137-62f3-066d8813aeb888900`)
]'
EOF
Reference in New Issue View Git Blame Copy Permalink