AWS CLI SSO login with saml2aws through a DaaS server [ENGLISH] | Agile Partner

AWS CLI SSO login with saml2aws through a DaaS

« AWS CLI SSO login with saml2aws through a DaaS »: That’s a cryptic title hey!
Sure, but, in a nutshell, it’s what we needed here at work.

A few months ago, we implemented a Directory as a Service to replace our local Active Directory: Jumpcloud. We use it to integrate with Office 365, to centralise user access to machines, the internal NAS (via LDAP), our network Wi-Fi and VPN (via a RADIUS server), and to Single Sign On into « applications » like the AWS console, Jenkins, …

There’s one thing we needed that isn’t natively implemented in JumpCloud: SSO with the AWS Command Line Interface. Searching through the documentation, it looks like there are 2 third-party integrations that fit the bill.

The first one is jumpcloud-aws. That one fails to build on my Mac and looks like it’s simmering on the back burner. Next!

saml2aws. OK, that looks active and promising. Mac and Windows support. Easy installation via Homebrew and Chocolatey. Lots of providers supported, so if you are using another provider like Azure AD or Google Apps (and more), this might be your ticket too. A « brew install » command later, I am ready to test.

We had already done the setup to SSO into the AWS console of various accounts. After a quick glance at the command help and the online documentation, it looked fairly straightforward: I basically need the Identity Provider URL. I’m going for the interactive test first.

~ via .env at ☸️  kubernetes-admin@kubernetes
➜ saml2aws configure
? Please choose a provider:  [Use arrows to move, type to filter]
  AzureAD
  F5APM
  GoogleApps
❯ JumpCloud
  KeyCloak
  Okta
  OneLogin

I chose JumpCloud and entered all the needed bits:

~ via .env at ☸️  kubernetes-admin@kubernetes
➜ saml2aws configure
? Please choose a provider: JumpCloud
? AWS Profile AP_AWS
? URL https://sso.jumpcloud.com/saml2/aws
? Username orobert@agilepartner.net
? Password **************
? Confirm **************
 
account {
  URL: https://sso.jumpcloud.com/saml2/aws
  Username: orobert@agilepartner.net
  Provider: JumpCloud
  MFA: Auto
  SkipVerify: false
  AmazonWebservicesURN: urn:amazon:webservices
  SessionDuration: 3600
  Profile: AP_AWS
  RoleARN:
}
 
Configuration saved for IDP account: default

MFA is enabled and enforced, so at login it should be requested, as I left the configuration to ‘Auto’. The session duration might be something I want to increase (12 hours is the limit I think, but I don’t need that much). The RoleARN is not set interactively, so I should be able to choose at login.

~ via .env at ☸️  kubernetes-admin@kubernetes took 3m 1s
➜ saml2aws login
Using IDP Account default to access JumpCloud https://sso.jumpcloud.com/saml2/aws
To use saved password just hit enter.
? Username orobert@agilepartner.net
? Password **************
 
Authenticating as orobert@agilepartner.net ...
? MFA Token 952539
? Please choose the role  [Use arrows to move, type to filter]
  Account: 123456789012 / admin
  Account: 123456789012 / project-admin
❯ Account: agilepartner (123456789012) / admin

Yep, I get to choose my role (I replaced values with fake ones everywhere, BTW). I chose my role and entered my credentials and the MFA token.

~ via .env at ☸️  kubernetes-admin@kubernetes took 3m 1s
➜ saml2aws login
Using IDP Account default to access JumpCloud https://sso.jumpcloud.com/saml2/aws
To use saved password just hit enter.
? Username orobert@agilepartner.net
? Password **************
 
Authenticating as orobert@agilepartner.net ...
? MFA Token 862505
? Please choose the role Account: agilepartner (123456789012) / admin
Selected role: arn:aws:iam::123456789012:role/admin
Requesting AWS credentials using SAML assertion
Logged in as: arn:aws:sts::123456789012:assumed-role/admin/orobert@agilepartner.net
 
Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2019-08-07 12:01:02 +0200 CEST
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile AP_AWS ec2 describe-instances)

Looks like we are in business!

~ via .env at ☸️  kubernetes-admin@kubernetes
➜ aws --profile AP_AWS s3 ls s3://cfntutorialbob --region eu-west-1
2019-08-06 14:06:00       3395 app.yaml
2019-08-06 12:28:42       2209 bastion.yaml
2019-08-06 10:17:28       8416 vpc.yaml

It’s working just fine: excellent! The configuration is stored in ~/.saml2aws.

To test again, I wiped the configuration in the ~/.saml2aws and the ~/.aws/credentials file and used the command line options.

~ via .env at ☸️  kubernetes-admin@kubernetes
➜ saml2aws configure \
  --idp-account='AP_AWS' \
  --profile='AP_AWS' \
  --idp-provider='JumpCloud' \
  --mfa='Auto' \
  --url='https://sso.jumpcloud.com/saml2/aws' \
  --username='orobert@agilepartner.net' \
  --role='arn:aws:iam::123456789012:role/admin' \
  --session-duration=14400 \
  --skip-prompt
 
account {
  URL: https://sso.jumpcloud.com/saml2/aws
  Username: orobert@agilepartner.net
  Provider: JumpCloud
  MFA: Auto
  SkipVerify: false
  AmazonWebservicesURN: urn:amazon:webservices
  SessionDuration: 14400
  Profile: AP_AWS
  RoleARN: arn:aws:iam::123456789012:role/admin
}

Perfect, that avoids the interactive setup.

3 things to note from the command line version:

Make sure the session duration does not exceed the maximum session duration set on the AWS role, or you get a nice error reminding you to revise your choice or to raise the duration on the role:

Selected role: arn:aws:iam::123456789012:role/admin
Requesting AWS credentials using SAML assertion
error logging into aws role using saml assertion: error retrieving STS credentials using SAML: ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.
        status code: 400, request id: 6g03i8i2-b8fb-31e9-b7c5-27039754a26n

I went on and added a few configurations I use regularly. Once the configurations are set in ~/.saml2aws, we can simply log in with one IDP account name or the other.

~ via .env at ☸️  kubernetes-admin@kubernetes took 20s
➜ saml2aws login -a AP_AWS
Using IDP Account AP_AWS to access JumpCloud https://sso.jumpcloud.com/saml2/aws
To use saved password just hit enter.
? Username orobert@agilepartner.net
? Password **************
 
Authenticating as orobert@agilepartner.net ...
? MFA Token 611859
Selected role: arn:aws:iam::123456789012:role/admin
Requesting AWS credentials using SAML assertion
Logged in as: arn:aws:sts::123456789012:assumed-role/admin/orobert@agilepartner.net
 
Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2019-08-07 16:12:08 +0200 CEST
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile AP_AWS ec2 describe-instances).

While your sessions are valid, switching from one AWS account to the other is as simple as indicating the desired AWS profile at the command line: aws --profile AP_AWS ... and then aws --profile CLIENT1 ..., and so on …

When your session has expired, log back in with saml2aws and happy days.

TIP: Always use ‘--profile’ when configuring an IDP account with saml2aws command line options, or the AWS profile will default to ‘saml’. This is fine if you have only one AWS account. But if you have multiple AWS accounts (and multiple IDP accounts set up), each new login would systematically overwrite the AWS ‘saml’ profile, which makes working with multiple accounts at the same time a pain. It is easily avoided. « Make it so » – Captain Picard.
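As an added example (not from the original post or from the saml2aws project), here is a small Python helper for the two checks above: whether the cached keys of a given IDP account still cover the AWS profile it maps to (falling back to ‘saml’ when no profile was configured), and whether its configured session duration fits the role’s maximum. It assumes ~/.saml2aws is INI-style with aws_profile and aws_session_duration keys, and that saml2aws records the expiry in ~/.aws/credentials as x_security_token_expires; both samples below are constructed, so check the key names against your own files.

```python
import configparser
from datetime import datetime, timezone

# Constructed ~/.saml2aws with two IDP accounts (key names are assumptions).
# CLIENT1 was configured without --profile, so its keys land in the 'saml' profile.
SAML2AWS_CONFIG = """
[AP_AWS]
provider = JumpCloud
aws_profile = AP_AWS
aws_session_duration = 14400
role_arn = arn:aws:iam::123456789012:role/admin

[CLIENT1]
provider = JumpCloud
aws_session_duration = 3600
"""

# Constructed ~/.aws/credentials as saml2aws writes it (secrets redacted).
AWS_CREDENTIALS = """
[AP_AWS]
aws_access_key_id = ASIA-REDACTED
aws_secret_access_key = REDACTED
aws_session_token = REDACTED
x_security_token_expires = 2019-08-07T16:12:08+02:00
"""

def load_ini(text):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser

def session_status(idp_account, saml2aws_cfg, credentials, now_iso=None, min_remaining=300):
    """Return (aws_profile, seconds_remaining, needs_login); needs_login is True
    when the profile has no cached keys, they expired, or < min_remaining s are left."""
    cfg, creds = load_ini(saml2aws_cfg), load_ini(credentials)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    # Without --profile, saml2aws stores the keys under the 'saml' AWS profile.
    profile = cfg.get(idp_account, "aws_profile", fallback="saml")
    if not creds.has_option(profile, "x_security_token_expires"):
        return profile, 0, True
    expires = datetime.fromisoformat(creds.get(profile, "x_security_token_expires"))
    remaining = int((expires - now).total_seconds())
    return profile, max(remaining, 0), remaining < min_remaining

def session_duration_ok(idp_account, saml2aws_cfg, role_max_seconds):
    """False when the configured duration would trigger the MaxSessionDuration
    ValidationError; role_max_seconds comes from IAM (aws iam get-role)."""
    return load_ini(saml2aws_cfg).getint(idp_account, "aws_session_duration") <= role_max_seconds
```

A wrapper script can call session_status for each IDP account and run `saml2aws login -a <account>` only when needs_login is True, instead of re-authenticating with MFA on every account switch.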

If you are rocking Jumpcloud and AWS, saml2aws should have a place in your tool-belt.

Want to know more? The experts of our Agile Software Factory are here to help you!
