/aws-credentials-from-saml

Intercepts AWS credentials from SAML SSO login

Primary LanguageJavaScriptMIT LicenseMIT

AWS credentials from SAML

The problem

Enterprise companies have a strong desire to centralise identity management into a single platform/solution, like Azure AD, Auth0, Okta, G-suite SAML provider or others. In this scenario one can get access to AWS through Federated SAML SSO (you can read about it here).

But there's a problem: if you live and breathe AWS, you certanly loathe clicking around on the console and you insist scripting the hell of out your infrastructure management. In the end it's 2019 and Infrastructure as Code is not even a buzzword anymore.

The solution

This is a browser extensino that allows you to get your job done without any causing any trouble. The extension incercepts the SAMLResponse sent from the IdP to AWS and uses AWS assumeRoleWithSAML API to obtain a set of credentials that you can use from the AWS CLI or any other application.

The credentials file is automatically downloaded to your download folder as you do the SAML login. The name of the file is set to always be credentials (overwriting the file if necessary). This allows you to point the AWS CLI to a stable file.

Configuring the AWS CLI

AWS CLI can read the location of the credentials file from the environment. Setting AWS_SHARED_CREDENTIALS_FILE to the credentials file in your browser's download folder should do the trick.

Assuming browser downloads files to the folder Downloads in your home, here is what you have to do.

On Linux/macOS: add the following to .bashrc or .bash_profile

export AWS_SHARED_CREDENTIALS_FILE=$HOME/Downloads/credentials

On Windows: open the terminal and type the following (has to be done only once, the change will persist)

setx AWS_SHARED_CREDENTIALS_FILE C:\Users\<username>\Downloads\credentials

Prior art

License

Licensed under MIT License