CLI to obtain JWT, SAML tokens, and AWS credentials using Auth0, OAuth and SAML.
Auth0 can be configured as the identity provider for the AWS, allowing your Auth0 users to directly log in to the AWS Console. Unfortunately, the functionality to obtain temporary access keys for calling AWS APIs and resources has been deprecated since June 8, 2017. With this command line utility, you can obtain AWS access keys through Auth0.
For this utility to work, I assume you have already integrated Auth0 with AWS as described in the article 'Configure SSO with the AWS Console'. If you have not done so, you can bootstrap yourself using the sample terraform configuration in this project.
For the utility to work, add the auth0-login application as a Single Page Application to Auth0, and enable the SAML2 Web App addon. On the Settings tab, set the Application Callback URL to http://localhost:12200/saml and paste the following SAML configuration code into settings page:
{
"recipient": "https://signin.aws.amazon.com/saml",
"audience": "https://signin.aws.amazon.com/saml",
"mappings": {
"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
},
"createUpnClaim": false,
"passthroughClaimsWithNoMapping": false,
"mapUnknownClaimsAsIs": false,
"mapIdentities": false,
"nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"nameIdentifierProbes": [
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
]
}This is identical to the AWS console configuration, with the exception of the type of application and the additional recipient field. This is to ensure that the
SAML assertion has AWS as the recipient and not the callback http://localhost:12200/saml.
Create a file ~/.saml-login with the following content:
[DEFAULT]
idp_url = https://<auth0-tenant>.auth0.com
client_id = <your-newly-added-client-id>Create a file ~/.aws-accounts with the following content:
[DEFAULT]
<aws-account-alias> = <aws-account-number>This allows you to specify the AWS account by alias, which greatly improves readibility.
To install the utility, type:
$ pip install auth0-loginTo show all available AWS roles. type:
$ saml-login aws-assume-role --show
[OAuthAdministrator@aws-alias]
idp_url = https://my-tenant.auth0.com
client_id = fJxw5Ir5E0eJDqdWkh+7VGI577uObvsFlAM0KZL5fI
aws_account = aws-alias
aws_role = OAuthAdministrator
aws_profile = OAuthAdministrator@aws-alias
[OAuthIdentity@aws-alias]
idp_url = https://my-tenant.auth0.com
client_id = fJxw5Ir5E0eJDqdWkh+7VGI577uObvsFlAM0KZL5fI
aws_account = aws-alias
aws_role = OAuthIdentity
aws_profile = OAuthIdentity@aws-aliasThis will start the browser for authentication, and output all available roles in the form of the individual sections in the configuration file.
Add the desired roles to your ~/.saml-login.
Now you can obtain the AWS access keys, by typing:
$ saml-login -c OAuthAdministrator@aws-alias aws-assume-role
INFO:Found credentials in shared credentials file: ~/.aws/credentials
INFO:credentials saved under AWS profile OAuthAdministrator@aws-aliasAgain you will be prompted by the the browser for authentication: the access keys are stored in ~/.aws/credentials.
There are two ways to open the AWS console:
$ saml-login -c OAuthAdministrator@aws-alias aws-assume-role --open-console
or using the credentials obtained earlier:
$ aws-console --profile OAuthAdministrator@aws-alias
With the command line utility, you can have SSO and temporary access keys for AWS using Auth0!