saml2aws

Published: Sep 11, 2016 License: MIT Imports: 21 Imported by: 0

README

saml2aws

CLI tool which enables you to log in and retrieve AWS temporary credentials using SAML with ADFS 3.x.

The process goes something like this:

  • Prompt user for credentials
  • Authenticate to ADFS using form-based auth
  • Build a SAML assertion containing AWS roles
  • Exchange the role and SAML assertion with AWS STS service to get a temporary set of credentials
  • Save these creds to an aws profile named "saml"
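The role-extraction step of this process, written here as an added example rather than code from the saml2aws project: it reads the AWS Role attribute out of the SAML response body and pairs each value's role and SAML-provider ARNs, which AWS permits in either order. The samlResponse type and the RolesFromAssertion name are this example's own; the AWSRole shape mirrors the one documented below.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// AWSRole mirrors the role/principal pair saml2aws offers for selection.
type AWSRole struct{ RoleARN, PrincipalARN string }

// Only the AttributeStatement is read; encoding/xml matches on local names,
// so the saml:/samlp: prefixes of a real response need no special handling.
type samlResponse struct {
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"Assertion>AttributeStatement>Attribute"`
}

// RolesFromAssertion splits each AWS Role attribute value into its role and
// saml-provider ARNs; AWS permits either order, so ARNs are told apart by shape.
func RolesFromAssertion(data []byte) ([]AWSRole, error) {
	var resp samlResponse
	if err := xml.Unmarshal(data, &resp); err != nil {
		return nil, err
	}
	var roles []AWSRole
	for _, a := range resp.Attributes {
		if a.Name == "https://aws.amazon.com/SAML/Attributes/Role" {
			for _, v := range a.Values {
				var r AWSRole
				for _, p := range strings.Split(v, ",") {
					switch p = strings.TrimSpace(p); {
					case strings.Contains(p, ":role/") && r.RoleARN == "":
						r.RoleARN = p
					case strings.Contains(p, ":saml-provider/") && r.PrincipalARN == "":
						r.PrincipalARN = p
					default: // unknown or repeated ARN: reject rather than guess
						return nil, fmt.Errorf("malformed role value %q", v)
					}
				}
				if r.RoleARN == "" || r.PrincipalARN == "" {
					return nil, fmt.Errorf("incomplete role value %q", v)
				}
				roles = append(roles, r)
			}
		}
	}
	return roles, nil
}
```

A response that carries no Role attribute yields an empty slice and no error, so callers should treat "nothing to choose from" as a failure before prompting the user.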

Requirements

  • ADFS 3.x
  • AWS SAML Provider configured

Usage

usage: saml2aws [<flags>] <hostname>

Flags:
      --help        Show context-sensitive help (also try --help-long and --help-man).
  -s, --skipVerify  Skip verification of server certificate.
  -p, --saml-profile-name="saml"
                    The AWS profile to save the temporary credentials
      --version     Show application version.

Args:
  <hostname>  Hostname of the ADFS service

Setup

Install the AWS CLI (see https://docs.aws.amazon.com/cli/latest/userguide/installing.html); in our case we are using Homebrew on OS X.

brew install awscli

Configure an empty default profile with your region of choice.

$ aws configure
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: us-west-2
Default output format [None]:

Then you're ready to use saml2aws.

Example

$ saml2aws id.example.com --skipVerify
ADFS https://id.example.com
Enter Username: wolfeidau@example.com
Enter Password:
Authenticating to ADFS...
Please choose the role you would like to assume:
[ 0 ]:  arn:aws:iam::123123123123:role/AWS-Admin-CloudOPSBuild
[ 1 ]:  arn:aws:iam::123123123123:role/AWS-Admin-CloudOPSNonProd
Selection: 1
selected role: arn:aws:iam::123123123123:role/AWS-Admin-CloudOPSNonProd
Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2016-09-10 23:01:50 +1000 AEST
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile saml ec2 describe-instances).

License

This code is Copyright (c) 2015 Versent and released under the MIT license. All rights not explicitly granted in the MIT license are reserved. See the included LICENSE.md file for more details.

Documentation

Index

Constants

This section is empty.

Variables

var (
	// ErrCredentialsHomeNotFound returned when a user home directory can't be located.
	ErrCredentialsHomeNotFound = errors.New("user home directory not found")

	// ErrCredentialsFileNotFound returned when the required aws credentials file doesn't exist.
	ErrCredentialsFileNotFound = errors.New("aws credentials file not found")
)
var (
	ErrMissingAssertion = ErrMissingElement{Tag: assertionTag}
)

ErrMissingAssertion indicates that an appropriate assertion element could not be found in the SAML Response.

Functions

func ExtractAwsRoles added in v1.0.0

func ExtractAwsRoles(data []byte) ([]string, error)

Types

type ADFSClient added in v1.0.0

type ADFSClient struct {
	// contains filtered or unexported fields
}

ADFSClient is a wrapper around ADFS enabling authentication and retrieval of assertions.

func NewADFSClient added in v1.0.0

func NewADFSClient(endpointURL string, skipVerify bool) (*ADFSClient, error)

NewADFSClient creates a new ADFS client.

func (*ADFSClient) Authenticate added in v1.0.0

func (ac *ADFSClient) Authenticate(creds *LoginCreds) (string, error)

Authenticate authenticates to ADFS and returns the data from the body of the SAML assertion.

type AWSRole added in v1.0.0

type AWSRole struct {
	RoleARN      string
	PrincipalARN string
}

AWSRole holds the AWS role attributes.

func PromptForAWSRoleSelection added in v1.0.0

func PromptForAWSRoleSelection(roles []string) (*AWSRole, error)

PromptForAWSRoleSelection presents a list of roles to the user for selection.

type CredentialsProvider added in v1.0.0

type CredentialsProvider struct {
	Filename string
	Profile  string
}

CredentialsProvider loads the AWS credentials file.

func NewSharedCredentials added in v1.0.0

func NewSharedCredentials(profile string) *CredentialsProvider

NewSharedCredentials is a helper to create the credentials provider.

func (*CredentialsProvider) Exists added in v1.0.0

func (p *CredentialsProvider) Exists() error

Exists verifies that the credentials file exists.

func (*CredentialsProvider) Save added in v1.0.0

func (p *CredentialsProvider) Save(id, secret, token string) error

Save persists the credentials.

type ErrMissingElement

type ErrMissingElement struct {
	Tag, Attribute string
}

ErrMissingElement is the error type that indicates an element and/or attribute is missing. It provides a structured error that can be more appropriately acted upon.

func (ErrMissingElement) Error

func (e ErrMissingElement) Error() string

type LoginCreds added in v1.0.0

type LoginCreds struct {
	Username string
	Password string
}

LoginCreds holds the credentials used to authenticate to ADFS.

func PromptForLoginCreds added in v1.0.0

func PromptForLoginCreds() (*LoginCreds, error)

PromptForLoginCreds prompts the user for their username and password.

Directories

Path Synopsis
cmd
