Open source software name: cevoaustralia/aws-google-auth
Open source software URL: https://github.com/cevoaustralia/aws-google-auth
Open source programming language: Python 83.0%
Open source software introduction:

aws-google-auth

This command-line tool allows you to acquire AWS temporary (STS) credentials using Google Apps as a federated (Single Sign-On, or SSO) provider.

Setup

You'll first have to set up Google Apps as a SAML identity provider (IdP) for AWS. There are tasks to be performed on both the Google Apps and the Amazon sides; these references should help you with those configurations:
If you need a fairly simple way to assign users to roles in AWS accounts, we have another tool called Google AWS Federator that might help you.

Important Data

You will need to know Google's assigned Identity Provider ID, and the ID that they assign to the SAML service provider. Once you've set up the SAML SSO relationship between Google and AWS, you can find the SP ID by drilling into the Google Apps console, under
You can find the

Installation

You can install quite easily via

```shell
# For basic installation
localhost$ sudo pip install aws-google-auth
# For installation with U2F support
localhost$ sudo pip install aws-google-auth[u2f]
```

Note: If using ZSH you will need to quote the install, as below:

```shell
localhost$ sudo pip install "aws-google-auth[u2f]"
```

If you don't want to have the tool installed on your local system, or if you prefer to isolate changes, there is a Dockerfile provided, which you can build with:

```shell
# Perform local build
localhost$ cd ..../aws-google-auth && docker build -t aws-google-auth .
# Use the Docker Hub version
localhost$ docker pull cevoaustralia/aws-google-auth
```

Development

If you want to develop the AWS-Google-Auth tool itself, we thank you! In order to help you get rolling, you'll want to install locally with pip. Of course, you can use your own regular workflow, with tools like virtualenv.

```shell
# Install (without U2F support)
pip install -e .
# Install (with U2F support)
pip install -e .[u2f]
```

We welcome you to review our code of conduct and contributing documents.

Usage

```
$ aws-google-auth -h
usage: aws-google-auth [-h] [-u USERNAME] [-I IDP_ID] [-S SP_ID] [-R REGION]
                       [-d DURATION] [-p PROFILE] [-D] [-q]
                       [--bg-response BG_RESPONSE]
                       [--saml-assertion SAML_ASSERTION] [--no-cache]
                       [--print-creds] [--resolve-aliases]
                       [--save-failure-html] [--save-saml-flow] [-a | -r ROLE_ARN] [-k]
                       [-l {debug,info,warn}] [-V]

Acquire temporary AWS credentials via Google SSO

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        Google Apps username ($GOOGLE_USERNAME)
  -I IDP_ID, --idp-id IDP_ID
                        Google SSO IDP identifier ($GOOGLE_IDP_ID)
  -S SP_ID, --sp-id SP_ID
                        Google SSO SP identifier ($GOOGLE_SP_ID)
  -R REGION, --region REGION
                        AWS region endpoint ($AWS_DEFAULT_REGION)
  -d DURATION, --duration DURATION
                        Credential duration (defaults to value of $DURATION, then
                        falls back to 43200)
  -p PROFILE, --profile PROFILE
                        AWS profile (defaults to value of $AWS_PROFILE, then
                        falls back to 'sts')
  -D, --disable-u2f     Disable U2F functionality.
  -q, --quiet           Quiet output
  --bg-response BG_RESPONSE
                        Override default bgresponse challenge token ($GOOGLE_BG_RESPONSE).
  --saml-assertion SAML_ASSERTION
                        Base64 encoded SAML assertion to use.
  --no-cache            Do not cache the SAML Assertion.
  --print-creds         Print Credentials.
  --resolve-aliases     Resolve AWS account aliases.
  --save-failure-html   Write HTML failure responses to file for
                        troubleshooting.
  --save-saml-flow      Write all GET and PUT requests and HTML responses to/from Google to files for troubleshooting.
  -a, --ask-role        Set true to always pick the role
  -r ROLE_ARN, --role-arn ROLE_ARN
                        The ARN of the role to assume ($AWS_ROLE_ARN)
  -k, --keyring         Use keyring for storing the password.
  -l {debug,info,warn}, --log {debug,info,warn}
                        Select log level (default: warn)
  -V, --version         show program's version number and exit
```

Note: If you want a longer session than the AWS default 3600 seconds (1 hour) duration, you must also modify the IAM Role to permit this. See the AWS documentation for more information.

Native Python
Note: You can skip prompts by either passing parameters to the command, or setting the specified environment variables.

Via Docker
You'll be prompted for your password. If you've set up an MFA token for your Google account, you'll also be prompted for the current token value. If you have a U2F security key added to your Google account, you won't be able to use this via Docker; the Docker container will not be able to access any devices connected to the host ports. You will likely see the following error during runtime: "RuntimeWarning: U2F Device Not Found". If you have more than one role available to you (and you haven't set up ROLE_ARN), you'll be prompted to choose the role from a list.

Feeding password from stdin

To enhance usability when using third-party tools for managing passwords (aka password managers) you can feed data in
When receiving data from
Before #82, all interactive prompts could be fed from
Example usage:

Note: this feature is intended for password manager integration, not for passing passwords from the command line. Please use the interactive prompt if you need to pass the password manually, as this provides enhanced security and avoids password leakage to shell history.

Storage of profile credentials

Through the use of AWS profiles, using the
When re-authenticating using the same profile, the values will be remembered to speed up the re-authentication process. This allows you to enter your username, IdP and SP values once and afterwards only need to re-enter your password (and MFA if enabled). Creating an alias as below can be a quick and easy way to re-authenticate with a simple command shortcut.

Or, if you've already established a profile with valid cached values:
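The split the profile mechanism relies on, as an added example (not the tool's own code): the short-lived STS credentials go into the credentials file, owner-readable only, while the non-secret settings that are remembered between runs go into the config file. The key names (`google_username`, `google_idp_id`, `google_sp_id`, `role_arn`) and the `demo` values are assumed for this example and are not the project's own.

```python
import configparser
import os
import tempfile

# Key names assumed for this example; they are not the tool's own config keys.
CACHED_KEYS = ("google_username", "google_idp_id", "google_sp_id", "role_arn")


def _config_section(profile):
    # ~/.aws/config names non-default profiles "profile NAME"; credentials uses the bare name.
    return profile if profile == "default" else "profile " + profile


def save_session(aws_dir, profile, creds, settings):
    """Store the temporary STS credentials (secret) and the reusable settings (not secret)."""
    os.makedirs(aws_dir, mode=0o700, exist_ok=True)
    cred_path = os.path.join(aws_dir, "credentials")
    creds_ini = configparser.RawConfigParser()
    creds_ini.read(cred_path)  # silently skips a missing file
    creds_ini[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    # Create owner-only, and re-apply the mode in case the file already existed with a looser one.
    fd = os.open(cred_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "w") as fh:
        creds_ini.write(fh)
    conf_path = os.path.join(aws_dir, "config")
    conf_ini = configparser.RawConfigParser()
    conf_ini.read(conf_path)
    conf_ini[_config_section(profile)] = {k: settings[k] for k in CACHED_KEYS if k in settings}
    with open(conf_path, "w") as fh:
        conf_ini.write(fh)


def load_cached(aws_dir, profile):
    """Return the remembered non-secret settings for a profile (empty dict if none)."""
    conf_ini = configparser.RawConfigParser()
    conf_ini.read(os.path.join(aws_dir, "config"))
    section = _config_section(profile)
    if not conf_ini.has_section(section):
        return {}
    return {k: conf_ini.get(section, k) for k in CACHED_KEYS if conf_ini.has_option(section, k)}


def demo():
    """Write one session into a throwaway directory, then read back what would be remembered."""
    aws_dir = os.path.join(tempfile.mkdtemp(), ".aws")
    creds = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret", "SessionToken": "token"}  # constructed
    settings = {"google_username": "alice@example.com", "google_idp_id": "C0exampl", "google_sp_id": "123456"}
    save_session(aws_dir, "sts", creds, settings)
    mode = os.stat(os.path.join(aws_dir, "credentials")).st_mode & 0o777
    return load_cached(aws_dir, "sts"), mode
```

On a second run only the password (and MFA) is needed, because `load_cached` supplies the rest; the credentials file never holds anything but the current session's keys.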
Notes on Authentication

Google supports a number of 2-factor authentication schemes. Each of these results in a slightly different "next" URL, if they're enabled, during
Google controls the preference ordering of these schemes in the case that you have multiple ones defined. The varying 2-factor schemes and their representative URL fragments handled by this tool are:
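Once Google has finished the password and 2-factor steps, what the tool works from is the SAML response: the role list it prompts with (see the Via Docker section) and the pair that `--role-arn` selects both come from the `https://aws.amazon.com/SAML/Attributes/Role` attribute. The following is an added example, not the project's own code: `parse_roles` extracts the (role, provider) pairs from a constructed, unsigned sample response and `select_role` applies the same choice rule as the prompt or `--role-arn`; both function names and the sample are assumed here.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample for this example (not a real Google response): an unsigned
# response offering two roles. Real responses are signed and considerably larger.
SAMPLE_B64 = base64.b64encode(b"""<saml2p:Response
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:Assertion><saml2:AttributeStatement>
  <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
   <saml2:AttributeValue>arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/Google</saml2:AttributeValue>
   <saml2:AttributeValue>arn:aws:iam::222222222222:saml-provider/Google,arn:aws:iam::222222222222:role/ReadOnly</saml2:AttributeValue>
  </saml2:Attribute>
 </saml2:AttributeStatement></saml2:Assertion>
</saml2p:Response>""").decode()


def parse_roles(assertion_b64):
    """Return [(role_arn, principal_arn), ...] from a base64-encoded SAML response."""
    # Parsing only: the signature is checked by AWS STS when the assertion is presented.
    # For responses from the network, prefer defusedxml over xml.etree.
    root = ET.fromstring(base64.b64decode(assertion_b64))
    roles = []
    for attr in root.iter(SAML_NS + "Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter(SAML_NS + "AttributeValue"):
            parts = [p.strip() for p in (value.text or "").split(",")]
            # AWS accepts "role,provider" or "provider,role"; normalise to role first.
            if len(parts) == 2 and ":role/" in parts[1] and ":saml-provider/" in parts[0]:
                parts.reverse()
            if len(parts) != 2 or ":role/" not in parts[0] or ":saml-provider/" not in parts[1]:
                raise ValueError("malformed Role attribute value: %r" % value.text)
            roles.append((parts[0], parts[1]))
    return roles


def select_role(roles, role_arn=None):
    """Choose the pair to hand to STS AssumeRoleWithSAML (what --role-arn or the prompt decides)."""
    if role_arn is not None:
        for pair in roles:
            if pair[0] == role_arn:
                return pair
        raise LookupError("role %s is not offered by this assertion" % role_arn)
    if len(roles) != 1:
        raise LookupError("%d roles offered; a role_arn must be chosen" % len(roles))
    return roles[0]
```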
Acknowledgments

This work is inspired by keyme -- their digging into the guts of how Google SAML auth works is what's enabled it. The attribute management and credential injection into AWS configuration files was heavily borrowed from aws-adfs <https://github.com/venth/aws-adfs>.