
Creating temporary login credentials for AWS CLI with STS

This tool was ported from a Python script in the AWS samples S3 bucket [1].

However, it didn't work for me out of the box: it used Python 3 (by the time it got to me, I got it from a 3rd party) and I only had Python 2.7, and I wanted to learn more Go.

For when I can't remember: STS stands for Security Token Service.

Install (with the Go toolchain)

go get -u github.com/NearlyUnique/awsSts

Download the current release for your platform.

Change log

Target Platforms

It works on Windows; I've tested Linux (bash on Windows); there is no reason it won't work on OSX.

Usage

Common scenario:

  • My STS web login web page is here: https://sts.domain.company.org/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
  • My other scripts are going to use the default AWS profile
  • Automatically select the role arn:aws:iam::123456789:role/my-role
  • Leave running in a state where I can automatically refresh my token with one key press when it expires in an hour

awsSts logon --url https://sts.domain.company.org/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices --profile default --role arn:aws:iam::123456789:role/my-role

Run with --help for full details, including all parameters that can be read from the environment.

Roadmap

  1. Override credential file location via flag
  2. Keep running and auto refresh before expiry (optional)
  3. Deal with the naming of INPUT tags in the login form; the Python sample did some work in this area, and I want to improve the guessing ability and allow the user to define the names if we can't guess.
  4. Add a command to ease IAM user creation
  5. Add a command to rotate IAM user secrets
  6. Auto upgrade
  • use runtime.GOOS and _VERSION
  • call GET https://api.github.com/repos/NearlyUnique/awsSts/releases/latest
    {
      "tag_name": "0.7",
      "assets": [
        {
          "name": "awsSts-0.7-linux",
          "browser_download_url": "https://some-url"
        }
      ]
    }
  • the browser_download_url may give a redirect
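As an added example of the auto-upgrade check sketched above (this is not code from awsSts): it decodes a constructed copy of the releases/latest response, compares the tag against the running version component by component, and picks the asset whose name matches awsSts-<tag>-<GOOS>. That naming, the `.exe` suffix on the Windows asset and the example.invalid URLs are assumptions. The HTTP call itself is left out; Go's default http.Client follows the redirect that browser_download_url may answer with.

```go
package main

import (
	"encoding/json"
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// Constructed sample of the GitHub latest-release response, trimmed to the
// fields the roadmap item needs. Asset names are assumed to follow
// awsSts-<tag>-<os>, with .exe appended on Windows.
const sampleRelease = `{
  "tag_name": "0.7",
  "assets": [
    {"name": "awsSts-0.7-linux",       "browser_download_url": "https://example.invalid/awsSts-0.7-linux"},
    {"name": "awsSts-0.7-windows.exe", "browser_download_url": "https://example.invalid/awsSts-0.7-windows.exe"},
    {"name": "awsSts-0.7-darwin",      "browser_download_url": "https://example.invalid/awsSts-0.7-darwin"}
  ]
}`

type release struct {
	TagName string `json:"tag_name"`
	Assets  []struct {
		Name string `json:"name"`
		URL  string `json:"browser_download_url"`
	} `json:"assets"`
}

// component returns the i-th numeric part of a split version, 0 past the end.
func component(parts []string, i int) (int, error) {
	if i >= len(parts) {
		return 0, nil
	}
	n, err := strconv.Atoi(parts[i])
	if err != nil {
		return 0, fmt.Errorf("version part %q is not numeric", parts[i])
	}
	return n, nil
}

// newerThan reports whether dotted-numeric tag a is later than b. Comparing
// component by component is what makes "0.10" sort after "0.7".
func newerThan(a, b string) (bool, error) {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, err := component(as, i)
		if err != nil {
			return false, err
		}
		y, err := component(bs, i)
		if err != nil {
			return false, err
		}
		if x != y {
			return x > y, nil
		}
	}
	return false, nil
}

// findUpgrade parses the release JSON and, when it is newer than the running
// version, returns the download URL of the asset built for goos. A release
// without an asset for this platform is an error rather than a silent no-op.
func findUpgrade(body []byte, currentVersion, goos string) (string, bool, error) {
	var rel release
	if err := json.Unmarshal(body, &rel); err != nil {
		return "", false, fmt.Errorf("release JSON: %w", err)
	}
	newer, err := newerThan(rel.TagName, currentVersion)
	if err != nil || !newer {
		return "", false, err
	}
	want := "awsSts-" + rel.TagName + "-" + goos
	for _, a := range rel.Assets {
		if a.Name == want || strings.HasPrefix(a.Name, want+".") {
			return a.URL, true, nil
		}
	}
	return "", true, fmt.Errorf("release %s has no asset for %s", rel.TagName, goos)
}

// currentOS selects the asset for the platform the tool is running on.
var currentOS = runtime.GOOS

func main() {
	// The real check would GET https://api.github.com/repos/NearlyUnique/awsSts/releases/latest
	// with net/http, whose default client already follows redirects.
	url, newer, err := findUpgrade([]byte(sampleRelease), "0.6", currentOS)
	fmt.Println(url, newer, err)
}
```

Returning the "newer" flag separately from the error lets the caller distinguish "already up to date" from "a newer release exists but nothing was published for this platform", which is worth a warning rather than silence.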

How it works

  1. Download the login form; we need the cookies
  2. Fill in the user name and password
  3. Post the form back
  4. Parse the response HTML form
  5. Find the SAMLResponse INPUT element
  6. Base64-decode it (it's now XML)
  7. Extract the roles, select one
  8. Call AWS AssumeRoleWithSAML
  9. Update the credentials ini file with the result
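The parsing half of this sequence (steps 4 to 7), as an added Go example that is not the project's own code: it pulls the hidden SAMLResponse out of a constructed ADFS-style form, base64-decodes it, reads the AWS Role attribute from the SAML XML (accepting either order of role ARN and provider ARN) and selects the role given as --role. The form, the assertion and the ARNs are constructed samples; the AssumeRoleWithSAML call (step 8) and the ini write (step 9) need the AWS SDK and a file system and are left out.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample assertion, trimmed to the AWS Role attribute the tool
// reads; ADFS may list the role ARN and the provider ARN in either order.
const sampleAssertion = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
   <saml:AttributeValue>arn:aws:iam::123456789:role/my-role,arn:aws:iam::123456789:saml-provider/ADFS</saml:AttributeValue>
   <saml:AttributeValue>arn:aws:iam::123456789:saml-provider/ADFS,arn:aws:iam::123456789:role/read-only</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>`

// Constructed sample of the form ADFS returns after login (step 4).
var sampleHTML = `<html><body><form method="post" action="https://signin.aws.amazon.com/saml">
 <input type="hidden" name="SAMLResponse" value="` + base64.StdEncoding.EncodeToString([]byte(sampleAssertion)) + `" />
 <input type="submit" value="Continue" />
</form></body></html>`

var inputTagRe = regexp.MustCompile(`(?is)<input\b[^>]*>`)
var nameRe = regexp.MustCompile(`(?i)\bname\s*=\s*"SAMLResponse"`)
var valueRe = regexp.MustCompile(`(?is)\bvalue\s*=\s*"([^"]*)"`)

// extractSAMLResponse finds the hidden SAMLResponse INPUT (step 5) whatever
// the attribute order and returns its value, still base64 encoded.
func extractSAMLResponse(page string) (string, error) {
	for _, tag := range inputTagRe.FindAllString(page, -1) {
		if m := valueRe.FindStringSubmatch(tag); nameRe.MatchString(tag) && m != nil {
			return m[1], nil
		}
	}
	return "", fmt.Errorf("no SAMLResponse input with a value: the login did not succeed")
}

// RolePair is what AssumeRoleWithSAML needs (step 8): role and provider ARN.
type RolePair struct{ RoleARN, PrincipalARN string }

type samlResponse struct {
	XMLName    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"Assertion>AttributeStatement>Attribute"`
}

// decodeRoles base64-decodes the response (step 6) and collects every
// role/provider pair from the Role attribute (step 7).
func decodeRoles(encoded string) ([]RolePair, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(encoded))
	if err != nil {
		return nil, fmt.Errorf("SAMLResponse is not valid base64: %w", err)
	}
	var resp samlResponse
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("SAMLResponse is not a SAML Response: %w", err)
	}
	var roles []RolePair
	for _, attr := range resp.Attributes {
		if attr.Name != "https://aws.amazon.com/SAML/Attributes/Role" {
			continue
		}
		for _, v := range attr.Values {
			parts := strings.Split(strings.TrimSpace(v), ",")
			if len(parts) != 2 {
				return nil, fmt.Errorf("malformed Role value %q", v)
			}
			p := RolePair{RoleARN: parts[0], PrincipalARN: parts[1]}
			if strings.Contains(parts[1], ":role/") { // provider was listed first
				p.RoleARN, p.PrincipalARN = parts[1], parts[0]
			}
			roles = append(roles, p)
		}
	}
	if len(roles) == 0 {
		return nil, fmt.Errorf("assertion grants no AWS roles")
	}
	return roles, nil
}

// selectRole picks the pair matching --role; a mistyped ARN must fail rather
// than fall through to some other role the user happens to hold.
func selectRole(roles []RolePair, want string) (RolePair, error) {
	for _, r := range roles {
		if r.RoleARN == want {
			return r, nil
		}
	}
	return RolePair{}, fmt.Errorf("role %s is not offered by the assertion", want)
}

func main() {
	enc, _ := extractSAMLResponse(sampleHTML) // sample input is known good; errors are checked in the functions
	roles, _ := decodeRoles(enc)
	fmt.Println(selectRole(roles, "arn:aws:iam::123456789:role/my-role"))
}
```

The provider ARN passed to AssumeRoleWithSAML is taken from the assertion itself, never from configuration, so a role the IdP did not grant cannot be requested by editing a local file; and an unknown --role is an error, not a fallback to the first role in the list.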

References

[1] https://s3.amazonaws.com/awsiammedia/public/sample/SAMLAPICLIADFS/samlapi_formauth_adfs3.py


Issues

Recognise password update response (0.6)

If your password expires, it should detect that scenario

and optionally allow user to perform update

look for
<span id="expiredNotification">You must update your password because your password has expired.</span>

inputs

userNameInput
oldPasswordInput
newPasswordInput
confirmNewPasswordInput
submitButton
cancelButton

example form action

POST /adfs/portal/updatepassword?loginToRp=urn:amazon:webservices&origin=%2fadfs%2fls%2fIdpInitiatedSignOn.aspx&username=user-name%40domain.name&ex=1
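An added Go sketch (not part of awsSts) of the detection this issue asks for: it recognises the expiredNotification span, reads the update form's action (decoding the username from its query string) and reports which of the listed inputs are absent, so the tool can stop with a clear message instead of guessing. The page is a constructed sample built from the span, input ids and form action quoted in the issue; the inputs' name attributes are not given there and are left out.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
)

// Constructed sample of the page ADFS serves instead of the SAML form when the
// password has expired. Span id, input ids and form action come from the issue.
const expiredPage = `<html><body>
<span id="expiredNotification">You must update your password because your password has expired.</span>
<form method="post" action="/adfs/portal/updatepassword?loginToRp=urn:amazon:webservices&amp;origin=%2fadfs%2fls%2fIdpInitiatedSignOn.aspx&amp;username=user-name%40domain.name&amp;ex=1">
 <input id="userNameInput" type="text" value="user-name@domain.name" />
 <input id="oldPasswordInput" type="password" />
 <input id="newPasswordInput" type="password" />
 <input id="confirmNewPasswordInput" type="password" />
 <span id="submitButton">Submit</span>
 <span id="cancelButton">Cancel</span>
</form></body></html>`

var (
	expiredRe = regexp.MustCompile(`(?is)<span\b[^>]*\bid\s*=\s*"expiredNotification"[^>]*>(.*?)</span>`)
	actionRe  = regexp.MustCompile(`(?is)<form\b[^>]*\baction\s*=\s*"([^"]*)"`)
	inputIDRe = regexp.MustCompile(`(?is)<input\b[^>]*\bid\s*=\s*"([^"]*)"`)
)

// expectedInputs are the ids the update form should carry (from the issue).
var expectedInputs = []string{"userNameInput", "oldPasswordInput", "newPasswordInput", "confirmNewPasswordInput"}

// ExpiredPassword describes a detected password-expiry page.
type ExpiredPassword struct {
	Message  string   // text of the expiredNotification span
	Action   *url.URL // where the update form posts to
	Username string   // username carried in the action's query string
	Missing  []string // expected inputs not found, so the tool can refuse rather than guess
}

// detectExpiredPassword returns nil, nil for an ordinary page and a populated
// description when the expired-password notification is present.
func detectExpiredPassword(page string) (*ExpiredPassword, error) {
	m := expiredRe.FindStringSubmatch(page)
	if m == nil {
		return nil, nil
	}
	a := actionRe.FindStringSubmatch(page)
	if a == nil {
		return nil, fmt.Errorf("password expired but no update form action found")
	}
	action, err := url.Parse(html.UnescapeString(a[1]))
	if err != nil {
		return nil, fmt.Errorf("form action: %w", err)
	}
	present := map[string]bool{}
	for _, id := range inputIDRe.FindAllStringSubmatch(page, -1) {
		present[id[1]] = true
	}
	res := &ExpiredPassword{
		Message:  html.UnescapeString(m[1]),
		Action:   action,
		Username: action.Query().Get("username"),
	}
	for _, id := range expectedInputs {
		if !present[id] {
			res.Missing = append(res.Missing, id)
		}
	}
	return res, nil
}

func main() {
	res, err := detectExpiredPassword(expiredPage)
	if err != nil || res == nil {
		fmt.Println("not an expired-password page:", err)
		return
	}
	fmt.Printf("%s\nupdate form: %s (user %s), missing inputs: %v\n", res.Message, res.Action.Path, res.Username, res.Missing)
}
```

Running this check on the response to step 3 before looking for SAMLResponse turns a confusing "no SAMLResponse input" failure into a precise one, and the Missing list is the hook for the optional update flow: only attempt it when every expected input is present.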

specify credentials file

Currently credentials are searched for under the environment variables HOME or USERPROFILE, which suits most cases, but testing or running from non-standard systems requires more choice.

maybe --credentialfile <path> and/or AWSSTS_CREDENTIALS

option to specify multiple files for scenario of ubuntu bash on windows to update bash and windows file at the same time

Silent install

Would be great to have the ability to obtain the credentials (printing them to stdout?) without the need for prompts to select a role. Would be ideal in CI/CD situations where information is required dynamically.
