aws-cli-auth


AWS CLI AUTH

CLI tool for retrieving AWS temporary credentials using a variety of methods.

Supports:

This tool deals with IdP logins via SAML, either into an AWS account directly or via the AWS SSO Portal.


NOTE: the AWS CLI now supports login via a session into a single AWS portal. It works in a similar fashion, except that this tool does not store the refreshToken on the device and is meant to be used with credential_process.


If you have an OIDC IdP provider set up to AWS, you can use aws-cli-oidc, and likewise saml2aws for standard SAML-only AWS integrations. Standard here means that your IdP has a standard flow and supports programmatic MFA submission.

If, however, you need to support non-standard user journeys enforced by your IdP, e.g. a sub-company selection within your organization login portal, or a selection screen for different MFA providers (PingID, RSA HardToken, etc.), you cannot reliably automate the flow, or the automation would have to be too specific.

As such, this approach uses the go-rod library to uniformly allow the user to complete any and all auth steps and selections in a managed browser session, up to the point where the SAMLResponse is to be sent to the AWS ACS service at https://signin.aws.amazon.com/saml.

The SAMLResponse is captured via a hijacked request and posted to the AWS STS service, which exchanges it for temporary credentials.
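To make the step between capture and exchange concrete, here is an added example (not code from this project) that decodes a captured SAMLResponse form field and lists the role/provider ARN pairs that an AssumeRoleWithSAML call would need. `RolePair` and `RolesFromForm` are hypothetical names, the account ID and role names are placeholders, and `strings.Cut` assumes Go 1.18 or later.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

type RolePair struct{ RoleARN, PrincipalARN string } // inputs to sts:AssumeRoleWithSAML

// RolesFromForm decodes the SAMLResponse form field and returns the role/provider ARN pairs in it.
func RolesFromForm(form url.Values) ([]RolePair, error) {
	raw, err := base64.StdEncoding.DecodeString(form.Get("SAMLResponse"))
	if err != nil || len(raw) == 0 {
		return nil, fmt.Errorf("missing or undecodable SAMLResponse")
	}
	var resp struct {
		Attrs []struct {
			Name   string   `xml:"Name,attr"`
			Values []string `xml:"AttributeValue"`
		} `xml:"Assertion>AttributeStatement>Attribute"`
	}
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return nil, err
	}
	var out []RolePair
	for _, a := range resp.Attrs {
		if a.Name != "https://aws.amazon.com/SAML/Attributes/Role" {
			continue
		}
		for _, v := range a.Values {
			first, second, _ := strings.Cut(v, ",")
			p := RolePair{strings.TrimSpace(first), strings.TrimSpace(second)}
			if strings.Contains(p.RoleARN, ":saml-provider/") { // some IdPs emit the pair reversed
				p.RoleARN, p.PrincipalARN = p.PrincipalARN, p.RoleARN
			}
			out = append(out, p)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample: placeholder account ID and names, not a real assertion.
	x := `<Response><Assertion><AttributeStatement><Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><AttributeValue>` +
		`arn:aws:iam::111122223333:saml-provider/ExampleIdP,arn:aws:iam::111122223333:role/Dev</AttributeValue></Attribute></AttributeStatement></Assertion></Response>`
	fmt.Println(RolesFromForm(url.Values{"SAMLResponse": {base64.StdEncoding.EncodeToString([]byte(x))}}))
}
```

The example only reads the assertion to pick a role; it does not verify the IdP's signature, which is checked by STS when the assertion is exchanged.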

The advantage of using SAML is that real users can gain access to the AWS Console UI or programmatic access, and are audited as the same person in CloudTrail.

By default the tool creates the session name, which can be audited, including the person's username from the localhost.

Installation

Usage

Known Issues

Contribute

Contributions to the aws-auth-cli package are most welcome from engineers of all backgrounds and skill levels.

In particular, extra test coverage and code enhancements are welcome.

This project will adhere to the Go Community Code of Conduct in the GitHub-provided discussion spaces.

To make a contribution:

Acknowledgements

Inspired by/Borrowed the design for secretStore from these 2 packages: