Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow to login to google using the browser #225

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

mcfedr
Copy link

@mcfedr mcfedr commented Mar 3, 2021

This adds the possibility to not login to google on the cli, but instead go to the users browser and use his google session, and have it passed back to the cli.

It works by setting up a GSuite SAML app that doesnt send the user direct to aws, but instead to a server that is in the python app, this can then capture the SAML and use it to access AWS.

@ghost
Copy link

ghost commented Sep 21, 2021

Hi 👋
Do you know if there is a blocker that prevents merging this feature to the repository ?

@mcfedr
Copy link
Author

mcfedr commented Sep 21, 2021

@ph-kpichou since making this MR, I've actually reworked the project into something quite different from the original, that only uses browser based login, if you are interested its now the main branch at https://github.com/ekreative/aws-saml-auth

@ghost
Copy link

ghost commented Sep 21, 2021

Thanks @mcfedr, I'll probably give it a try :)

@mcfedr
Copy link
Author

mcfedr commented Sep 22, 2021

I'd be interested to know if someone else can make it work

@ghost
Copy link

ghost commented Sep 22, 2021

Actually, I'm not. I tried a bit this morning but with no success.
I run this command

aws-saml-auth --credential-process -L https://accounts.google.com/o/saml2/initsso\?idpid\=MYIDP\&spid\=MYSP\&forceauthn\=false -R eu-west-1 -r arn:aws:iam::AWSACCOUNT:role/administrator -A AWSACCOUNT

A browser tab opened, I can cannot to my Google account, then I can choose the account/role I want to use on AWS, and get logged to the console. This is the exact same process for me as when I want to log-in to the console using SAML. But on the CLI, nothing else happen. I just have the WARNING:root:Opening url BLAH message, and it hangs.

I guess I'm doing it correctly, but I don't know what is not working.
Few things that might be an issue I thought about :

  • I am connected to multiple Google accounts on my browser (but only one use SAML). So when I open the SAML link Google ask me to choose an account, maybe it's different on your side
  • I have multiple AWS accounts and multiple roles on those accounts. So after the Google login, I'm redirect to an AWS page that ask me to choose account/role I want to assume in the console

@mcfedr
Copy link
Author

mcfedr commented Sep 22, 2021

To use this version you need to add a new google workspace app - https://github.com/ekreative/aws-saml-auth/blob/main/README.rst#setup-aws-saml-and-google-workspace - this is so that the redirect goes to the cli http listener instead of that AWS choose account page.

@ghost
Copy link

ghost commented Sep 22, 2021

Oh sure, sorry I didn't read well. I'll try and tell you if it works :) Thanks !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant