-
Notifications
You must be signed in to change notification settings - Fork 26
/
customer_idp_broker.py
73 lines (64 loc) · 3.12 KB
/
customer_idp_broker.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
import urllib
import json
import sys
import requests # 'pip install requests'
import boto3 # AWS SDK for Python (Boto3) 'pip install boto3'
# Step 1: Authenticate user in your own identity system.
# Step 2: Using the access keys for an IAM user in your AWS account,
# call "AssumeRole" to get temporary access keys for the federated user
# Note: Calls to AWS STS AssumeRole must be signed using the access key ID
# and secret access key of an IAM user or using existing temporary credentials.
# The credentials can be in EC2 instance metadata, in environment variables,
# or in a configuration file, and will be discovered automatically by the
# client('sts') function. For more information, see the Python SDK docs:
# http://boto3.readthedocs.io/en/latest/reference/services/sts.html
# http://boto3.readthedocs.io/en/latest/reference/services/sts.html#STS.Client.assume_role
# Use the service role with STS permission, you should configure the profile which name as sts_user
# sts_user with permission to call sts service
session = boto3.Session(profile_name='sts_user',
region_name='cn-north-1')
sts_connection = session.client('sts')
print(sts_connection._endpoint)
# Step 2.1 Sessin Revoke
# Step 2.2 Assume Role
assumed_role_object = sts_connection.assume_role(
RoleArn="arn:aws-cn:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/SSO-ROLE-NAME",
RoleSessionName="[email protected]",
)
# Step 3: Format resulting temporary credentials into JSON
url_credentials = {}
url_credentials['sessionId'] = assumed_role_object.get(
'Credentials').get('AccessKeyId')
url_credentials['sessionKey'] = assumed_role_object.get(
'Credentials').get('SecretAccessKey')
url_credentials['sessionToken'] = assumed_role_object.get(
'Credentials').get('SessionToken')
json_string_with_temp_credentials = json.dumps(url_credentials)
# Step 4. Make request to AWS federation endpoint to get sign-in token. Construct the parameter string with
# the sign-in action request, a 12-hour session duration, and the JSON document with temporary credentials
# as parameters.
request_parameters = "?Action=getSigninToken"
request_parameters += "&SessionDuration=43200"
if sys.version_info[0] < 3:
def quote_plus_function(s):
return urllib.quote_plus(s)
else:
def quote_plus_function(s):
return urllib.parse.quote_plus(s)
request_parameters += "&Session=" + \
quote_plus_function(json_string_with_temp_credentials)
request_url = "https://signin.amazonaws.cn/federation" + request_parameters
r = requests.get(request_url)
# Returns a JSON document with a single element named SigninToken.
signin_token = json.loads(r.text)
# Step 5: Create URL where users can use the sign-in token to sign in to
# the console. This URL must be used within 15 minutes after the
# sign-in token was issued.
request_parameters = "?Action=login"
request_parameters += "&Issuer=Example.org"
request_parameters += "&Destination=" + \
quote_plus_function("https://console.amazonaws.cn/")
request_parameters += "&SigninToken=" + signin_token["SigninToken"]
request_url = "https://signin.amazonaws.cn/federation" + request_parameters
# Send final URL to stdout
print(request_url)