saml2aws

package module

v1.0.0 Latest Latest Go to latest Published: Sep 11, 2016 License: MIT Imports: 21 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/duckfez/saml2splunk

README ¶

saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using SAML with ADFS 3.x.

The process goes something like this:

Prompt user for credentials
Authenticate to ADFS using formbased auth
Build a SAML assertion containing AWS roles
Exchange the role and SAML assertion with AWS STS service to get a temporary set of credentials
Save these creds to an aws profile named "saml"

Requirements

ADFS 3.x
AWS SAML Provider configured

Usage

usage: saml2aws [<flags>] <hostname>

Flags:
      --help        Show context-sensitive help (also try --help-long and --help-man).
  -s, --skipVerify  Skip verification of server certificate.
  -p, --saml-profile-name="saml"
                    The AWS profile to save the temporary credentials
      --version     Show application version.

Args:
  <hostname>  Hostname of the ADFS service

Setup

Install the AWS CLI see https://docs.aws.amazon.com/cli/latest/userguide/installing.html, in our case we are using homebrew on OSX.

brew install awscli

Configure an empty default profile with your region of choice.

$ aws configure
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: us-west-2
Default output format [None]:

Then your ready to use saml2aws.

Example

$ saml2aws id.example.com --skipVerify
ADFS https://id.example.com
Enter Username: wolfeidau@example.com
Enter Password:
Authenticating to ADFS...
Please choose the role you would like to assume:
[ 0 ]:  arn:aws:iam::123123123123:role/AWS-Admin-CloudOPSBuild
[ 1 ]:  arn:aws:iam::123123123123:role/AWS-Admin-CloudOPSNonProd
Selection: 1
selected role: arn:aws:iam::123123123123:role/AWS-Admin-CloudOPSNonProd
Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2016-09-10 23:01:50 +1000 AEST
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile saml ec2 describe-instances).

License

Documentation ¶

Index ¶

Variables
func ExtractAwsRoles(data []byte) ([]string, error)
type ADFSClient
- func NewADFSClient(endpointURL string, skipVerify bool) (*ADFSClient, error)
- func (ac *ADFSClient) Authenticate(creds *LoginCreds) (string, error)
type AWSRole
- func PromptForAWSRoleSelection(roles []string) (*AWSRole, error)
type CredentialsProvider
- func NewSharedCredentials(profile string) *CredentialsProvider
- func (p *CredentialsProvider) Exists() error
- func (p *CredentialsProvider) Save(id, secret, token string) error
type ErrMissingElement
- func (e ErrMissingElement) Error() string
type LoginCreds
- func PromptForLoginCreds() (*LoginCreds, error)

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// ErrCredentialsHomeNotFound returned when a user home directory can't be located.
	ErrCredentialsHomeNotFound = errors.New("user home directory not found")

	// ErrCredentialsFileNotFound returned when the required aws credentials file doesn't exist.
	ErrCredentialsFileNotFound = errors.New("aws credentials file not found")
)

View Source

var (
	ErrMissingAssertion = ErrMissingElement{Tag: assertionTag}
)

ErrMissingAssertion indicates that an appropriate assertion element could not be found in the SAML Response

Functions ¶

func ExtractAwsRoles ¶

func ExtractAwsRoles(data []byte) ([]string, error)

Types ¶

type ADFSClient ¶

type ADFSClient struct {
	// contains filtered or unexported fields
}

ADFSClient wrapper around ADFS enabling authentication and retrieval of assertions

func NewADFSClient ¶

func NewADFSClient(endpointURL string, skipVerify bool) (*ADFSClient, error)

NewADFSClient create a new ADFS client

func (*ADFSClient) Authenticate ¶

func (ac *ADFSClient) Authenticate(creds *LoginCreds) (string, error)

Authenticate authenticate to ADFS and return the data from the body of the SAML assertion.

type AWSRole ¶

type AWSRole struct {
	RoleARN      string
	PrincipalARN string
}

AWSRole aws role attributes

func PromptForAWSRoleSelection ¶

func PromptForAWSRoleSelection(roles []string) (*AWSRole, error)

PromptForAWSRoleSelection present a list of roles to the user for selection

type CredentialsProvider ¶

type CredentialsProvider struct {
	Filename string
	Profile  string
}

CredentialsProvider loads aws credentials file

func NewSharedCredentials ¶

func NewSharedCredentials(profile string) *CredentialsProvider

NewSharedCredentials helper to create the credentials provider

func (*CredentialsProvider) Exists ¶

func (p *CredentialsProvider) Exists() error

Exists verify that the credentials file exists

func (*CredentialsProvider) Save ¶

func (p *CredentialsProvider) Save(id, secret, token string) error

Save persist the credentials

type ErrMissingElement ¶

type ErrMissingElement struct {
	Tag, Attribute string
}

ErrMissingElement is the error type that indicates an element and/or attribute is missing. It provides a structured error that can be more appropriately acted upon.

func (ErrMissingElement) Error ¶

func (e ErrMissingElement) Error() string

type LoginCreds ¶

type LoginCreds struct {
	Username string
	Password string
}

LoginCreds credentials used to authenticate to ADFS

func PromptForLoginCreds ¶

func PromptForLoginCreds() (*LoginCreds, error)

PromptForLoginCreds prompt the user to present their username and password

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
cmd
saml2aws

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL