Sitting in the cafe and thinking what should I read today, I just decided to contribute to the Developer community with an article that can quickly summarize what AWS Identity Federation is.
Objective:
What we will cover is how to use a Google as Identity Provider for authentication and how to use Google Identity Token to request temporary and limited-privilege credentials from AWS that can be used with AWS CLI
How it works:
- Here we decide to trust Google as our Authentication provider.User will prove its identity by successfully logging in to Google.
- We then capture Identity Token issued by Google to the User after User successfully logs in.
- Use the Identity Token issued in the Step 3 with AWS Security Token Service(STS) to obtain temporary and limited-privilege credentials
- Use the Credentials obtained in Step 4 with AWS Command line interface to interact with AWS Cloud Platform
Here are the CLI Tools we need, please follow the installation instructions as per your development environment.
Let’s rollup our sleeves and follow these steps:
For the steps below, I suggest not to use the AWS root user but create an AWS IAM User with Administrative access and use it instead, Also please protect the root user and IAM Users with MFA enabled.
Initiate Login and Login to Google. Open Terminal and use the command below. This command will open up the browser and ask you to login to Google. If you have already logged in, it will ask to use the account to proceed. Please select the account, It will then prompt you asking permission for gcloud sdk for your Google Account. Please select “Allow”
gcloud auth login
Return to the terminal and it should show you the prompt like below. Verify you logged in with the gmail address of your choice.Its time to get the Identity Token issued by Google. Use the command below on the terminal. The output of the command is the Identity Token issued by Google. Please copy it and never share this.
gcloud auth print-identity-token
3 Please use the command below to decode the Google Identity Token. From the output JSON please save the values of
aud(https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3)
sub(https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2)
We will use these values to scope the AWS Role to the Google User we intent to give the AWS CLI access to.
jq -R 'split(".") | .[1] | @base64d | fromjson' <<< <Google Identity Token>
4 Create Role in AWS. In AWS Console Navigate to IAM -> Role and create a role with Trusted Entity Type of “Web Identity” and Identity Provider set to “Google”
Use the Value of aud in the Audience and value of sub for value of accounts.google.com:sub
This will ensure that the AWS role will only be assumed by intended Google User and no one else.
Click Next
Select the required permission policy. For example if you want this google user to only access(read, write) S3 select AmazonS3FullAccess
Give role a name and description and create the role.
Please note down the Amazon Resource Name(ARN) of the Role once its created. We will use this in the final step when we get AWS Credentials by assuming this role.
5 Assume the role created in Step 4 using the Google Identity Token and obtain AWS temporary, limited-privilege credentials. Please use the command below:
aws sts assume-role-with-web-identity \
--role-arn arn:aws:iam::<Your AWS Account Number>:role/<role-name> \
--role-session-name <Session Name> \
--web-identity-token <Google Identity Token>
Temporary Credentials will be in the output JSON and will have 3 major fields: Access Key Id, Secret Access Key and Session Token. Please note the values and use it in the commands below:
export AWS_ACCESS_KEY_ID=<Access Key Id>
export AWS_SECRET_ACCESS_KEY=<Secret Access Key>
export AWS_SESSION_TOKEN=<Session Token>
The returned credentials expire one hour after they are generated and can be set using — duration-seconds flag to the aws sts command
6 Use the AWS Temporary Credentials. You can now use aws cli commands with the above temporary credentials set. The example above has AmazonS3FullAccess policy configured for the role. Please try creating a bucket coping objects and reading objects from the bucket with aws s3 command
Summary:
- You have created AWS Web Identity Role that has a specific permission and this role can only be assumed by a trusted Google User.
- We don’t create any user within AWS IAM, we rather trust an Identity Provider and establish trust relationship with the user(s) on trusted Identity Provider before hand in the form of AWS IAM Role and its trusted entities.
- Once User assumes this role, AWS will issue temporary privilege credentials (Access Key ID, Secret Access Key and Session Token) those can be used with AWS CLI.
- The privilege nature of the credentials is governed by Access Policies attached to the Role which can be changed at anytime to expand / reduce the scope of what this user can / can’t do. We can scope this down to the policy such that User has access to what is minimally need. This is called “Principal of Least Privilege”
- We can revoke/add the trust relationship of users anytime from the Web Identity Role
Top comments (0)