AWS STS Credentials and Google Apps Federated Users


This write-up outlines methods of working with the AWS Security Token Service (STS) and federated user accounts, where Google has been established as the Identity Provider. It is based on a recent experience where AWS programmatic access was only permitted via STS temporary credentials.

A summary of the scenario and what we aim to achieve is as follows:


  • You are a developer working with the aws cli for the purposes of testing your Dev stack.


  • Your organisation has enabled SSO via SAML, with Google as the Identity Provider.


  • Your Google account ( ) has been provisioned for access to AWS.

  • Access to AWS resources requires that you authenticate using your federated user and request temporary credentials from the Security Token Service (STS). You are advised that the role you need to “assume” to request the credentials is arn:aws:iam::111222333444:role/saml-init.

  • Once you have your STS temporary credentials, you will then be permitted to “assume” a secondary development role, which has been provisioned to allow access to AWS resources such as S3 and Elastic Container Registry (ECR). The ARN of the secondary role is arn:aws:iam::888777666555:role/assumed-dev.

Federated Login Helper (aws-google-auth)

aws-google-auth is an authentication helper Python package offered by CEVO (a Dockerfile is also available in the git repo). It can be invoked from the command line via Docker and used to generate STS credentials with your federated Google account. The package can also be installed locally into your existing Python environment, or run by building the Docker image.

Option 1: Local Python Installation

If you prefer to use your local Python installation, then install aws-google-auth via pip:


$ pip install aws-google-auth

Option 2: Docker Installation

Clone the CEVO git repo,

$ git clone \

and build the image using:


$ cd aws-google-auth
$ docker build --rm -t aws-google-auth .

The docker image is used for the examples throughout the article.


Locating Google Identity and SAML Provider IDs (IDPID/SPID)

Before being able to use the image, you will need to know the following details:


  • Google Identity Provider ID (idpid)


  • SAML Service Provider ID assigned by Google (spid)


Your AWS System admins should provide these details. If they are not provided, then you should be able to find these through the Google App AWS link address details.


From your web browser, go to the Google Apps launcher. Scroll until you see the AWS Google App, then hover your mouse over the icon to view the link address in your browser’s status bar. Alternatively, right click on the icon and copy/paste the link address into a text editor. The idpid and spid appear as query parameters of that link.

Make a note of your idpid and spid. They are required as parameter inputs to aws-google-auth.


Generate STS Temporary Credentials

The aws-google-auth helper stores/adds authentication data to the $HOME/.aws/config and $HOME/.aws/credentials files. The secret key and session token are written there in plaintext and remain usable by anyone who reads them until they expire, so it is important that the storage hosting these files is encrypted at rest and that the files are readable only by your user (mode 600 on Linux).


The container can be run with a host:container mount of $HOME/.aws:/root/.aws. This gives it direct access to the files $HOME/.aws/config and $HOME/.aws/credentials. Alternatively, you can set up an alternate host location and have the container generate config/credentials into that location.

To edit your default credentials/config files directly, specify the following mount option in your docker command:


  • Linux-based hosts: -v $HOME/.aws:/root/.aws

  • Windows hosts: -v c:/Users/<username>/.aws:/root/.aws


Run the Docker Image

To get a full list of command line options for aws-google-auth, run the image with the -h option.


For the examples in the article, the following options are used:

$ docker run -it aws-google-auth -h
-u USERNAME   (Google Apps username)
-I IDPID      (Google Identity Provider identifier)
-S SPID       (SAML Provider identifier)
-R REGION     (AWS region endpoint)
-d DURATION   (Credential duration in seconds)
-p PROFILE    (AWS profile - defaults to value of $AWS_PROFILE)
-r ROLE_ARN   (The ARN of the role to assume. If not supplied,
               a list of roles to choose from will be displayed)

Using the sample values shown in the command below (the username is left blank here), we generate STS temporary credentials as follows:


$ docker run -it -v $HOME/.aws:/root/.aws aws-google-auth \
-u \
-I X7x0Xxxx \
-S 000111000111 \
-R us-east-1 \
-d 3600 \
-p sts-temp \
-r arn:aws:iam::111222333444:role/saml-init

For MFA with SMS verification enabled, you will be required to enter your Google password and respond with the SMS code.


Google Password: *******
Enter SMS token: G-nnnnnn

After authentication completes, the assumed role and the expiration time of the temporary credentials are displayed:


Assuming arn:aws:iam::111222333444:role/saml-init
Credentials Expiration: 2020-07-12 00:41:15+00:00

The AWS profile, sts-temp (-p sts-temp) should now contain the STS temporary credentials.


Verify AWS Config & Credentials

The credentials and config files can be checked to ensure profile sts-temp has been updated/generated with valid entries.

$HOME/.aws/config:

[profile sts-temp]
region = us-east-1
google_config.ask_role = False
google_config.keyring = False
google_config.duration = 3600
google_config.google_idp_id = X7x0Xxxx
google_config.role_arn = arn:aws:iam::111222333444:role/saml-init
google_config.google_sp_id = 000111000111
google_config.u2f_disabled = False
google_config.google_username =
google_config.bg_response = None



$HOME/.aws/credentials:

[sts-temp]
aws_access_key_id = exampleAAAAAAAAAAAAAAAAAAAAAA
aws_secret_access_key = exampleBBBBBBBBBBBBBBBBBBBBB
aws_security_token = exampleCCCCCCCCCCCCCCCCCC
aws_session_expiration = exampleDDDDDDDDDDDDDDDDDDDDDD
aws_session_token = exampleEEEEEEEEEEEEEEEEEEEE

Refreshing AWS STS Credentials

Refreshing the STS credentials for the same profile is only a matter of running the docker command again with the same profile name (-p sts-temp). Google will prompt for your password and MFA code again, and the profile’s keys, session token and aws_session_expiration are overwritten with the new values.

Switch to/Assume Secondary Role using STS Credentials

As mentioned earlier, to perform development activities we need to assume/switch to the secondary role arn:aws:iam::888777666555:role/assumed-dev using the STS temporary credentials.


This secondary role has been provisioned with access to an Elastic Container Registry (ECR) and S3. To use the temporary STS credentials with this role, we need to create a new AWS profile, specifying the role_arn.


The following example shows the AWS profile dev-env being created for our secondary role in $HOME/.aws/config:

[profile dev-env]
region = us-east-1
source_profile = sts-temp
role_arn = arn:aws:iam::888777666555:role/assumed-dev

If you prefer, you can use the aws configure command to setup the new AWS profile.


$ aws configure set region us-east-1 --profile dev-env
$ aws configure set source_profile sts-temp --profile dev-env
$ aws configure set role_arn arn:aws:iam::888777666555:role/assumed-dev --profile dev-env

When this profile is specified in AWS CLI commands (--profile dev-env), the CLI calls STS AssumeRole for the secondary role (arn:aws:iam::888777666555:role/assumed-dev) using the STS temporary credentials sourced from section [sts-temp] in $HOME/.aws/credentials, and caches the resulting role credentials under $HOME/.aws/cli/cache. Because the caller is itself a role session (the SAML-initiated saml-init session), this is role chaining: STS caps a chained session at one hour, so a larger -d value on the aws-google-auth step does not extend the dev-env session beyond that, and once the sts-temp credentials expire the AssumeRole call fails until they are refreshed.
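As an added example (not part of the original article or of the aws-google-auth project), the following Python checks the layout described in the Verify AWS Config & Credentials and Refreshing sections and in this section: that a chained profile such as dev-env names a source_profile whose credentials exist, that its role_arn is well formed, and how many seconds remain before the source profile’s aws_session_expiration passes. The config and credentials text embedded below are constructed to mirror the article’s files; the code assumes aws_session_expiration is an ISO 8601 timestamp with a numeric UTC offset, which is what aws-google-auth writes.

```python
"""Sanity-check a chained AWS profile (e.g. dev-env -> sts-temp) before using it."""
import configparser
import re
from datetime import datetime, timezone

# Assumed shape of an IAM role ARN: 12-digit account ID, IAM role-name charset.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

# Constructed sample files mirroring the article's layout (secrets are dummies).
SAMPLE_CONFIG = """
[profile sts-temp]
region = us-east-1
google_config.role_arn = arn:aws:iam::111222333444:role/saml-init

[profile dev-env]
region = us-east-1
source_profile = sts-temp
role_arn = arn:aws:iam::888777666555:role/assumed-dev
"""

SAMPLE_CREDENTIALS = """
[sts-temp]
aws_access_key_id = exampleAAAAAAAAAAAAAAAAAAAAAA
aws_secret_access_key = exampleBBBBBBBBBBBBBBBBBBBBB
aws_session_token = exampleEEEEEEEEEEEEEEEEEEEE
aws_session_expiration = 2020-07-12T00:41:15+0000
"""


def load_ini(text):
    """Parse ~/.aws/config or ~/.aws/credentials content (INI, no interpolation)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def parse_expiration(value):
    """Parse aws_session_expiration. aws-google-auth writes a numeric offset such
    as +0000; datetime.fromisoformat needs +00:00, so insert the colon."""
    value = value.strip().replace("Z", "+00:00")
    value = re.sub(r"([+-]\d{2})(\d{2})$", r"\1:\2", value)
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:          # treat naive timestamps as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def check_chained_profile(config_text, credentials_text, profile, now=None):
    """Return {"ok", "problems", "source_profile", "seconds_left"} for `profile`.
    seconds_left is negative once the source credentials have expired."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_expiration(now)
    config = load_ini(config_text)
    creds = load_ini(credentials_text)
    result = {"ok": False, "problems": [], "source_profile": None, "seconds_left": None}
    problems = result["problems"]

    section = f"profile {profile}"
    if not config.has_section(section):
        problems.append(f"no [{section}] section in config")
        return result
    cfg = config[section]

    role_arn = cfg.get("role_arn", "")
    if not ROLE_ARN_RE.match(role_arn):
        problems.append(f"role_arn missing or malformed: {role_arn!r}")

    source = cfg.get("source_profile")
    if not source:
        problems.append("source_profile not set; nothing can call AssumeRole")
        return result
    result["source_profile"] = source

    if not creds.has_section(source):
        problems.append(f"[{source}] missing from credentials; run aws-google-auth -p {source}")
        return result
    src = creds[source]
    for key in ("aws_access_key_id", "aws_secret_access_key", "aws_session_token"):
        if not src.get(key):
            problems.append(f"[{source}] lacks {key}")

    expiration = src.get("aws_session_expiration")
    if not expiration:
        problems.append(f"[{source}] has no aws_session_expiration; validity unknown")
    else:
        try:
            result["seconds_left"] = int((parse_expiration(expiration) - now).total_seconds())
        except ValueError:
            problems.append(f"unparseable aws_session_expiration: {expiration!r}")
        else:
            if result["seconds_left"] <= 0:
                problems.append(f"STS credentials in [{source}] expired; re-run aws-google-auth -p {source}")

    result["ok"] = not problems
    return result


if __name__ == "__main__":
    import sys
    from pathlib import Path
    # Real use: read the files aws-google-auth writes; fall back to the samples offline.
    aws_dir = Path.home() / ".aws"
    try:
        cfg_text = (aws_dir / "config").read_text()
        cred_text = (aws_dir / "credentials").read_text()
    except OSError:
        cfg_text, cred_text = SAMPLE_CONFIG, SAMPLE_CREDENTIALS
    report = check_chained_profile(cfg_text, cred_text, "dev-env")
    print(report)
    sys.exit(0 if report["ok"] else 1)
```

Run it before a batch of CLI commands: a non-zero exit with the "expired" problem means re-run aws-google-auth for the source profile rather than debugging an AccessDenied from the secondary role.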

Putting it all Together

The following is a re-cap of the process.


1. Authenticate with Federated User and Retrieve STS Credentials

  • Authenticate with Federated Google account using aws-google-auth and obtain STS temporary credentials for profile sts-temp.


$ docker run -it -v $HOME/.aws:/root/.aws aws-google-auth \
-u \
-I X7x0Xxxx \
-S 000111000111 \
-R us-east-1 \
-d 3600 \
-p sts-temp \
-r arn:aws:iam::111222333444:role/saml-init

2. Configure New AWS Profile for Secondary Role to use STS

  • Create new AWS profile for the secondary role


The setup required for profile dev-env in $HOME/.aws/config:

[profile dev-env]
region = us-east-1
source_profile = sts-temp
role_arn = arn:aws:iam::888777666555:role/assumed-dev

or, alternatively, add the profile to $HOME/.aws/config via aws configure.


$ aws configure set region us-east-1 --profile dev-env
$ aws configure set source_profile sts-temp --profile dev-env
$ aws configure set role_arn arn:aws:iam::888777666555:role/assumed-dev --profile dev-env

3. Start Using CLI Commands

The examples that follow show commands which will transparently “assume” the secondary role arn:aws:iam::888777666555:role/assumed-dev.


  • S3: list a bucket subdirectory/key prefix

$ aws s3 ls s3://mybucket/mydir --profile dev-env

  • ECR: obtain a Docker registry login (get-login)

$ aws ecr get-login --registry-ids xxxxxxxxxxxx --no-include-email --profile dev-env

Note that aws ecr get-login exists only in AWS CLI v1; AWS CLI v2 removed it in favour of aws ecr get-login-password, whose output is piped to docker login.

4. Update/Refresh Expired STS Credentials

Once the STS temporary credentials have expired, re-execute aws-google-auth to refresh,


$ docker run -it -v $HOME/.aws:/root/.aws aws-google-auth \
-u \
-I X7x0Xxxx \
-S 000111000111 \
-R us-east-1 \
-d 3600 \
-p sts-temp \
-r arn:aws:iam::111222333444:role/saml-init

and continue using the profile for the secondary role.


Programmatic Access with Python & boto

The below sample Python code shows the secondary role being “assumed” by specifying profile dev-env. Authentication happens transparently due to the configuration performed earlier on for this profile.


import boto3

# Profile dev-env chains onto sts-temp; boto3 performs the AssumeRole itself.
session = boto3.Session(profile_name='dev-env')
dev_s3_client = session.client('s3')

# 'Contents' is absent from the response when the bucket is empty.
for key in dev_s3_client.list_objects(Bucket='mybucket').get('Contents', []):
    print(key['Key'], key['Size'])
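The profile chaining above hides an explicit STS AssumeRole call. The following added example (not the article’s or the aws-google-auth project’s code) performs that call by hand from the sts-temp session, so you can see the RoleSessionName, the one-hour cap STS places on chained sessions, and the assumed-role ARN that get_caller_identity reports afterwards. The role ARN and profile name are the article’s sample values; the StubSTS class is a constructed stand-in that is only used when boto3 or the sts-temp profile is not available.

```python
"""Explicit role chaining: what source_profile + role_arn in [profile dev-env] do."""
import datetime as dt

SOURCE_PROFILE = "sts-temp"                                   # written by aws-google-auth
DEV_ROLE_ARN = "arn:aws:iam::888777666555:role/assumed-dev"   # the article's sample ARN
REGION = "us-east-1"
# STS caps a chained session (a role session calling AssumeRole) at one hour,
# regardless of the target role's configured maximum session duration.
CHAINED_MAX_SECONDS = 3600


def assume_secondary_role(sts_client, role_arn, session_name, duration=CHAINED_MAX_SECONDS):
    """Call AssumeRole with the source (SAML) session and return the new credentials
    using the key names ~/.aws/credentials uses. sts_client only needs an
    assume_role() method, so a stub can stand in for a boto3 client offline."""
    if not 2 <= len(session_name) <= 64:
        raise ValueError("RoleSessionName must be 2..64 characters")
    if duration > CHAINED_MAX_SECONDS:
        raise ValueError(f"chained role sessions cannot exceed {CHAINED_MAX_SECONDS}s")
    resp = sts_client.assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration
    )
    c = resp["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],
        "expiration": c["Expiration"],
        "assumed_role_arn": resp["AssumedRoleUser"]["Arn"],
    }


def session_from_credentials(creds, region=REGION):
    """Build a boto3 Session from AssumeRole output (boto3 imported lazily)."""
    import boto3
    return boto3.Session(
        aws_access_key_id=creds["aws_access_key_id"],
        aws_secret_access_key=creds["aws_secret_access_key"],
        aws_session_token=creds["aws_session_token"],
        region_name=region,
    )


class StubSTS:
    """Constructed stand-in for an STS client: records the request and returns
    dummy credentials shaped like a real AssumeRole response."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        account = kwargs["RoleArn"].split(":")[4]
        role_name = kwargs["RoleArn"].rsplit("/", 1)[-1]
        expiry = dt.datetime.now(dt.timezone.utc) + dt.timedelta(seconds=kwargs["DurationSeconds"])
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLE",
                "SecretAccessKey": "secretEXAMPLE",
                "SessionToken": "tokenEXAMPLE",
                "Expiration": expiry,
            },
            # Real STS reports the session as an sts assumed-role ARN, not the iam role ARN.
            "AssumedRoleUser": {
                "Arn": f"arn:aws:sts::{account}:assumed-role/{role_name}/{kwargs['RoleSessionName']}"
            },
        }


def main():
    try:
        import boto3
        sts = boto3.Session(profile_name=SOURCE_PROFILE).client("sts")
        offline = False
    except Exception:                 # no boto3 or no sts-temp profile: use the stub
        sts, offline = StubSTS(), True
    creds = assume_secondary_role(sts, DEV_ROLE_ARN, "dev-env-example")
    print("Assumed", creds["assumed_role_arn"], "until", creds["expiration"])
    if not offline:
        me = session_from_credentials(creds).client("sts").get_caller_identity()
        # Expect arn:aws:sts::888777666555:assumed-role/assumed-dev/dev-env-example
        print("Acting as", me["Arn"])


if __name__ == "__main__":
    main()
```

The RoleSessionName is what shows up in CloudTrail for every call made with the chained credentials, so use something that identifies the person or job rather than a fixed string.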

Final Comments

Some of the benefits of enabling federated logins with temporary credentials are as follows:

  • Removing the user’s account from the linked Identity Provider/Organisation (eg. Google G Suite) stops the user from obtaining any new AWS credentials. Credentials already issued remain valid until they expire; to cut those off immediately, also revoke the role’s active sessions (a deny policy conditioned on aws:TokenIssueTime).

  • Using temporary credentials with a short expiration period (as opposed to issuing non-expiring keys) enforces key rotation by default.

  • Containing compromised temporary credentials is simpler than containing compromised permanent keys: they expire on their own, and CloudTrail records each AssumeRoleWithSAML call with the federated user’s identity, so a leaked session can be traced to a person.



