AWS STS credentials and Google Apps federated users

This write-up outlines methods of working with the AWS Security Token Service (STS) and federated user accounts, where Google has been established as the Identity Provider. It is based on a recent engagement in which programmatic access to AWS was permitted only via STS temporary credentials.

A summary of the scenario and what we aim to achieve follows:

  • You are a developer working with the aws cli to test your Dev stack.

  • Your organisation has enabled SSO via SAML, with Google as the Identity Provider.

  • Your Google account (eg@myexample.com) has been provisioned for access to AWS.

  • Access to AWS resources requires that you authenticate as your federated user and request temporary credentials from the Security Token Service (STS). You are advised that the role you need to "assume" in order to obtain those credentials is arn:aws:iam::111222333444:role/saml-init.

  • Once you hold the STS temporary credentials, you are permitted to "assume" a secondary development role, which has been provisioned to allow access to AWS resources such as S3 and Elastic Container Registry (ECR). The ARN of the secondary role is arn:aws:iam::888777666555:role/assumed-dev.
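The two hops above are usually typed as a pair of aws cli calls, but the interesting part is what you do with the first response before chaining. As an added example (not from the original article or from the aws-google-auth project), the stdlib-only Python below takes an `aws sts assume-role-with-saml` style response for the first hop and: verifies that the session actually belongs to the role you were told to assume (the account ID and role name from the ARN must appear in `AssumedRoleUser.Arn`), checks how long it has left, stores all three values (including the session token, without which the key pair is rejected) as a named profile with owner-only permissions, and builds the second-hop `assume-role` call against that profile. The response body, key material, issuer ID and the profile name `saml-init` are constructed placeholders; only the account IDs and role ARNs come from the scenario above.

```python
import configparser
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of an `aws sts assume-role-with-saml` response for the
# first hop. Account ID and role name follow the scenario; the key material,
# session token and issuer ID are placeholders, not real credentials.
SAML_INIT_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY000001",
        "SecretAccessKey": "exampleSecretKey0000000000000000000000",
        "SessionToken": "FwoGZXIvYXdzEExampleSessionToken",
        "Expiration": "2030-01-01T01:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEROLEID:eg@myexample.com",
        "Arn": "arn:aws:sts::111222333444:assumed-role/saml-init/eg@myexample.com",
    },
    "Subject": "eg@myexample.com",
    "Issuer": "https://accounts.google.com/o/saml2?idpid=EXAMPLE",
})

SAML_INIT_ROLE = "arn:aws:iam::111222333444:role/saml-init"
DEV_ROLE = "arn:aws:iam::888777666555:role/assumed-dev"


def assumed_role_matches(response_json, role_arn):
    """True if the session in the STS response belongs to role_arn.

    STS reports a session as arn:aws:sts::<account>:assumed-role/<role>/<session>,
    so compare account ID and role name rather than the full IAM ARN.
    """
    resp = json.loads(response_json)
    account = role_arn.split(":")[4]
    role_name = role_arn.rsplit("/", 1)[1]
    expected_prefix = f"arn:aws:sts::{account}:assumed-role/{role_name}/"
    return resp["AssumedRoleUser"]["Arn"].startswith(expected_prefix)


def _parse_ts(value):
    # aws cli v1 prints ...Z, v2 prints ...+00:00; accept both forms.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def seconds_until_expiry(response_json, now_iso=None):
    """Seconds of life left in the credentials (negative once expired)."""
    exp = _parse_ts(json.loads(response_json)["Credentials"]["Expiration"])
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    return int((exp - now).total_seconds())


def write_profile(response_json, credentials_path, profile):
    """Store the temp credentials as a named profile in an AWS credentials file."""
    creds = json.loads(response_json)["Credentials"]
    path = Path(credentials_path)
    cfg = configparser.ConfigParser()
    if path.exists():
        cfg.read(path)  # keep any other profiles already in the file
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],  # mandatory for temp keys
    }
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("w") as fh:
        cfg.write(fh)
    path.chmod(0o600)  # credentials file is owner-only
    return profile


def read_profile(credentials_path, profile):
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    return dict(cfg[profile])


def second_hop_command(profile, role_arn, session_name):
    """aws cli invocation for assuming the dev role with the first hop's profile."""
    return ["aws", "sts", "assume-role", "--profile", profile,
            "--role-arn", role_arn, "--role-session-name", session_name]


def run_first_hop(response_json, credentials_path, now_iso=None, min_ttl=300):
    """Validate the saml-init session, store it, and return the second-hop command."""
    if not assumed_role_matches(response_json, SAML_INIT_ROLE):
        raise ValueError("STS response is not a session for " + SAML_INIT_ROLE)
    ttl = seconds_until_expiry(response_json, now_iso)
    if ttl < min_ttl:
        raise ValueError(f"credentials expire in {ttl}s; re-authenticate first")
    profile = write_profile(response_json, credentials_path, "saml-init")
    subject = json.loads(response_json)["Subject"]  # reuse the SAML subject as session name
    return second_hop_command(profile, DEV_ROLE, subject)


def demo(now_iso=None):
    """Run the whole first-hop flow against a throwaway credentials file."""
    with tempfile.TemporaryDirectory() as d:
        creds_file = f"{d}/credentials"
        cmd = run_first_hop(SAML_INIT_RESPONSE, creds_file, now_iso)
        return {
            "ttl": seconds_until_expiry(SAML_INIT_RESPONSE, now_iso),
            "stored": read_profile(creds_file, "saml-init"),
            "cmd": cmd,
        }


if __name__ == "__main__":
    print(" ".join(demo()["cmd"]))
```

Two points worth keeping in mind when you run the real commands. Using the SAML subject (your email) as the `--role-session-name` keeps CloudTrail entries for the assumed-dev role attributable to a person rather than a shared label. And role chaining has its own cap: a session obtained by assuming a role with another role's temporary credentials lasts at most one hour, whatever the role's configured maximum session duration, so expect to repeat the second hop more often than the first.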

Federated Login Helper (aws-google-auth)

aws-google-auth is an authentication helper Python package from CEVO (a Docker image is also available from the git repo). It generates STS credentials from your federated Google account and can be run from the command line via Docker, installed into your existing Python environment, or built as a Docker image yourself.

Option 1: Local Python Installation

If you prefer to use your local Python installation, install aws-google-auth via pip:

$ pip install aws-google-auth

Option 2: Docker Installation

Clone the CEVO git repo:

$ git clone https://github.com/cevoaustralia/aw