awsSts

command module
v0.0.0-...-b7c8c1e Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 6, 2018 License: MIT Imports: 1 Imported by: 0

README

Creating temporary login credentials for AWS CLI with STS

This tool was ported from a python script in the AWS samples s3 bucket [1].

However, it didn't work for me out of the box and used python 3 (by the time it got to me, I got it from a 3rd party) and I only had python 2.7 and I wanted to learn more go.

For when I can't remember, STS stands for Security Token Service

Install (with go tool chain)

go get -u github.com/NearlyUnique/awsSts

Download the Current release for your platform.

Change log

Target Platforms

It works on Windows, I've tested linux (bash on windows) there is no reason it won't work on OSX.

Usage

Common scenario;

  • My STS web login web page is here: https://sts.domain.company.org/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
  • My other scripts are going to use the default AWS profile
  • Automatically select the role arn:aws:iam::123456789:role/my-role
  • Leave running in a state where I can automatically refresh my token with one key press when it expires in an hour
awsSts logon --url https://sts.domain.company.org/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices --profile default --role arn:aws:iam::123456789:role/my-role

--help for full details, including details of all parameters that can be read from environment.

Roadmap

  1. Override credential file location via flag
  2. Keep running and auto refresh before expiry (optional)
  3. Deal with naming of INPUT tags in the login form, the Python sample did some work in this area, I want to improve the guessing ability and allow the user to define it if we can't guess.
  4. add command to ease iam user creation
  5. add command to rotate iam user secrets
  6. Auto upgrade
  • use runtime.GOOS and _VERISON
  • call GET https://api.github.com/repos/NearlyUnique/awsSts/releases/latest
  {
    "tag_name": "0.7",
      "assets": [
        {
          "name": "awsSts-0.7-linux",
          "browser_download_url": "https://some-url"
        }
      ]
  }`
  • the browser_download_url may give a redirect

How it works

  1. Download the login form, we need the cookies
  2. Fill in the user name and password
  3. Post form back
  4. Parse the response HTML form
  5. Find the SAMLResponse INPUT element
  6. base64 decode it (it's now XML)
  7. Extract the Roles, select one
  8. Call AWS AssumeRoleWithSAML
  9. update the credentials ini file with the result

References

[1] https://s3.amazonaws.com/awsiammedia/public/sample/SAMLAPICLIADFS/samlapi_formauth_adfs3.py

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.