
[v2] Google SSO support? #4784

Closed
brokenthumbs opened this issue Dec 19, 2019 · 10 comments
Labels
service-api This issue is due to a problem in a service API, not the SDK implementation. sso v2

Comments

@brokenthumbs

Description

Based on https://aws.amazon.com/about-aws/whats-new/2019/11/use-the-aws-cli-v2-preview-with-aws-single-sign-on-to-increase-developer-productivity/:

The preview enables your developers to sign-in to the CLI using credentials you manage in AWS SSO or Microsoft Active Directory.

My company leverages Google SSO to authenticate with AWS. This works fine when accessing AWS using the console. However, when using the command line, we are currently using https://github.com/cevoaustralia/aws-google-auth.

Recently, we have noticed that Google has begun cracking down on bot access to their login page. There are some workarounds, as documented in cevoaustralia/aws-google-auth#160

Are there any plans to enable the AWS CLI v2 to support Google SSO? I noticed another issue, but I am opening this issue to clarify that the AWS CLI v2 SAML does support AWS SSO and Microsoft Active Directory, and I am hoping to open a feature request for Google SSO support.

CLI Command Executed

$ aws2 configure sso
SSO start URL [None]: https://accounts.google.com/o/saml2/initsso?idpid=XXXXXXXXXX
SSO Region [None]: us-east-1

An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation: 

AWS CLI Version

aws-cli/2.0.0dev2 Python/3.7.4 Darwin/19.0.0 botocore/2.0.0dev1

@brokenthumbs brokenthumbs changed the title [v2] Google SAML support for SSO? [v2] Google SSO support? Dec 19, 2019
@pauldraper

There are some workarounds, as documented

What exactly are those workarounds? I can't find them in the linked issue.

@brokenthumbs
Author

brokenthumbs commented Dec 23, 2019

@pauldraper

To clarify, there are two solutions.


The first solution is for aws-google-auth.

That binary allows users to use Google SSO credentials to retrieve AWS STS credentials from the command line. The problem for aws-google-auth is that the specified binary uses the Python Requests library to make calls to the Google login page, with a special header, bgresponse, set to the value js_disabled. This seems to be flagging the Python Requests calls as "bot-like" and subsequently rejects those calls.

The workaround involves visiting the Google sign-in page, in your browser, while signed out or in incognito mode, and executing document.bg.invoke() in the console. This result can then be used as a value for bgresponse, which will allow the Python Requests call to not be flagged and rejected.

Pull Request here documents the code changes required for updating bgresponse.

This solution is inconsistent, and does not always work, as it is dependent on how Google handles their bot detection, interpretation of the bgresponse value, and any internal checks that Google may have against your own account.


The second solution is for aws sts.

This binary is more consistent in allowing you to gather AWS STS Credentials in your command line. The workaround for aws sts assume-role-with-saml allows you to use any SAML provider, such as Google, to generate credentials. Blog post from AWS here shows how to get a SAML response from Google, and use it as a value in the command line.

Described in "How to View a SAML Response in Your Browser for Troubleshooting" is a method to get the SAML Post response from a browser session (using Google Chrome Developer Tools or similar), and using that SAML Response as the value for --saml-assertion.


I'm hoping that AWS can help facilitate calls to Google, and help us bypass either solution, which both involve using Google Chrome Developer Tools, and manually copying the value into a command line session.

Currently, from what I understand in the documentation, aws2 configure sso only supports Microsoft Active Directory and AWS SSO. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

Is there a way that AWS can update aws2 configure sso to support Google SSO?
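The `aws sts assume-role-with-saml` route above needs two values besides the assertion, the role ARN and the principal (SAML provider) ARN, and both are carried inside the assertion itself. This added example (not code from the thread or from aws-google-auth) decodes a SAMLResponse, reads the role/provider pairs from the AWS Role attribute and builds the CLI call; the assertion and the ARNs are constructed sample data, not a real Google response.

```python
import base64
import shlex
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
           "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample SAMLResponse, in the base64 form a browser posts to AWS.
# Account id, role names and provider name are placeholders.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/Dev,arn:aws:iam::123456789012:saml-provider/Google</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/Google,arn:aws:iam::123456789012:role/Admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_XML).decode()


def parse_roles(saml_response_b64):
    """Return (role_arn, principal_arn) pairs from a base64 SAMLResponse.

    AWS accepts the two ARNs in either order inside the attribute value,
    so identify them by ARN type rather than by position."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    path = f".//saml:Attribute[@Name='{ROLE_ATTR}']/saml:AttributeValue"
    for value in root.iterfind(path, SAML_NS):
        parts = [p.strip() for p in (value.text or "").split(",")]
        roles = [p for p in parts if ":role/" in p]
        providers = [p for p in parts if ":saml-provider/" in p]
        if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
            raise ValueError(f"malformed Role attribute value: {value.text!r}")
        pairs.append((roles[0], providers[0]))
    return pairs


def build_command(saml_response_b64, role_arn, duration=3600):
    """Build the STS call for one role granted by the assertion."""
    roles = dict(parse_roles(saml_response_b64))
    if role_arn not in roles:  # refuse roles the IdP did not assert
        raise ValueError(f"assertion does not grant {role_arn}")
    return ("aws sts assume-role-with-saml "
            f"--role-arn {shlex.quote(role_arn)} "
            f"--principal-arn {shlex.quote(roles[role_arn])} "
            f"--duration-seconds {duration} "
            f"--saml-assertion {shlex.quote(saml_response_b64)}")
```

The returned command is the one the blog post describes typing by hand; the assertion is still only valid for the short window the IdP set, so it has to be pasted fresh each time.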

@pcolmer

pcolmer commented Dec 31, 2019

Currently, from what I understand in the documentation, aws2 configure sso only supports Microsoft Active Directory and AWS SSO.

That isn't quite accurate. AWS SSO is, in itself, a service and that service can use one of the following as the identity source:

  1. AWS SSO itself
  2. Microsoft Active Directory
  3. An external SAML 2 identity provider.

I've successfully configured AWS SSO to use Keycloak and aws2 then supports authentication via AWS SSO and Keycloak.

So, it should be possible to set up AWS SSO to use Google as the SAML 2 IdP, set up users and permissions and then use aws2 with that.

@brokenthumbs
Author

@pcolmer

So, AWS SSO does support using Google as the SAML 2 IdP. However, as I am using Google as my IdP, I would prefer to not have to maintain two sets of users, one in Google and one in AWS SSO.

The solution would be to use SCIM User Provisioning from GSuite to AWS SSO, but Google currently does not allow SCIM as an option for Custom SAML Apps.

For myself, I think I'm either waiting for Google to enable SCIM for Custom SAML Apps (which would allow me to provision users automatically on AWS SSO), or possibly AWS updating aws2 configure sso to support external IdPs directly, without going through AWS SSO first.

@pcolmer

pcolmer commented Dec 31, 2019

@brokenthumbs yeah, I'm in the same situation with Keycloak - it doesn't support SCIM either (yet). I've resigned myself to creating users and groups within AWS SSO for now and just using Keycloak for the authentication piece.

I'm hoping that either Keycloak will gain SCIM functionality, or AWS SSO will get extended to read attributes from the SAML blob, or there will be an API to allow me to programmatically set up AWS SSO instead of SCIM.

@brikis98

I was also able to get AWS SSO working with Google as an IdP, but without automatic user provisioning, it's not of much use. Having to manually create all my Google users in AWS SSO defeats the point of using SSO, right?

@princepathria97

@brikis98 Facing the same issue.

@ruimarinho

I've tried this as well but I couldn't figure it out (yet). Maybe I had the wrong expectation in terms of how it would work.

I've ended up building my own tool (called gsts) which is proving to be a reliable alternative so far - at least until Amazon and Google can work together to fix this issue once and for all for all of us :)

@danhitchcock1

https://dev.to/aws/draft-setting-up-g-suite-aws-sso-and-ssosync-5fbc (references https://github.com/awslabs/ssosync) offers a workaround for provisioning from GSuite to AWS SSO, until GSuite implements the FastFed Basic SCIM Profile https://openid.net/specs/fastfed-scim-1_0-02.html#rfc.section.4.

@kdaily
Member

kdaily commented Sep 24, 2020

There is a relatively recent blog post regarding support of Google on AWS SSO:

https://aws.amazon.com/blogs/security/how-to-use-g-suite-as-external-identity-provider-aws-sso/

Further requests are out of scope of the AWS CLI and are features of AWS SSO. You can reach out to the SSO team more directly via the AWS Forums. Thanks!

@kdaily kdaily closed this as completed Sep 24, 2020
@kdaily kdaily added service-api This issue is due to a problem in a service API, not the SDK implementation. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 24, 2020