Obtain AWS STS Tokens by authenticating to ADFS via Azure, getting SAML claim from Azure, and passing the claims to AWS STS service.
Who is this tool for?
- Your organization manages AWS role assignments in Azure's AWS application
- You use office.com portal to login to AWS
- You authenticate via ADFS
The tool is a single binary:
- Linux/MAC:
go-get-aws-keys
- Windows:
go-get-aws-keys.exe
Run the following commands:
git clone git@github.com:greenpau/go-get-aws-keys.git
cd go-get-aws-keys
make
make BUILD_OS="darwin"
make BUILD_OS="windows" BUILD_ARCH="amd64"
make BUILD_OS="windows" BUILD_ARCH="386"
The commands build binaries for various operating systems:
$ find bin/ -type f
bin/linux-amd64/go-get-aws-keys
bin/darwin-amd64/go-get-aws-keys
bin/windows-amd64/go-get-aws-keys.exe
bin/windows-386/go-get-aws-keys.exe
The configuration file name is go-get-aws-keys-config.yaml
.
The location of the file depends on the type of an operation
system it is used on (see instructions below).
---
azure:
tenant_id: '9c5399e3-e3e4-49aa-b6c7-e27d618ae206'
application_id: 'f4cd2b32-6d0d-423d-85ce-9acc0318a4fe'
aws:
roles:
- account_id: '000000000001'
role: 'Administrator'
region: 'us-east-1'
profile_name: 'default'
- account_id: '000000000002'
role: 'Administrator'
region: 'us-east-1'
email: 'jsmith@contoso.com'
password: 'My@Password' # nor recommended
The configuration file has azure
section for Azure specific configuration.
Please reach out to Azure AD administrator to provide you with
Azure Tenant ID and the ID for the AWS application in Azure.
The configuration file also has aws
section for defining the
roles that a user want to assume.
After go-get-aws-keys
gets temporary STS credentials it puts them
into .aws/credentials
file. The value of the profile_name
key in
aws
section defines the name of the profile the tool will create or
update:
- If the profile already exists in
.aws/credentials
file, then that specific section will be overwritten. - If the profile name does not exist, then it the profile will be appended to the credentials file.
- If the profile name is not being set in the configuration file, then
the profile name will match the following pattern
ggk-<Account ID>-<Role Name>
This is what you would expect to see when invoking go-get-aws-keys
:
$ go-get-aws-keys
Enter password for jsmith@contoso.com:
INFO[0003] Added default aws credentials profile to /home/jsmith/.aws/credentials
INFO[0003] Added ggk-000000000002-Administrator aws credentials profile to /home/jsmith/.aws/credentials
- Create a configuration file:
~/.aws/go-get-aws-keys-config.yaml
- Place
go-get-aws-keys
in your executable path
- Go to "View Advanced System Settings" in "System Properties"
- Click "Environment Variables"
- Amend "Path" environment variable for your user by adding:
C:\Users\<username>\AppData\Local\Programs\go-get-aws-keys
- Create
C:\Users\<username>\AppData\Local\Programs\go-get-aws-keys
directory - Unpack
go-get-aws-keys.exe
ingo-get-aws-keys-1.0.0.windows-amd64.zip
to the abovego-get-aws-keys
directory - Unpack
go-get-aws-keys-config.yaml
ingo-get-aws-keys-1.0.0.windows-amd64.zip
toC:\Users\<username>\.aws
directory
Alternatively, a user may set up the environment variable in the following way:
setx path "%path%;%userprofile%\AppData\Local\Programs\go-get-aws-keys"