Any way to get CLI credentials when using AWS SSO with a 3rd party SSO account?
Question
For our internal AWS accounts we use the aws cli with the aws sso command to login and get session credentials. We also have a few other 3rd party AWS accounts configured in AWS SSO (or whatever it's been called this week).
Getting cli credentials for this 3rd party AWS account without creating an IAM user is a bit of an issue. Is this possible at all?
Tried:
- Using aws sso cli commands to get third party account credentials
- Using AWS CloudShell to call STS to get session credentials. This doesn't work because we're assuming a role to get to CloudShell, and you can't use session credentials to get another session credential.
Answer 1
Score: 1
After a lot of digging, I found it was possible to do this by using the aws sts assume-role-with-saml command.
- First, you need to use a web browser to capture the SAML response from your IDP to the SP (AWS console in this case). You can do this with the developer tab. Make a note of the base64 encoded SAML response.
- Make a note of the ARN for the role your SAML user assumes, and the identity provider ARN that the IDP references.
- Put it all together in the command line (command below is for PowerShell):
    # Fill these in first; a "#" comment after a backtick would otherwise swallow the line continuation
    $RoleArn = "<paste the role ARN here>"
    $PrincipalArn = "<paste the identity provider ARN here>"
    $SamlResponse = "<paste your base64 SAML response here>"
    aws sts assume-role-with-saml `
        --role-arn $RoleArn `
        --principal-arn $PrincipalArn `
        --saml-assertion $SamlResponse
- Extract the access key, secret access key and token from the response.
- To use the credentials:
    $Env:AWS_ACCESS_KEY_ID="$AccessKeyHere"
    $Env:AWS_SECRET_ACCESS_KEY="$SecretAccessKeyHere"
    $Env:AWS_SESSION_TOKEN="$SessionTokenHere"
Hope that helps someone!
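The "make a note of the ARNs" step can be done from the captured response itself. The Python below is an added example, not code from the answer above: it decodes a base64 SAMLResponse, lists the role/provider ARN pairs that AWS reads from the Role attribute, and checks the assertion's Conditions window, since an expired assertion is rejected by assume-role-with-saml. The SAML document, account id and names are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: a minimal SAMLResponse as an IdP would POST it to the
# AWS sign-in endpoint, base64-encoded. Account id, role and provider names are placeholders.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ThirdPartyReadOnly,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>3600</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""").decode()


def list_saml_roles(saml_response_b64):
    """Return [(role_arn, principal_arn), ...] from the AWS Role attribute."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                continue  # malformed value; AWS expects exactly "role,provider"
            # AWS accepts either order; normalise to (role, saml-provider).
            role, provider = sorted(parts, key=lambda a: ":saml-provider/" in a)
            pairs.append((role, provider))
    return pairs


def assertion_valid_at(saml_response_b64, now_iso):
    """True if now_iso (UTC, e.g. 2024-01-01T00:02:00Z) lies inside the Conditions window."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    cond = root.find(".//saml:Conditions", NS)
    parse = lambda s: datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)
    now = parse(now_iso)
    return parse(cond.get("NotBefore")) <= now < parse(cond.get("NotOnOrAfter"))
```

The two values returned by list_saml_roles are exactly what goes into --role-arn and --principal-arn; assertion windows are typically only a few minutes, so run the STS call promptly after capturing the response.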