Any way to get CLI credentials when using AWS SSO with a 3rd party SSO account?

Question

For our internal AWS accounts we use the aws cli with the aws sso command to login and get session credentials. We also have a few other 3rd party AWS accounts configured in AWS SSO (or whatever it's been called this week).

Getting cli credentials for this 3rd party AWS account without creating an IAM user is a bit of an issue. Is this possible at all?

Tried:

  • Using aws sso cli commands to get third party account credentials
  • Using AWS CloudShell to call STS to get session credentials. This doesn't work because we're assuming a role to get to CloudShell, and you can't use session credentials to get another session credential.

Answer 1

Score: 1

After a lot of digging, I found it was possible to do this by using the aws sts assume-role-with-saml command.

  1. First, you need to use a web browser to capture the SAML response from your IDP to the SP (AWS console in this case). You can do this with the developer tab. Make a note of the base64-encoded SAML response.

  2. Make a note of the ARN for the role your SAML user assumes, and the identity provider ARN that the IDP references.

  3. Put it all together in the command line (command below is for PowerShell; the placeholders are quoted so that the backtick line continuations are not swallowed by a comment):

aws sts assume-role-with-saml `
    --role-arn "<paste the role ARN here>" `
    --principal-arn "<paste the identity provider ARN here>" `
    --saml-assertion "<paste your SAML response here>"

  4. Extract the access key, secret access key and token from the response.

  5. To use the credentials:

$Env:AWS_ACCESS_KEY_ID="$AccessKeyHere"
$Env:AWS_SECRET_ACCESS_KEY="$SecretAccessKeyHere"
$Env:AWS_SESSION_TOKEN="$SessionTokenHere"

Hope that helps someone!
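The answer leaves the reader to find the two ARNs by hand and to copy three values out of the STS output. Both pieces of information are already present in the data that passes through the browser: the base64 SAMLResponse carries the role/provider pairs in the assertion's https://aws.amazon.com/SAML/Attributes/Role attribute (AWS accepts the pair in either order), plus a NotOnOrAfter timestamp after which STS will refuse the assertion, and the assume-role-with-saml output is JSON with a Credentials object. The following Python is an added example, not code from the answer: it decodes a constructed SAML response (placeholder account id, role and provider names), pulls out the ARNs and the expiry, renders the answer's command for PowerShell or a POSIX shell, and turns a constructed STS response into the environment assignments from step 5. Note that AssumeRoleWithSAML is an unsigned API call, which is why it works without any existing credentials for the third-party account.

```python
import base64
import json
import xml.etree.ElementTree as ET
from datetime import datetime

# XML namespaces of a SAML 2.0 response/assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# AWS reads the role/provider pairs from this attribute of the assertion.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample: a stripped-down SAML response as an IdP posts it to the
# AWS sign-in endpoint. Account id, role and provider names are placeholders.
SAMPLE_SAML_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2023-02-27T10:39:43Z" Destination="https://signin.aws.amazon.com/saml">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-02-27T10:39:43Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2023-02-27T10:39:43Z" NotOnOrAfter="2023-02-27T10:44:43Z">
      <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ThirdPartyReadOnly,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ExampleIdP,arn:aws:iam::123456789012:role/ThirdPartyAdmin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The browser's SAMLResponse form field is the base64 of that XML; this is the
# value the answer says to copy out of the developer tools.
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_SAML_XML.encode()).decode()

# Constructed sample of what `aws sts assume-role-with-saml` prints (subset of fields).
SAMPLE_STS_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "EXAMPLE/SECRET/ACCESS/KEY",
        "SessionToken": "EXAMPLE.SESSION.TOKEN",
        "Expiration": "2023-02-27T11:39:43+00:00",
    },
    "Audience": "https://signin.aws.amazon.com/saml",
})


def parse_roles(saml_response_b64):
    """Return the (role_arn, principal_arn) pairs carried in the Role attribute.

    The IdP may list the pair in either order; AWS accepts both, so normalise
    by looking for the ':role/' marker. These are the two ARNs step 2 asks for.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            first, second = (part.strip() for part in value.text.split(",", 1))
            role, principal = (first, second) if ":role/" in first else (second, first)
            pairs.append({"role_arn": role, "principal_arn": principal})
    return pairs


def assertion_expiry(saml_response_b64):
    """NotOnOrAfter of the assertion: STS rejects it after this instant, so a
    captured response has to be used within a few minutes of capture."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    conditions = root.find(".//saml:Conditions", NS)
    return datetime.fromisoformat(conditions.get("NotOnOrAfter").replace("Z", "+00:00"))


def build_cli_command(role_arn, principal_arn, saml_response_b64, shell="powershell"):
    """Render the answer's command with real values; '`' continues lines in
    PowerShell, '\\' in a POSIX shell. Quoting keeps the long base64 blob intact."""
    cont = "`" if shell == "powershell" else "\\"
    return (
        f"aws sts assume-role-with-saml {cont}\n"
        f'    --role-arn "{role_arn}" {cont}\n'
        f'    --principal-arn "{principal_arn}" {cont}\n'
        f'    --saml-assertion "{saml_response_b64}"'
    )


def credentials_to_env(sts_response_json, shell="powershell"):
    """Steps 4 and 5 of the answer: pull the three values out of the STS JSON
    and emit the environment assignments for the chosen shell."""
    creds = json.loads(sts_response_json)["Credentials"]
    mapping = [
        ("AWS_ACCESS_KEY_ID", creds["AccessKeyId"]),
        ("AWS_SECRET_ACCESS_KEY", creds["SecretAccessKey"]),
        ("AWS_SESSION_TOKEN", creds["SessionToken"]),
    ]
    if shell == "powershell":
        return [f'$Env:{name}="{value}"' for name, value in mapping]
    return [f'export {name}="{value}"' for name, value in mapping]
```

Typical use: call parse_roles on the captured SAMLResponse, pick the pair for the role you want, check assertion_expiry against the current time, feed the pair plus the unchanged base64 blob to build_cli_command, run the printed command, and pass its JSON output to credentials_to_env. The credentials that come back are temporary (see the Expiration field), so nothing long-lived is created in the third-party account, which is the point of avoiding an IAM user.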

huangapple
  • Posted on 2023-02-27 18:39:43
  • Please keep this link when reposting: https://go.coder-hub.com/75579401.html