Log in to AWS using OpenID Connect

The aim for this is to create a general purpose CLI OIDC login with a limited set of trusted dependencies.

Tested with Azure AD for now. Your mileage may vary with other providers, please let us know!

Prerequisites (Azure AD example)

Create Azure AD App
- Set public client reply url to http://localhost
- Add an appRole (may be unnecessary)
- Add users(s) to the role (to the app)
Create an AWS OIDC identity provider
- Authority URL will be https://login.microsoftonline.com/<AAD tenant id>/oauth2/v2.0
- Add your AAD app client id as audience
Create a web identity role with permissions you'd like
- Edit trust relationship for the role to allow role assumption with tokens issued by AAD for your app
Add parameters under a suitable profile ~/.aws/config:
- Add your application id (client id) from AAD app
- Add your AAD tenant id
- oidc_authority_url=https://login.microsoftonline.com/<AAD tenant id>/oauth2/v2.0
- oidc_client_id=<id of your AAD app>
- oidc_role_arn=<ARN of the role you are assuming on AWS>

It's available on PyPI. Install by running pip install aws-oidc-login.

The executable is called aol. Log in with default profile by simply running aol or specify a profile with aol [profile].

See aol -h for more options.

Name		Name	Last commit message	Last commit date
Latest commit History 37 Commits
login		login
tests		tests
.flake8		.flake8
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
codeship-services.yml		codeship-services.yml
codeship-steps.yml		codeship-steps.yml
dev-requirements.in		dev-requirements.in
dev-requirements.txt		dev-requirements.txt
dist.sh		dist.sh
p27.Dockerfile		p27.Dockerfile
p35.Dockerfile		p35.Dockerfile
p36.Dockerfile		p36.Dockerfile
p37.Dockerfile		p37.Dockerfile
package.sh		package.sh
pytest.ini		pytest.ini
requirements.txt		requirements.txt
setup.cfg		setup.cfg
setup.py		setup.py
test.sh		test.sh
test_jet.sh		test_jet.sh