This repository has been archived by the owner on Jan 15, 2023. It is now read-only.

This is a tool to allow authorized folks to log into an AWS account using credentials from a Google Apps domain.

How It Works

  • Your users navigate to this service.
  • We redirect them through the Google login process.
  • We check their group membership in the Google directory service to determine which access policy to apply.
  • We generate temporary credentials using the AWS Security Token Service (STS) GetFederationToken API.
  • We build a URL to the AWS console that contains their temporary credentials and redirect them there. Alternatively we pass their temporary credentials to them directly for use with the AWS API.

Example requests:

  • eventually redirects to the root of the console.

  • redirects to the EC2 console view.

  • displays access keys suitable for pasting into a bash-style shell:

      # expires 2015-03-14 01:01:04 +0000 UTC
      export AWS_SESSION_TOKEN="AQoD...i6gF"

    You can also try view=csh and view=fish.


The cloudformation document creates a load balancer that listens for HTTPS connections on TCP/443 and proxies them via HTTP to instances in an autoscaling group of size 1. At boot, the instances run the awsauthproxy docker image, which runs awsauthd.

awsauthd loads its configuration from an S3 bucket that is created by the cloudformation document. The instance profile allows it to access only this bucket and nothing else.

The configuration specifies a new set of credentials that are used to execute the GetFederationToken() API call. These credentials have a policy applied to them that explicitly disallows reading the configuration bucket. If the configuration bucket were not protected, the user could access the federation secrets, which would allow them to exceed their authorized access.
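As an added illustration (not code from the awsauthd project), this Python snippet builds the kind of session policy described above, a read-only Allow plus an explicit Deny on the configuration bucket, checks it against the plaintext size limit that the later note on GetFederationToken() policy size refers to, and runs a simplified IAM-style evaluation to confirm the federated user cannot read the bucket. The bucket name, the read-only action list and the 2048-character limit are assumptions, not values from this page.

```python
import fnmatch
import json

# Constructed placeholder: the real bucket name comes from the CloudFormation stack.
CONFIG_BUCKET = "awsauthd-config-bucket-example"
# Plaintext size limit for a session policy passed to GetFederationToken (assumed 2048 chars).
POLICY_SIZE_LIMIT = 2048


def build_session_policy(config_bucket, allowed_actions):
    """Session policy for GetFederationToken: a read-only Allow plus an explicit Deny
    on the configuration bucket, so the federated user can never read the secrets."""
    bucket_arn = "arn:aws:s3:::" + config_bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(allowed_actions), "Resource": "*"},
            {"Effect": "Deny", "Action": "s3:*", "Resource": [bucket_arn, bucket_arn + "/*"]},
        ],
    }


def policy_fits(policy, limit=POLICY_SIZE_LIMIT):
    """True when the compact JSON form of the policy is within the size limit."""
    return len(json.dumps(policy, separators=(",", ":"))) <= limit


def _matches(pattern, value):
    # IAM-style wildcard matching; '*' in fnmatch matches across ':' and '/' as well.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: any matching Deny wins, otherwise a matching Allow
    grants access, and no match at all means denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_session_policy(CONFIG_BUCKET, ["s3:Get*", "s3:List*", "ec2:Describe*"])
    print(json.dumps(policy, indent=2), "fits:", policy_fits(policy))
    print("read config:", is_allowed(policy, "s3:GetObject", "arn:aws:s3:::%s/config.json" % CONFIG_BUCKET))
```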


  1. Get a Google OAuth Client ID and Secret. This is used by the web application to authorize your users.

    • Navigate to
    • Click "Create Project"
    • Navigate to "APIs & Auth" and then "Credentials"
    • Click "Create Client ID"
    • Select "Web Application" and set up the consent screen.
    • Under "Authorized JavaScript origins", enter the name of your server, e.g.
    • Click "Create client ID".
    • Record your client ID and client secret.
  2. Get a Google Service Account. This is used by the application to determine which groups the user is in.

    • Navigate to

    • Navigate to your project

    • Click "Create Client ID"

    • Select "Service Account"

    • Note the email address created.

    • Decrypt the PKCS#12 bundle (.p12) that gets downloaded:

      openssl pkcs12 -in ~/Downloads/My\ Project-afcee0fea02c.p12 -nodes

      Extract the private key part.

  3. Authorize your new Google service account. Follow the directions here to authorize your new service account to access the scope

  4. Get an SSL certificate for your domain and upload it to the AWS IAM console. Note the ARN for your new certificate.

     aws iam upload-server-certificate --server-certificate-name \
       --certificate-body file://ssl.crt \
       --private-key file://ssl.key \
       --certificate-chain file://intermediate.crt
  5. Build a configuration file from the filling in all your secrets

  6. Create the cloudformation stack described by cloudformation.template. You can use the provided Makefile, though you'll need to customize it a little:

     make create

    Note: the Makefile assumes you have the AWS CLI installed.

  7. After a few moments you should be able to upload your config to the S3 data bucket.

     make put-config


  • The Google groups and the AWS policy mappings are currently hard coded.

  • The size of the policy document passed to GetFederationToken() is fairly limited. I had to remove stuff from the default ReadOnlyAccess policy to make it fit.

  • We don't currently have a way to restrict access to the service launch configuration, which exposes the root GetFederationToken() credentials. XXX

  • All errors are reported to users in exactly the same way, by returning 400 Bad Request. This has the benefit of preventing any leakage to unauthorized users but is a little unfriendly. After carefully considering the implications, we might want errors that are a little friendlier.

  • TODO: Google rotates the key used to sign the JWT, so we get something like:

      2015/03/29 17:04:20 failed to parse google id_token: Unknown key in token

    The workaround is to restart.
