This is a script to generate and obtain temporary AWS credentials (an access key pair plus a session token) from a federated login via SAML.
The script authenticates against an ADFS portal (such as Microsoft ADFS), lists the IAM roles you are allowed to assume, and generates temporary credentials that can be placed in an AWS credentials file.
Clone this repo:
git clone git@github.com:totvscloud-seginf/saml2aws.git
Install Python 3 from https://www.python.org/downloads/
Install the library dependencies:
cd saml2aws
pip install -r requirements.txt
Run the script:
cd saml2aws
python saml2aws.py
Note: this script requires Python 3. If you also have Python 2 installed, run "python3 saml2aws.py" instead so the correct interpreter is used.
The script will ask you for 3 inputs:
- Your ADFS address (only the FQDN or IP address; exclude the https:// prefix and any path). E.g. if your ADFS portal is reached at https://adfs.company.com/adfs/ldapsign/, enter only adfs.company.com
- Your username. This can be your full email address or your domain followed by your username (e.g. DOMAIN\firstname.lastname)
- Your domain password.
The script then lists the roles you have access to so you can choose one to assume.
After you enter the number of your choice, it prints a JSON document with your temporary credentials.
Copy the access_key, secret_key and session_token into your AWS credentials file (~/.aws/credentials) in the following format:
[default] #or a profile name you want to use
aws_access_key_id = ASIA000000000JYBYK6L
aws_secret_access_key = bSh4H2200000000000009XR/Z2/wEEPcw3NDq5
aws_session_token = FwoGZXIvY000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000AEuHocpSIe9pzMwc7G7uml+rMD0fmuqNsvbJJMhIbWiVEtT+hf6ZVx8SaQ+xqRVVskw=
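The flow described above (decode the SAML response ADFS posts back, list the roles it carries, exchange one with STS, store the keys) in Python, as an added example that is not the project's own code. It parses a constructed SAMLResponse for the role/principal ARN pairs that AWS expects in the https://aws.amazon.com/SAML/Attributes/Role attribute (either order is allowed), shows the real boto3 call sts.assume_role_with_saml (needs network and boto3, so the offline demo skips it), and writes the profile with file mode 0600 so other local users cannot read the keys. The account id 123456789012, the role and provider names, the SAMPLE_CREDS values and the temp file path are all constructed.

```python
import base64
import configparser
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample: a minimal SAMLResponse of the shape ADFS posts back in the
# SAMLResponse form field. Account id, role names and provider name are made up.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/Admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# Constructed credentials standing in for the "Credentials" block STS returns.
SAMPLE_CREDS = {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "example-secret",
                "SessionToken": "example-session-token"}


def parse_roles(saml_response_b64):
    """Return [(role_arn, principal_arn), ...] from a base64 SAMLResponse.
    The response comes from your own IdP over TLS; for XML from untrusted
    sources prefer defusedxml over the stdlib parser."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            roles = [p for p in parts if ":role/" in p]
            providers = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
                raise ValueError(f"malformed Role attribute value: {value.text!r}")
            pairs.append((roles[0], providers[0]))
    return pairs


def assume_role_with_saml(role_arn, principal_arn, saml_response_b64, duration=3600):
    """Exchange the assertion for temporary keys (real boto3 API; needs network,
    so the offline demo below does not call it)."""
    import boto3
    sts = boto3.client("sts")
    resp = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=principal_arn,
                                     SAMLAssertion=saml_response_b64,
                                     DurationSeconds=duration)
    return resp["Credentials"]


def write_credentials(path, profile, creds):
    """Create or replace one profile in an AWS credentials file, keeping other
    profiles, and leave the file readable by the owner only (0600)."""
    config = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    config.read(path)  # silently empty if the file does not exist yet
    config[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        config.write(fh)
    os.chmod(path, 0o600)  # tighten a pre-existing file too
    return path


def demo_write_credentials():
    """Write SAMPLE_CREDS to a temp credentials file; return (profile dict, file mode)."""
    path = os.path.join(tempfile.mkdtemp(), "credentials")
    write_credentials(path, "default", SAMPLE_CREDS)
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    return dict(cp["default"]), stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    for i, (role, provider) in enumerate(parse_roles(SAMPLE_SAML_RESPONSE)):
        print(f"[{i}] {role}  (via {provider})")
    profile, mode = demo_write_credentials()
    print(profile, oct(mode))
```

In real use the base64 SAMLResponse is taken from the hidden form field in the ADFS login result, the user picks an index from the printed list, and the `Credentials` dict returned by `assume_role_with_saml` goes straight into `write_credentials`; the keys never need to be pasted by hand.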
If your ADFS portal uses a self-signed certificate, the connection will fail certificate validation. If that is your case and you cannot replace the certificate on the ADFS portal with a trusted one, add the parameter 'verify=False' to the requests call:
In the function login() replace:
session.get(adfs_url)
with
session.get(adfs_url, verify=False)
This is a rare and odd case, but it can happen if some kind of SSL inspection solution is intercepting your API calls. That can usually be confirmed in your endpoint protection solution (antivirus, EDR, etc.) or in network tools (IPS, NGFW, CASB, etc.). In that case the best solution is to ask your IT department to exclude the https://sts.amazonaws.com endpoint from the scanning filter by categorizing it as an exception. If that is not possible, add the same parameter to ignore validation in the assume_role function.
In the function assume_role() replace:
client = boto3.client('sts')
with
client = boto3.client('sts', verify=False)
Another really odd case. For a reason that could not be determined, the assume_role call may use an invalid endpoint, 'https://sts..amazonaws.com'. The double dot (..) is wrong, and it is unclear why it happens since the endpoint is predefined by the boto3 SDK. If that is your case, forcing the correct endpoint should solve the problem.
In the function assume_role() replace:
client = boto3.client('sts')
with
client = boto3.client('sts', endpoint_url="https://sts.amazonaws.com")
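The three workarounds above all change how the script builds its requests session and its STS client. The following is an added example of my own, not code from the saml2aws project, showing the settings a defender would prefer in those situations: instead of `verify=False`, point `verify=` (the same keyword in requests and in boto3.client) at a bundle containing your private or inspection CA, or set the REQUESTS_CA_BUNDLE / AWS_CA_BUNDLE environment variables that requests and botocore respectively honour; and pass an explicit `endpoint_url` (boto3's keyword for this option) only after checking the hostname for the empty-label problem described above. The function names, AWS_STS_GLOBAL_ENDPOINT and the placeholder bundle file are my assumptions; the bundle content in the demo is not a real certificate, and the PEM check here is only a sanity check, the actual validation happens in the TLS handshake.

```python
import os
import tempfile
from urllib.parse import urlsplit

# The STS global endpoint the page recommends forcing when the SDK misbuilds the URL.
AWS_STS_GLOBAL_ENDPOINT = "https://sts.amazonaws.com"


def load_ca_bundle(path):
    """Return the bundle path after checking it is readable and holds at least one PEM block."""
    with open(path, "r", encoding="ascii") as fh:
        if fh.read().count("-----BEGIN CERTIFICATE-----") == 0:
            raise ValueError(f"{path}: no PEM certificates found")
    return path


def tls_verify_setting(ca_bundle=None):
    """Value for requests' and boto3's `verify=` argument.
    An explicit bundle wins, then the env vars the two libraries read,
    otherwise True (system trust store). False is never produced."""
    candidate = (ca_bundle
                 or os.environ.get("AWS_CA_BUNDLE")
                 or os.environ.get("REQUESTS_CA_BUNDLE"))
    return load_ca_bundle(candidate) if candidate else True


def endpoint_url_problem(url):
    """Describe what is wrong with an STS endpoint URL, or None if it looks sane.
    Catches 'https://sts..amazonaws.com' (empty DNS label) and plain-http URLs."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return f"{url}: STS endpoint must use https"
    if not host or any(label == "" for label in host.split(".")):
        return f"{url}: malformed hostname {host!r}"
    return None


def sts_client_kwargs(ca_bundle=None, endpoint_url=None):
    """Keyword arguments for boto3.client('sts', **kwargs)."""
    kwargs = {"verify": tls_verify_setting(ca_bundle)}
    if endpoint_url is not None:
        problem = endpoint_url_problem(endpoint_url)
        if problem:
            raise ValueError(problem)
        kwargs["endpoint_url"] = endpoint_url
    return kwargs


def demo_kwargs():
    """Build the kwargs against a constructed bundle file; return (kwargs, bundle path)."""
    bundle = os.path.join(tempfile.mkdtemp(), "corporate-ca.pem")
    with open(bundle, "w", encoding="ascii") as fh:
        # Placeholder body, not a real certificate: only the PEM markers are checked here.
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n")
    return sts_client_kwargs(ca_bundle=bundle, endpoint_url=AWS_STS_GLOBAL_ENDPOINT), bundle


if __name__ == "__main__":
    kwargs, bundle = demo_kwargs()
    print(kwargs)  # {'verify': '<tmp>/corporate-ca.pem', 'endpoint_url': 'https://sts.amazonaws.com'}
    # Usage in the script (requires requests/boto3, not executed here):
    #   session.get(adfs_url, verify=tls_verify_setting(bundle))
    #   client = boto3.client('sts', **sts_client_kwargs(bundle, AWS_STS_GLOBAL_ENDPOINT))
    print(endpoint_url_problem("https://sts..amazonaws.com"))
```

With a bundle in place the session to the ADFS portal and the STS client both keep full certificate checking, which is what protects the SAML assertion and the returned keys from an on-path observer; `verify=False` removes that protection for every call the script makes.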