Google Chrome extension that converts a SAML 2.0 assertion into AWS STS keys (temporary credentials). Log in to the AWS Web Management Console through your SAML IdP as usual; the extension captures the SAML assertion from the HTTP request and calls the STS AssumeRoleWithSAML API with it to create the temporary credentials (AccessKeyId, SecretAccessKey and SessionToken).
The extension can only write those credentials to Chrome's download folder, but if you symlink that file to your ~/.aws/credentials as described in the Instructions below, every time you log in to AWS in your browser the keys used by your AWS CLI are refreshed as well.
All credit to the original author: https://github.com/prolane/samltoawsstskeys. This version was tweaked slightly and repackaged to support AWS GovCloud.
Install from the Chrome Web Store:
- Add the extension from the Chrome Web Store
- Symlink your AWS credentials file to the credentials file in your download location. ln -s fails if ~/.aws/credentials already exists, so move any existing file aside first (the profiles in it are not carried over; the symlinked file is rewritten by the extension on every login):
ln -s ~/Downloads/credentials ~/.aws/credentials
- After your first login, make sure the downloaded file is readable by your user only, since a download is created with your default file permissions rather than 0600:
chmod 600 ~/Downloads/credentials

Install from source (unpacked extension):
- Clone this repository
- Open Chrome and go to chrome://extensions/
- Enable Developer Mode
- Click on "Load unpacked extension..."
- Select the folder where you cloned this repository
- Symlink your AWS credentials file to the credentials file in your download location, as above:
ln -s ~/Downloads/credentials ~/.aws/credentials
- Enjoy!
If your credentials are being downloaded as expected, yet the CLI isn't picking them up, the following steps may help:
- List AWS CLI profiles:
aws configure list-profiles
- List the current AWS CLI configuration data:
aws configure list
- The last 4 characters of access_key and secret_key in that output should match your aws_access_key_id and aws_secret_access_key in the credentials file. If they do not, the CLI is reading the keys from somewhere else: the Type column of that output tells you whether a value came from the environment (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_PROFILE and AWS_SHARED_CREDENTIALS_FILE take precedence over the file) or from the shared credentials file.
- If region is not set, AWS CLI commands will fail saying: An error occurred (InvalidToken) when calling the <> operation: The provided token is malformed or otherwise invalid. GovCloud credentials are only valid against GovCloud endpoints, so a missing or commercial region sends the token to the wrong partition.
- Set the region for the current profile:
aws configure
- You can just press ENTER on the access key and secret key, both should be pre-populated
- The default region name should show [None]. Change this to your default region: us-gov-west-1
- Press ENTER to leave the default output format as [None]
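The symlink setup from the Instructions and the troubleshooting checks above, as an added example that is not part of this repository or the original extension. It backs up any real ~/.aws/credentials before linking it, tightens the downloaded file to 0600, then reads the three key fields and the profile's region the way the checks above do by hand. Directory paths are parameters so it can be exercised against a scratch directory; the sample credentials and config it writes are constructed placeholders in the standard AWS CLI file format, not output captured from the extension, and the expectation that the region is a us-gov-* region is an assumption taken from this fork's GovCloud focus.

```shell
#!/usr/bin/env bash
# Added example, not part of the samltoawsstskeys extension: safely create the
# ~/.aws/credentials symlink and verify what the extension wrote. All paths are
# parameters; run link_credentials ~/.aws ~/Downloads for the real thing.

# Back up a real <aws_dir>/credentials, then point it at <downloads_dir>/credentials.
link_credentials() {            # <aws_dir> <downloads_dir>
  link="$1/credentials"
  target="$2/credentials"
  mkdir -p "$1" || return 1
  if [ -e "$link" ] && [ ! -L "$link" ]; then
    # Keep the old profiles instead of silently losing them to ln -f.
    mv "$link" "$link.bak.$(date +%Y%m%d%H%M%S)" || return 1
  fi
  ln -sfn "$target" "$link" || return 1
  # A download is usually created with the default umask, not 0600; fix it if present.
  [ -f "$target" ] && chmod 600 "$target"
  return 0
}

# Print the value of <key> inside the [<section>] block of an INI-style file.
ini_value() {                   # <file> <section> <key>
  [ -f "$1" ] || return 1
  awk -v section="[$2]" -v key="$3" '
    { sub(/[ \t\r]+$/, "") }                  # drop trailing whitespace / CR
    $0 == section { inside = 1; next }
    /^\[/         { inside = 0 }
    inside && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# ~/.aws/config names the default profile [default] but others [profile NAME].
config_region() {               # <config_file> <profile>
  if [ "$2" = default ]; then ini_value "$1" default region
  else ini_value "$1" "profile $2" region; fi
}

# Same four-character suffix that 'aws configure list' prints.
last4() { printf '%s' "$1" | tail -c 4; }

# Verify link, file mode, the three key fields and the region.
# Prints one line per finding; the return code is the number of problems.
check_credentials() {           # <aws_dir> <downloads_dir> [profile]
  aws_dir=$1 downloads_dir=$2 profile=${3:-default} problems=0
  link="$aws_dir/credentials" target="$downloads_dir/credentials"

  if [ -L "$link" ] && [ "$(readlink "$link")" = "$target" ]; then
    echo "ok: $link -> $target"
  else
    echo "problem: $link is not a symlink to $target"; problems=$((problems + 1))
  fi

  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$target" 2>/dev/null || stat -f '%Lp' "$target" 2>/dev/null)
  if [ "$mode" = 600 ]; then
    echo "ok: $target is mode 600"
  else
    echo "problem: $target is mode '${mode:-missing}', expected 600"; problems=$((problems + 1))
  fi

  for key in aws_access_key_id aws_secret_access_key aws_session_token; do
    value=$(ini_value "$target" "$profile" "$key" || true)
    if [ -n "$value" ]; then
      echo "ok: [$profile] $key ends in $(last4 "$value")"
    else
      echo "problem: [$profile] $key missing (log in again via the IdP)"; problems=$((problems + 1))
    fi
  done

  region=$(config_region "$aws_dir/config" "$profile" || true)
  case "$region" in
    us-gov-*) echo "ok: region $region" ;;
    "")       echo "problem: no region set for [$profile]"; problems=$((problems + 1)) ;;
    *)        echo "problem: region $region is not a GovCloud region"; problems=$((problems + 1)) ;;
  esac
  return $problems
}

# Constructed sample files (placeholder values) in the AWS CLI's own format,
# so the checks can be exercised without a real login.
write_sample() {                # <aws_dir> <downloads_dir>
  mkdir -p "$1" "$2"
  printf '[default]\naws_access_key_id = ASIAEXAMPLEEXAMPL\n' > "$2/credentials"
  printf 'aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n' >> "$2/credentials"
  printf 'aws_session_token = FwoGZXIvYXdzEXAMPLETOKEN\n' >> "$2/credentials"
  printf '[default]\nregion = us-gov-west-1\noutput = json\n' > "$1/config"
}

# Demo against a scratch directory so the script is harmless to run as-is.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/aws" "$demo_dir/downloads"
link_credentials "$demo_dir/aws" "$demo_dir/downloads"
check_credentials "$demo_dir/aws" "$demo_dir/downloads" || echo "$? problem(s) found"
rm -rf "$demo_dir"
```

The return code of check_credentials is the count of problems, so it can gate a shell profile or a pre-commit hook; the key values themselves are never printed, only the four-character suffix that aws configure list also shows.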
- How to check for errors in the extension?
  - Go to the options page of the extension
  - Set 'Enable DEBUG logs' to 'yes' and hit the 'Save' button below
  - Go to the Chrome Extensions page and look for the 'SAML to AWS STS Keys Conversion' extension
  - Click on the link where it says 'Inspect views'
  - A new Chrome DevTools window should pop up, with the 'Console' tab already selected. This is where you'll be able to view all logs.
  - Perform a new login and check the logs to see if there are any errors.
- Why can I not save the credentials file somewhere else? With security in mind, Chrome gives extensions no general filesystem access: the downloads API can only write beneath the configured downloads directory, and an extension cannot read or write arbitrary paths such as ~/.aws. This is why the symlink is needed, and it is also what keeps any other extension from reading files on your computer.
- How long are the credentials valid? AWS calls this 'session duration'. The default session duration is 1 hour. The maximum session duration is configured in AWS IAM as an attribute of the IAM role (MaxSessionDuration, up to 12 hours for AssumeRoleWithSAML). Your IdP might be configured to pass along an additional SAML attribute, https://aws.amazon.com/SAML/Attributes/SessionDuration, which requests a custom session duration higher than the default of 1 hour. It can never be higher than the maximum session duration configured on the IAM role, as that results in an error. The extension only refreshes the file when you log in through the browser, so once the keys expire, log in again.
- Create a symlink to your .aws directory: TODO