“aws-google-auth” is a command-line tool that allows you to acquire temporary AWS (Amazon Web Services) credentials using Google Apps as a federated Single Sign-On (SSO) provider.
Federated SSO lets users sign in to AWS with their existing Google Apps credentials, so there is no separate set of AWS-specific usernames and passwords to manage. “aws-google-auth” drives that sign-in from the command line and hands back temporary AWS credentials.
Here’s how the process typically works:
- Configuration: You start by configuring the “aws-google-auth” tool with the necessary information, such as your Google Apps domain, client ID, and client secret. This information is obtained from the Google Cloud Console when setting up the SSO integration between Google Apps and AWS.
- Authentication: When you run the “aws-google-auth” command, it initiates the authentication process. You are redirected to the Google Apps login page, where you enter your Google Apps credentials (email and password). This authentication step leverages the SSO integration between Google Apps and AWS.
- Authorization: Once you successfully authenticate with Google Apps, “aws-google-auth” obtains an access token from Google’s OAuth 2.0 service. This access token is then exchanged for temporary AWS credentials using AWS Security Token Service (STS). The AWS credentials include an access key, a secret key, and a session token.
- Temporary Credentials: The obtained AWS temporary credentials are valid for a specified duration, typically an hour. You can use these credentials to authenticate and access AWS services and resources programmatically using the AWS CLI, SDKs, or other AWS tools.
By using “aws-google-auth”, you simplify obtaining AWS temporary credentials by reusing your existing Google Apps SSO infrastructure: there are no separate long-lived AWS credentials to manage, and access to your AWS resources is gated by the authentication mechanisms provided by Google Apps.
aws-google-auth Command Examples
1. Log in with Google SSO using the IDP and SP identifiers and set the credentials duration to one hour:
# aws-google-auth -u example@example.com -I $GOOGLE_IDP_ID -S $GOOGLE_SP_ID -d 3600
2. Log in [a]sking which role to use (in case of several available SAML roles):
# aws-google-auth -u example@example.com -I $GOOGLE_IDP_ID -S $GOOGLE_SP_ID -d 3600 -a
3. Resolve aliases for AWS accounts:
# aws-google-auth -u example@example.com -I $GOOGLE_IDP_ID -S $GOOGLE_SP_ID -d 3600 -a --resolve-aliases
4. Show help information:
# aws-google-auth -h
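Because the credentials obtained above expire after the duration passed with -d (3600 seconds in the examples), scripts that reuse a cached profile should check it before calling AWS. The following is an added example, not code from aws-google-auth: it parses a constructed ~/.aws/credentials-style profile and reports whether the profile is missing, incomplete, expired, or still valid. It assumes the expiry is stored under a key named aws_session_expiration (an assumed name; check what your tool actually writes).

```python
"""Decide whether a cached STS profile written by an SSO tool is still usable.

Added example, not part of aws-google-auth. It assumes the profile holds the
three STS values and an ISO-8601 expiry under the key 'aws_session_expiration'
(assumed name; check what your tool writes).
"""
import configparser
from datetime import datetime, timedelta

# Constructed sample of an ~/.aws/credentials file; all values are placeholders.
SAMPLE_CREDENTIALS = """
[sts]
aws_access_key_id = ASIA-PLACEHOLDER
aws_secret_access_key = SECRET-PLACEHOLDER
aws_session_token = SESSION-TOKEN-PLACEHOLDER
aws_session_expiration = 2024-01-01T13:00:00+00:00
"""

# Temporary credentials always come as a triple; a profile missing the
# session token is either a long-lived key pair or a partial write.
REQUIRED = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")
EXPIRY_KEY = "aws_session_expiration"  # assumed key name


def _as_datetime(value):
    """Accept an ISO-8601 string or a timezone-aware datetime."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def profile_status(ini_text, profile, now, margin=timedelta(minutes=5)):
    """Return 'missing', 'incomplete', 'expired' or 'valid' for a profile.

    'expired' is reported once less than `margin` remains, so a caller
    re-authenticates before a long-running command would fail mid-way.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    if not cfg.has_section(profile):
        return "missing"
    section = cfg[profile]
    if any(not section.get(key) for key in REQUIRED) or not section.get(EXPIRY_KEY):
        return "incomplete"
    remaining = _as_datetime(section[EXPIRY_KEY]) - _as_datetime(now)
    return "valid" if remaining > margin else "expired"


def needs_login(ini_text, profile, now):
    """True when aws-google-auth should be run again before using the profile."""
    return profile_status(ini_text, profile, now) != "valid"
```

Pass the real file contents and the current UTC time to needs_login and run the login command only when it returns True.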