Exploring the aws-google-auth Command-line Tool (with examples)
Introduction
The aws-google-auth command-line tool obtains temporary AWS credentials from the AWS Security Token Service (STS) by logging in to Google Workspace (formerly G Suite / Google Apps) and presenting the resulting SAML assertion to AWS, so Google acts as the federated Single Sign-On (SSO) identity provider. No long-lived IAM access keys are involved: the tool performs the Google login itself, calls AssumeRoleWithSAML, and writes the short-lived key, secret and session token to a profile in the AWS credentials file. This article walks through several use cases of the aws-google-auth command, with the motivation for each, an explanation of every argument, and the expected output.
Use Case 1: Log in with Google SSO and set credentials duration
Code:
aws-google-auth -u example@example.com -I $GOOGLE_IDP_ID -S $GOOGLE_SP_ID -d 3600
Motivation:
This use case is the basic login: authenticate to AWS through Google SSO and choose how long the resulting temporary credentials stay valid. The credentials land in plaintext in ~/.aws/credentials, so their lifetime is the window in which a stolen copy is useful; one hour (3600 seconds) keeps that window short while sparing you a re-login every few minutes. The value cannot exceed what the assumed IAM role permits (its MaxSessionDuration, 1 hour unless raised), so a longer -d only works if the role was configured for it.
Explanation:
-u example@example.com
: The Google account (email address) to authenticate as. The tool also reads it from the GOOGLE_USERNAME environment variable when the flag is omitted.
-I $GOOGLE_IDP_ID
: The Identity Provider (IdP) ID Google assigned to your organisation's SAML identity provider. It is the idpid parameter in the SSO URL shown for the SAML app in the Google admin console.
-S $GOOGLE_SP_ID
: The Service Provider (SP) ID of the AWS SAML app you created in the Google admin console (the spid parameter in the same SSO URL). It selects which app, and therefore which AWS trust relationship, the assertion is issued for; it is not the AWS account ID.
-d 3600
: Lifetime in seconds of the temporary credentials. STS accepts 900 to 43200 seconds for AssumeRoleWithSAML, and the selected role's MaxSessionDuration caps it further; requesting more than the role allows makes the AssumeRoleWithSAML call fail.
Example Output:
The tool prompts at the terminal for the Google password and any second factor the account enforces, assumes the SAML role, and writes the access key, secret key and session token to the profile chosen with -p/--profile in ~/.aws/credentials. Those credentials are valid for 3600 seconds; after that, AWS API calls with the profile fail and the command must be run again.
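Two checks a practitioner wants around this use case are "is the -d value one the role can actually grant?" and "how long are the credentials I already have still good for?". The block below is an added example, not code from the aws-google-auth project: it validates a requested duration against the STS limits and a role's MaxSessionDuration, and reads the expiry of a profile that aws-google-auth wrote. The profile text is constructed, the key values are placeholders, and the aws_session_expiration key name and its timestamp format are assumptions about the tool's output, so adjust them if your version writes something different.

```python
# Added example, not part of the aws-google-auth project: sanity-check a
# requested -d value and inspect the expiry of credentials the tool wrote.
import configparser
from datetime import datetime, timezone

# AssumeRoleWithSAML accepts DurationSeconds from 15 minutes to 12 hours;
# the role's own MaxSessionDuration (default 1 hour) caps it further.
STS_MIN_DURATION = 900
STS_MAX_DURATION = 43200

# Assumption: aws-google-auth stores the expiry under this key in this
# strftime format. Adjust if your version writes something different.
EXPIRATION_KEY = "aws_session_expiration"
EXPIRATION_FORMAT = "%Y-%m-%dT%H:%M:%S%z"


def check_duration(seconds, role_max_session=3600):
    """True if STS could honour `seconds` for a role with the given max."""
    return STS_MIN_DURATION <= seconds <= min(STS_MAX_DURATION, role_max_session)


# Constructed sample of a profile in ~/.aws/credentials; the values are
# placeholders, not real keys.
SAMPLE_CREDENTIALS = """\
[sts]
aws_access_key_id = ASIAEXAMPLEEXAMPLEEX
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret1
aws_session_token = EXAMPLEsessiontoken
aws_session_expiration = 2024-01-01T13:00:00+0000
"""


def _parse_ts(value):
    return datetime.strptime(value, EXPIRATION_FORMAT)


def seconds_remaining(ini_text, profile, now=None):
    """Seconds until the profile's STS credentials expire (negative if expired).

    `now` may be omitted (current UTC time) or given in EXPIRATION_FORMAT so
    the check is reproducible.
    """
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    expiration = _parse_ts(parser[profile][EXPIRATION_KEY])
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)
    return int((expiration - now).total_seconds())


def needs_refresh(ini_text, profile, now=None, margin=300):
    """True if the credentials are expired or expire within `margin` seconds."""
    return seconds_remaining(ini_text, profile, now) <= margin


if __name__ == "__main__":
    # Typical pre-flight: refuse a duration the role cannot grant, then
    # report how long the stored credentials are still good for.
    for requested in (3600, 7200):
        print(requested, "ok" if check_duration(requested) else "exceeds role max")
    print(seconds_remaining(SAMPLE_CREDENTIALS, "sts", "2024-01-01T12:00:00+0000"))
```

In a wrapper script, call needs_refresh before running anything with the profile and only re-run aws-google-auth when it returns True; that keeps the number of Google logins (and second-factor prompts) to the minimum the chosen -d implies.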
Use Case 2: Prompting for the SAML role to use
Code:
aws-google-auth -u example@example.com -I $GOOGLE_IDP_ID -S $GOOGLE_SP_ID -d 3600 -a
Motivation:
The SAML assertion Google issues can carry several AWS roles (the Role attribute lists one role ARN and SAML provider ARN pair per entitlement). Each role is a different set of permissions, often in a different account, so forcing the prompt lets the user deliberately pick the least-privileged role that fits the task instead of silently reusing whichever role was chosen last time.
Explanation:
-a
: Always prompt the user to choose from the roles listed in the SAML assertion (long form --ask-role). Without it, pass -r/--role-arn to select a role non-interactively, or let the tool fall back to the role it used before.
Example Output:
The tool lists the available SAML roles for the user to select from, and upon selection, the user is authenticated and STS credentials are generated for the specified duration.
Use Case 3: Resolving aliases for AWS accounts
Code:
aws-google-auth -u example@example.com -I $GOOGLE_IDP_ID -S $GOOGLE_SP_ID -d 3600 -a --resolve-aliases
Motivation:
Role ARNs name their account only by the 12-digit account ID, so a prompt full of arn:aws:iam::123456789012:role/Admin entries is easy to misread when several accounts are offered. With --resolve-aliases the tool queries AWS for each account's alias (the friendly name set in the IAM account settings) and shows it next to the role, so you choose between, say, prod and sandbox by name rather than by ID.
Explanation:
--resolve-aliases
: Look up the account alias for each account that appears in the role list and display it alongside the role. This costs extra AWS API calls per account, and an account that has no alias is still shown by its ID.
Example Output:
The role prompt shows each available role labelled with its account alias (or the raw account ID where no alias exists). After the user selects a role, authentication completes and STS credentials valid for the requested duration are written to the profile.
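Use cases 2 and 3 both come down to reading the Role attribute of the SAML assertion and presenting its entries in a way a human can choose between. The block below is an added example and not aws-google-auth's own code: it parses a constructed assertion (not a real Google response), extracts the (role ARN, SAML provider ARN) pairs, rejects malformed values, reads the optional SessionDuration attribute, and labels each account with an alias. The alias lookup that --resolve-aliases performs against AWS is replaced here by a constructed dictionary so the example runs offline; the ARNs, account IDs and alias names are placeholders.

```python
# Added example, not aws-google-auth's own code: extract the roles a SAML
# assertion offers (what the -a prompt lists) and label their accounts with
# aliases (what --resolve-aliases fetches from AWS; here a constructed map).
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"
DURATION_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed sample assertion (not a real Google response). AWS expects each
# Role value as "<role ARN>,<saml-provider ARN>" and accepts either order.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/GoogleApps</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/GoogleApps,arn:aws:iam::222222222222:role/ReadOnly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""
# Google posts the response base64-encoded in the SAMLResponse form field.
SAMPLE_ASSERTION_B64 = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()


def _attribute_values(document, name):
    """Yield the AttributeValue texts of the SAML attribute called `name`.

    `document` may be raw XML or the base64 form posted by the IdP.
    """
    if not document.lstrip().startswith("<"):
        document = base64.b64decode(document).decode()
    root = ET.fromstring(document)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            for value in attr.iterfind("saml:AttributeValue", SAML_NS):
                yield (value.text or "").strip()


def account_id(arn):
    """The 12-digit account ID is the fifth colon-separated ARN field."""
    return arn.split(":")[4]


def parse_roles(document):
    """Return (role_arn, provider_arn) pairs, rejecting malformed values."""
    pairs = []
    for text in _attribute_values(document, ROLE_ATTRIBUTE):
        parts = [p.strip() for p in text.split(",")]
        role = next((p for p in parts if ":role/" in p), None)
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        if len(parts) != 2 or role is None or provider is None:
            raise ValueError(f"malformed Role attribute value: {text!r}")
        if account_id(role) != account_id(provider):
            raise ValueError(f"role and provider in different accounts: {text!r}")
        pairs.append((role, provider))
    return pairs


def session_duration(document):
    """SessionDuration the IdP asserted, or None if absent."""
    values = list(_attribute_values(document, DURATION_ATTRIBUTE))
    return int(values[0]) if values else None


def describe_roles(pairs, aliases):
    """Prompt lines in the form 'alias-or-account-id: RoleName'."""
    return [f"{aliases.get(account_id(role), account_id(role))}: {role.split('/')[-1]}"
            for role, _provider in pairs]


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_ASSERTION_B64)
    print("SessionDuration:", session_duration(SAMPLE_ASSERTION_B64))
    # Only account 111111111111 has an alias; the other stays as a bare ID.
    for index, line in enumerate(describe_roles(roles, {"111111111111": "prod"})):
        print(f"[{index}] {line}")
```

The account check in parse_roles matters because AssumeRoleWithSAML requires the SAML provider and the role to live in the same account; a mismatched pair is a misconfigured Google app, not a role the user can actually assume, and is better refused at the prompt than at the STS call.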
Use Case 4: Viewing help information
Code:
aws-google-auth -h
Motivation:
When using a new tool or unfamiliar command, it is essential to access the help information to understand the available options, arguments, and their functionalities.
Explanation:
-h
: Prints the usage message for the aws-google-auth command (long form --help): every option with its short and long spelling, its default, and the environment variable it can be read from, then exits without authenticating.
Example Output:
The tool provides a detailed overview of the available options, arguments, and their usages.