CLI login to AWS using OpenID Connect
Log in to AWS using OpenID Connect
The aim of this project is to provide a general-purpose CLI OIDC login for AWS with a limited set of trusted dependencies.
Tested with Azure AD. Your mileage may vary with other providers, please let us know!
Setup (Azure AD example)
- Create an Azure AD App
  - Set the public client reply URL to http://localhost
  - Add an appRole (may be unnecessary)
  - Add user(s) to the role (to the app)
- Create an AWS OIDC identity provider
  - The provider (authority) URL will be https://login.microsoftonline.com/<AAD tenant id>/oauth2/v2.0
  - Add your AAD app client id as the audience
- Create a web identity role with the permissions you'd like
  - Edit the trust relationship of the role to allow role assumption only with tokens issued by AAD for your app (check the audience, and optionally the subject, in the policy condition)
- Add parameters under a suitable profile in ~/.aws/config:
  - Add your application id (client id) from the AAD app
  - Add your AAD tenant id
oidc_authority_url=https://login.microsoftonline.com/<AAD tenant id>/oauth2/v2.0
oidc_client_id=<id of your AAD app>
oidc_role_arn=<ARN of the role you are assuming on AWS>
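The setup steps above leave the two security-critical pieces as prose: the trust relationship on the web identity role, and the profile in ~/.aws/config. The following is an added example (not code from aws-oidc-login) that generates both and checks the profile for the three oidc_* keys the README lists. The tenant id, client id, account id and role name are constructed placeholders; the condition-key layout (provider URL without the scheme, followed by :aud / :sub) and the oidc-provider ARN form are the standard AWS conventions for OIDC federation.

```python
import configparser
import io
import json
from urllib.parse import urlparse

# Constructed placeholder values; substitute your own tenant, app and account.
AUTHORITY_URL = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
AWS_ACCOUNT_ID = "123456789012"
ROLE_NAME = "aad-oidc-login"
REQUIRED_KEYS = ("oidc_authority_url", "oidc_client_id", "oidc_role_arn")


def provider_name(authority_url: str) -> str:
    """AWS names an OIDC provider by its URL without the scheme.

    That string is both the tail of the provider ARN and the prefix of the
    condition keys (<provider>:aud, <provider>:sub) used in trust policies.
    """
    parsed = urlparse(authority_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("OIDC provider URL must be an https URL")
    return parsed.netloc + parsed.path.rstrip("/")


def provider_arn(account_id: str, authority_url: str) -> str:
    return f"arn:aws:iam::{account_id}:oidc-provider/{provider_name(authority_url)}"


def trust_policy(account_id: str, authority_url: str, client_id: str, subjects=None) -> dict:
    """Trust policy for the web identity role.

    Only tokens from this provider whose audience is your AAD app's client id
    may assume the role. Passing `subjects` additionally pins the `sub` claim,
    so not every user who can sign in to the app gets the role.
    """
    name = provider_name(authority_url)
    equals = {f"{name}:aud": client_id}
    if subjects:
        equals[f"{name}:sub"] = list(subjects)  # a list in StringEquals means "any of"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account_id, authority_url)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": equals},
        }],
    }


def _section_name(profile: str) -> str:
    # ~/.aws/config names every non-default profile "profile <name>".
    return "default" if profile == "default" else f"profile {profile}"


def aws_config_section(profile: str, authority_url: str, client_id: str, role_arn: str) -> str:
    """Render the ~/.aws/config profile the README asks for."""
    cfg = configparser.ConfigParser()
    cfg[_section_name(profile)] = {
        "oidc_authority_url": authority_url,
        "oidc_client_id": client_id,
        "oidc_role_arn": role_arn,
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def missing_oidc_keys(config_text: str, profile: str = "default") -> list:
    """Return the oidc_* keys absent from the given profile (empty list = complete)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    section = _section_name(profile)
    if section not in cfg:
        return list(REQUIRED_KEYS)
    return [k for k in REQUIRED_KEYS if k not in cfg[section]]


if __name__ == "__main__":
    role_arn = f"arn:aws:iam::{AWS_ACCOUNT_ID}:role/{ROLE_NAME}"
    print(json.dumps(trust_policy(AWS_ACCOUNT_ID, AUTHORITY_URL, CLIENT_ID), indent=2))
    print(aws_config_section("aad", AUTHORITY_URL, CLIENT_ID, role_arn))
```

Without the aud condition, any token issued by the same tenant for any app would satisfy the Federated principal, which is why the condition is not optional even though the provider itself lists the client id as an audience.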
Install aws-oidc-login
Clone this repo and run pip install aws-oidc-login inside it.
Run
The executable is called aol. Log in with the default profile by simply running aol, or specify a profile with aol [profile]. See aol -h for more options.
Download files
Source Distribution: aws-oidc-login-0.2.0.tar.gz (7.4 kB)
Built Distribution: aws_oidc_login-0.2.0-py2.py3-none-any.whl
Hashes for aws_oidc_login-0.2.0-py2.py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 5f63ed3a0fc0745749a78f8b92f3a09427e9a0444f672d4115a77dbf31f99680
MD5 | 802c04751c68fa8b53b2594c6538e5d9
BLAKE2b-256 | d1b1e97f06843890f755a7ea581f02e1a274a50ece38603f05c7835e20481cf8
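For a tool that handles login tokens, the published digests are worth checking before installation rather than trusting whatever pip resolved. The following is an added example (not part of the aws-oidc-login project) that compares a downloaded wheel against the digests listed above and emits a hash-pinned requirements line; the SHA-256 and MD5 check values in the test are the well-known digests of constructed input, not package data.

```python
import hashlib

# Digests published for the 0.2.0 wheel, copied from the table above.
WHEEL_NAME = "aws_oidc_login-0.2.0-py2.py3-none-any.whl"
PUBLISHED = {
    "sha256": "5f63ed3a0fc0745749a78f8b92f3a09427e9a0444f672d4115a77dbf31f99680",
    "md5": "802c04751c68fa8b53b2594c6538e5d9",
    # PyPI's BLAKE2b-256 is BLAKE2b with a 32-byte digest.
    "blake2b-256": "d1b1e97f06843890f755a7ea581f02e1a274a50ece38603f05c7835e20481cf8",
}


def digests(data: bytes) -> dict:
    """Compute the three digest types PyPI lists for a distribution file."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "blake2b-256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def verify(data: bytes, expected: dict) -> dict:
    """Return {algorithm: matched} for every listed algorithm we can compute."""
    actual = digests(data)
    return {alg: actual[alg] == digest.lower() for alg, digest in expected.items() if alg in actual}


def artifact_ok(data: bytes, expected: dict = PUBLISHED) -> bool:
    """Accept the file only if SHA-256 matches; MD5 is listed for compatibility and is not collision resistant."""
    return verify(data, expected).get("sha256", False)


def requirements_line(name: str, version: str, sha256: str) -> str:
    """A line for a requirements file installed with `pip install --require-hashes -r ...`."""
    return f"{name}=={version} --hash=sha256:{sha256}"


def verify_file(path: str, expected: dict = PUBLISHED) -> bool:
    with open(path, "rb") as f:
        return artifact_ok(f.read(), expected)


if __name__ == "__main__":
    print(requirements_line("aws-oidc-login", "0.2.0", PUBLISHED["sha256"]))
```

With the pinned line in a requirements file, pip refuses to install any file whose hash differs, which covers the case where the index serves a different build than the one whose digests were reviewed.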