SAML federated API access for AWS
Detailed description of the awssamlpy2 Python project
As part of AWS governance, and to strengthen the security of accounts and IAM users, it is recommended to use federated API access to AWS resources rather than hard-coding IAM access key IDs and secret keys in configuration files.
# Steps:
If this is the first time you are installing this Python package, use the following commands:
```
For Python2.x version: pip install awssamlpy2
For Python3.x version: pip install awssamlpy3
```
To upgrade this Python package to the latest version, use the following commands:
```
For Python2.x version: pip install awssamlpy2 --upgrade
For Python3.x version: pip install awssamlpy3 --upgrade
```
Create an "awssaml.properties" file in your home directory (~/awssaml.properties) as follows:
```
[UserProp]
aws-region=us-east-1
aws-outputformat=json
idpurl=https://<Your Company AWS SAML Domain>/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
```
Refer to mesh doc-111675 for the idpURL.
Create a "configure" file under the ~/.aws directory without filling in values for the access key and secret key. If you do not have one, don't worry: the package creates it automatically when the file is absent. Set the output and region fields as required. (Note that the AWS CLI itself reads its settings from ~/.aws/config; the "configure" file name shown here is the one this package works with.)
```
[default]
output = json
region = us-east-1
aws_access_key_id =
aws_secret_access_key =
```
The modules the package needs are declared as its dependencies. If some other package is still required, install the missing module named in the error you see, as follows:
- On Linux, `pip install <module>`, e.g. `pip install requests`
- On Windows, `easy_install <module>`, e.g. `easy_install requests`
Whenever you need SAML access to your AWS services, simply run:
```
aws-saml
```
It performs the following:
- Verifies your ~/.aws/configure file to set the appropriate region, or creates one if it is not present
- Prompts the user for the AD username/password and performs SAML authentication against our ADFS
  - NOTE: the username has to be in the format <domain><networkID>
- Based on the SAML response, prompts the user to choose one of the roles available on AWS for that user
- Then stores the temporary credentials created for the user (via the Amazon STS service) in the ~/.aws/credentials file, together with the STS session token
- Use API calls to work on AWS resources with those credentials. The credentials expire after the role's session duration (one hour by default for AssumeRoleWithSAML), so rerun aws-saml when calls start failing with an expired-token error
- The sample API call in the script lists the S3 buckets and is written in Boto2.x format
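The flow described in the list above, as an added example that is not code from the awssamlpy2/awssamlpy3 package: it decodes a SAMLResponse, collects the role/principal pairs from the AWS Role attribute, lets the user pick one, exchanges the assertion for temporary keys with STS AssumeRoleWithSAML and writes them to a credentials file. The SAML document and account ID are constructed for the example; the `saml` profile name, the function names and the 0600 file mode are my choices; and the ADFS login step (posting the username/password to idpurl and pulling the SAMLResponse form field out of the reply) is left out because it needs a live IdP. It is written for Python 3 with boto3, not the Boto2 calls the script itself uses.

```python
"""Added example (not awssamlpy2's own code, Python 3): what aws-saml does
once ADFS has returned a SAMLResponse. The HTTP login is omitted because it
needs a live IdP; the assertion below is constructed for the example."""
import base64
import configparser
import os
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed, unsigned SAMLResponse with two roles; a real one is signed and
# far longer. The account ID 123456789012 is a placeholder.
SAMPLE_SAML_RESPONSE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>networkID</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>""")


def parse_roles(saml_response_b64):
    """Return [(role_arn, principal_arn), ...] found in a base64 SAMLResponse.

    ADFS emits 'role,principal', but some IdPs reverse the order, so each
    half is classified by its ARN type instead of its position. The response
    comes from your own IdP over TLS; for untrusted XML use defusedxml.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                continue  # malformed value: skip rather than guess
            role = next((p for p in parts if ":role/" in p), None)
            principal = next((p for p in parts if ":saml-provider/" in p), None)
            if role and principal:
                pairs.append((role, principal))
    return pairs


def choose_role(pairs, index):
    """Select the (role, principal) pair the user numbered; reject bad input."""
    if not 0 <= index < len(pairs):
        raise ValueError("role index out of range")
    return pairs[index]


def assume_role_with_saml(role_arn, principal_arn, saml_response_b64, region="us-east-1"):
    """Trade the assertion for temporary keys. AssumeRoleWithSAML is an unsigned
    STS call, so no IAM access keys are needed: the assertion is the credential."""
    import boto3  # local import so the parsing helpers run without boto3
    sts = boto3.client("sts", region_name=region)
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=principal_arn, SAMLAssertion=saml_response_b64
    )
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


def write_credentials(path, profile, creds, region="us-east-1", output="json"):
    """Merge the temporary keys and session token into a credentials file and
    restrict it to the owner: the keys are short-lived but still secrets."""
    config = configparser.ConfigParser()
    config.read(path)  # silently ignores a missing file
    if not config.has_section(profile):
        config.add_section(profile)
    config.set(profile, "output", output)
    config.set(profile, "region", region)
    config.set(profile, "aws_access_key_id", creds["AccessKeyId"])
    config.set(profile, "aws_secret_access_key", creds["SecretAccessKey"])
    config.set(profile, "aws_session_token", creds["SessionToken"])
    directory = os.path.dirname(path)
    if directory:
        os.makedirs(directory, exist_ok=True)
    with open(path, "w") as fh:
        config.write(fh)
    os.chmod(path, 0o600)
    return path


def list_buckets(profile="saml"):
    """The page's sample call (S3 bucket listing) in boto3 form, via the profile written above."""
    import boto3
    session = boto3.Session(profile_name=profile)
    return [b["Name"] for b in session.client("s3").list_buckets()["Buckets"]]


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_SAML_RESPONSE)
    for i, (role, _) in enumerate(roles):
        print(f"[{i}] {role}")
    role, principal = choose_role(roles, int(input("Role number: ")))
    # With a real SAMLResponse from your IdP this yields live keys; STS rejects
    # the unsigned sample above, so the two lines below only work end to end
    # once the login step is wired in.
    creds = assume_role_with_saml(role, principal, SAMPLE_SAML_RESPONSE)
    print("wrote", write_credentials(os.path.expanduser("~/.aws/credentials"), "saml", creds))
```

Two points worth checking in your own copy of the flow: the role chooser should never default silently to the first (often most privileged) role when the prompt is empty, and the written credentials file should end up owner-only, since a world-readable ~/.aws/credentials hands the session token to any local process for the rest of its lifetime.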