Friday, 27 February 2015

What's a good way to obtain STS credentials with a SAML federated login via Okta for use in local command line tools?

The Amazon Web Services API provides the AssumeRoleWithSAML endpoint to allow a user to exchange a SAML assertion for a set of temporary API credentials from the AWS Security Token Service.


A SAML provider, like Okta, will generate a SAML assertion after a user logs into their web UI and Okta authenticates the user on that user's enterprise backend (e.g. enterprise LDAP).


Typically this assertion is then relayed from the user's browser onto another web service that accepts SAML assertions, the relying party, in order to authenticate the user to this third party (for example when using Okta federated login to enable a user to log into the AWS web console).


What is the best way to enable a federated user to authenticate with Okta, get an assertion, pass that assertion to STS and get back a set of temporary AWS API credentials that the user could then use with either the AWS command line tools, or with a local Python boto script?



  • Launch a web browser from a Python tool using the Python webbrowser module?

  • What's a fluid way to get an assertion from a web browser into a form usable by a command line tool?

  • Create a temporary ngrok tunnel to a locally running temporary webserver (e.g. an instance of flask or bottle) for Okta to redirect the user's web browser onto in order to deliver the assertion to some local code?

  • How does one typically bridge the world of an interactive web page and local command line tools?
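Whichever route delivers the assertion to local code, the exchange with STS described above can be sketched as follows. This is an added example, not part of the original post; the use of boto3, the `us-east-1` region, the function names and the constructed sample assertion are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample response (unsigned, fake account id), for offline parsing only.
SAMPLE_XML = (
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Assertion>'
    '<saml2:AttributeStatement><saml2:Attribute Name="%s">'
    '<saml2:AttributeValue>arn:aws:iam::111122223333:saml-provider/Okta,'
    'arn:aws:iam::111122223333:role/ReadOnly</saml2:AttributeValue>'
    '</saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>'
    '</saml2p:Response>' % ROLE_ATTR
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def roles_from_assertion(assertion_b64):
    """Return [(role_arn, principal_arn), ...] offered by a base64 SAMLResponse.

    Parsing here only selects a role; STS itself verifies the signature.
    """
    root = ET.fromstring(base64.b64decode(assertion_b64))
    pairs = []
    for attr in root.iterfind(".//saml2:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml2:AttributeValue", SAML_NS):
            arns = [a.strip() for a in (value.text or "").split(",")]
            # IdPs emit the two ARNs in either order, so classify by type.
            role = next((a for a in arns if ":role/" in a), None)
            principal = next((a for a in arns if ":saml-provider/" in a), None)
            if len(arns) == 2 and role and principal:
                pairs.append((role, principal))
    return pairs

def credentials_for(assertion_b64, role_arn, duration=3600):
    """Exchange the assertion for temporary credentials via AssumeRoleWithSAML."""
    import boto3  # assumption: boto3 installed; no AWS keys needed for this call
    offered = dict(roles_from_assertion(assertion_b64))
    if role_arn not in offered:
        raise ValueError("role is not offered by this assertion")
    sts = boto3.client("sts", region_name="us-east-1")  # region is an assumption
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=offered[role_arn],
        SAMLAssertion=assertion_b64, DurationSeconds=duration)
    # Keys: AccessKeyId, SecretAccessKey, SessionToken, Expiration.
    return resp["Credentials"]
```

The assertion is a bearer credential until it expires, so keep it out of logs, shell history and world-readable files while it moves from the browser to the tool.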




