I'm using Okta as my identity provider to get access to my AWS accounts. I can get links to log in to the default console page with the different roles which I have set up.
I want to be able to create deep links to specific pages in the AWS console. For example, a deep link to a CloudWatch dashboard for a specific account and role. Anyone with the appropriate permissions in Okta should be able to use this link to go directly to that page.
Is there an integration that provides this out of the box? Any docs that can help me set this up?
I initially thought this would be something super common and easy... All I have found is this blog post with expired links https://aws.amazon.com/blogs/security/how-to-use-saml-to-automatically-direct-federated-users-to-a-specific-aws-management-console-page/
You should be able to put your AWS console URL as urlEncoded_RelayState in the following:
https://{{oktaDomain}}/sso/idps/{{idpId}}?fromURI={{urlEncoded_IDPLoginURL?RelayState={{urlEncoded_RelayState}}}}
https://support.okta.com/help/s/article/SSO-into-SAML-app-with-RelayState-via-OpenID-Connect-Identity-Provider?language=en_US
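The tricky part of the URL shape in this answer is the two levels of encoding: the console URL is encoded once to become the RelayState value inside the IdP login URL, and that whole URL is encoded again to become the fromURI value. The following is an added example (not from the original post or from Okta) that builds such a link and decodes it back as a sanity check. The Okta domain, IdP id and app login URL are made-up placeholders; substitute your own.

```python
"""Build an Okta SSO deep link that lands a federated user on a specific AWS console page.

Added example, not from the original post. The URL shape follows the Okta
support article cited in the answer:
    https://{oktaDomain}/sso/idps/{idpId}?fromURI={urlEncoded(IDPLoginURL?RelayState={urlEncoded(consoleURL)})}
OKTA_DOMAIN, IDP_ID and AWS_APP_LOGIN_URL are assumed placeholder values.
"""
from urllib.parse import parse_qs, quote, urlsplit

OKTA_DOMAIN = "example.okta.com"          # assumed
IDP_ID = "0oa1example2IdpId3"             # assumed Okta IdP id
# Assumed: the Okta-hosted SAML login URL of the AWS app (the "IDPLoginURL").
AWS_APP_LOGIN_URL = "https://example.okta.com/app/amazon_aws/exk1example2AppId3/sso/saml"


def okta_deep_link(console_url: str,
                   okta_domain: str = OKTA_DOMAIN,
                   idp_id: str = IDP_ID,
                   app_login_url: str = AWS_APP_LOGIN_URL) -> str:
    """Return the two-level-encoded Okta URL for console_url.

    RelayState is encoded once so it survives as a single query value inside
    the app login URL; that whole URL is then encoded again so it survives as
    the single fromURI value. quote(..., safe="") also encodes '/', '?', '=',
    '&' and '#', which is what keeps the nesting unambiguous (console URLs
    route on the fragment after '#', so it must not be left bare).
    """
    inner = f"{app_login_url}?RelayState={quote(console_url, safe='')}"
    return f"https://{okta_domain}/sso/idps/{idp_id}?fromURI={quote(inner, safe='')}"


def recover_console_url(deep_link: str) -> str:
    """Undo the nesting: pull fromURI, then RelayState.

    parse_qs percent-decodes one level each time, so two passes recover the
    original console URL. Use this to check links before handing them out,
    or to inspect a link someone sent you.
    """
    from_uri = parse_qs(urlsplit(deep_link).query)["fromURI"][0]
    return parse_qs(urlsplit(from_uri).query)["RelayState"][0]


if __name__ == "__main__":
    target = ("https://console.aws.amazon.com/cloudwatch/home"
              "?region=us-east-1#dashboards:name=prod-api")
    link = okta_deep_link(target)
    print(link)
    assert recover_console_url(link) == target
```

The round-trip check matters because a link that was encoded only once still "works" for simple console paths but silently drops the fragment (the part after `#`) that a CloudWatch dashboard URL relies on.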
I have deployed a simple Cloud Run service with Flask and I want to limit access to logged-in users in GCP only.
I have set the "Require authentication" option and added the cloud.run.invoker permission to myself, but I can't access the webserver.
However, if I make a curl request with the Authorization Bearer in it, I can see the HTML of the page. What am I missing in order to see the page in the explorer? I know you could do this with a load balancer but I prefer not to.
My objective is to allow logged-in GCP users to access a page hosted in Cloud Run.
For this to work from the browser directly, you'll need to have an extension or something similar that will modify the HTTP request to add the header - much like what you're achieving with curl. This extension may be useful for your use-case.
This is mentioned in GCP documentation right here, just at the bottom of the page.
However, this is not ideal, and if you want to authenticate any user coming in from GCP (i.e. an internal user), refer to this doc. You can make use of Identity-Aware Proxy to create an internal app that any user logged in and given permissions through GCP is going to be able to access.
We’d like to build a custom AWS console for our company, geared to our company and needs - we already have the correct rules and permissions assigned to everyone, this is only a question of authentication. I’m not able to find a "Login with AWS" option - what’s the best way to use the existing login system and use those credentials with the JS SDK to make our own web console?
OAuth is the most common way to do this, but I can’t find it for AWS - GitHub, for instance has this https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/ which lets us build a custom Github dashboard.
I'm looking for a way to generate URLs/links to specific resources of a given account in the AWS console website.
For instance I want to link to the summary view of a given user in IAM.
The resource URL is the following:
https://console.aws.amazon.com/iam/home?#/users/user.name
All good, but how do I force the browser to authenticate in the correct AWS account?
As a hypothetical example:
https://account-name.console.aws.amazon.com/iam/home?#/users/user.name
On the other hand, knowing that sending the user to:
https://account-name.signin.aws.amazon.com/console/
will trigger the login process for the "account-name" account, how can I send the user to a specific part of the AWS console afterwards?
Thanks
Some examples that worked for me, if I use a real account number (or account alias), for the S3 and CloudFormation services. I didn't find official documentation that it works for every service, but try it.
https://0123456789.signin.aws.amazon.com/console/s3/?bucket=fake-bucket-0123456789
This redirects me to the S3 bucket named "fake-bucket-0123456789"
https://0123456789.signin.aws.amazon.com/console/cloudformation
This redirects me to CloudFormation
Add iam_user=true&account=<id>& right after ? and before # sign.
e.g.:
https://console.aws.amazon.com/iam/home?iam_user=true&account=111222333444#/users/user.name
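The two answers above use two different URL shapes: the account-prefixed sign-in page with a service path and query (S3, CloudFormation), and the plain console URL with `iam_user=true&account=<id>` inserted before the `#`. The following is an added example (not from either answer) that builds both. The account ids, alias and bucket name are made up, and the alias check is an approximation of the IAM alias rules, not a copy of them.

```python
"""Build AWS console deep links of the two shapes shown in the answers above.

Added example, not from the original posts. Account ids and resource names
are constructed. The two patterns are:
  1. https://{account}.signin.aws.amazon.com/console/{service}?{query}
     (the account-prefixed sign-in page, which logs you in and forwards you)
  2. https://console.aws.amazon.com/iam/home?iam_user=true&account={id}#...
     (extra query params inserted before the '#', so the fragment survives)
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# 12-digit account id, or an alias: lowercase letters, digits and hyphens,
# not starting or ending with a hyphen (approximation of the IAM alias rules).
ACCOUNT_RE = re.compile(r"^(\d{12}|[a-z0-9][a-z0-9-]{1,61}[a-z0-9])$")


def _check_account(account: str) -> str:
    if not ACCOUNT_RE.match(account):
        raise ValueError(f"not a 12-digit account id or a plausible alias: {account!r}")
    return account


def signin_deep_link(account: str, service_path: str, params=None) -> str:
    """Pattern 1: https://{account}.signin.aws.amazon.com/console/{service_path}?{params}"""
    _check_account(account)
    base = f"https://{account}.signin.aws.amazon.com/console/{service_path.lstrip('/')}"
    return f"{base}?{urlencode(params)}" if params else base


def with_query_params(url: str, extra: dict) -> str:
    """Insert extra query params before the fragment, keeping existing ones.

    Console URLs carry the real routing in the fragment (everything after
    '#'). Naive concatenation such as url + '&account=...' would put the
    parameters inside the fragment, where the sign-in page never sees them.
    """
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(extra)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def iam_user_deep_link(console_url: str, account_id: str) -> str:
    """Pattern 2: make the console sign in to account_id before routing."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be the 12-digit account id")
    return with_query_params(console_url, {"iam_user": "true", "account": account_id})


if __name__ == "__main__":
    print(signin_deep_link("123456789012", "s3/", {"bucket": "fake-bucket-123456789012"}))
    print(signin_deep_link("my-alias", "cloudformation"))
    print(iam_user_deep_link("https://console.aws.amazon.com/iam/home?#/users/user.name",
                             "111222333444"))
```

Whether the sign-in page honours the service path and query for every service is, as the first answer says, undocumented; the second pattern is the safer default for IAM-style URLs that route on the fragment.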
I'm a beginner to AWS and a bit confused regarding the AWS Cognito system.
I have an AWS Elasticsearch service behind a VPC. I'm trying to access the Kibana endpoint using AWS Cognito, but when I navigate to the login screen I see a blank page.
Is what I'm trying to do feasible, or do I need to VPN into the VPC first in order to get to the login screen? If so, how can I grant public users access to Kibana (without the trouble of a VPN)? Would a better solution be to have a reverse proxy point to Kibana and couple this with AWS Cognito? Thanks for your help.
Note: I'm using Elasticsearch 6.2
I had the same output while I was setting up the same setup but don't remember exactly which stage solved it.
At this stage it looks like you already set your access policy to use the Cognito role, otherwise you wouldn't end up on the Cognito login page (even though it's blank for now).
I would check the identity provider config on the Cognito User Pool App client settings:
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html#es-cognito-auth-identity-providers
It wasn't linked to a lack of access (i.e. no VPN) or a missing UI customization, and it's definitely achievable.
Let me know if you want me to look deeper into it.
EDIT: when I go directly to the domain URL of my Cognito pool (i.e. https://yourdomain.auth.your-region.amazoncognito.com) I still get a blank page. It's only when going to the protected application (Kibana) that the login page is filled in (probably linked to the above app client settings).
I created a wiki page in my GitHub Repo because I did this EXACT (Public ESS and Cognito) same thing over the last couple days. You can get the info HERE and I hope it helps clear things up!
My company provides me with federated access to AWS. By that I mean we go to a website where we log in with our SSO, which then allows us to pull up the AWS console (i.e. through a custom federation broker as described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
I can create instances (ec2) just fine through the UI. My question is, how can I get API credentials to use with aws cli?
In the IAM dashboard I don't see an option to create a credential set for myself.
Is this even something I can get to, or do they (=my it people) need to change something in the setup?
Thanks a bunch!
PS: to clarify, we're not going through OneLogin.
You can create a program to do this leveraging your credentials, your SSO config, and boto3.
Alternatively, I use this google chrome plugin: https://github.com/prolane/samltoawsstskeys/blob/master/README.md
Atlassian also released a tool recently to help solve this problem, and there are some other ones out there if you do some searching.
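What the browser plugin and the boto3 route in this answer have in common is the SAML-to-STS exchange: capture the base64 SAMLResponse your broker posts to the AWS sign-in endpoint, read the role/provider pairs from its Role attribute, and trade it for temporary keys with sts:AssumeRoleWithSAML. The following is an added example (not the poster's code and not any of the named tools) that does exactly that. The SAML response embedded in it is a constructed, unsigned stand-in with the attribute layout AWS expects; a real one must come from your IdP, and its signature is checked by STS, not by this script.

```python
"""Turn a SAML assertion from your federation broker into AWS CLI credentials.

Added example, not from the original answer. SAMPLE_SAML_RESPONSE is a
constructed, unsigned response used only to exercise the parsing; the
account id, role names and provider name are made up.
"""
import base64
import configparser
import os
import xml.etree.ElementTree as ET

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the part of a SAMLResponse that matters here.
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111122223333:role/Developer,arn:aws:iam::111122223333:saml-provider/CorpIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/CorpIdP,arn:aws:iam::111122223333:role/ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML).decode()


def list_roles(saml_response_b64: str) -> list:
    """Return (role_arn, principal_arn) pairs from the Role attribute.

    AWS accepts either order inside the comma-separated value, so the pair is
    normalised by which ARN contains ':role/'. The response is parsed with the
    stdlib parser because it comes from your own IdP; STS, not this code,
    verifies its signature when the assertion is exchanged.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter(f"{{{NS['saml']}}}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            a, b = (s.strip() for s in value.text.split(","))
            role, principal = (a, b) if ":role/" in a else (b, a)
            pairs.append((role, principal))
    return pairs


def assume_with_saml(saml_response_b64: str, role_arn: str, principal_arn: str,
                     duration: int = 3600, region: str = "us-east-1") -> dict:
    """Exchange the assertion for temporary keys (network call; needs boto3).

    No AWS credentials are needed for this call: the assertion is the
    credential. RoleSessionName is taken from the assertion by STS.
    """
    import boto3  # imported here so the offline parsing above works without it
    sts = boto3.client("sts", region_name=region)
    resp = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=principal_arn,
                                     SAMLAssertion=saml_response_b64,
                                     DurationSeconds=duration)
    return resp["Credentials"]


def write_profile(creds: dict, profile: str,
                  path: str = os.path.expanduser("~/.aws/credentials")) -> None:
    """Store the temporary keys as a named profile for `aws --profile <name>`."""
    cfg = configparser.ConfigParser()
    cfg.read(path)
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # keys are short-lived, but still keys


if __name__ == "__main__":
    for i, (role, principal) in enumerate(list_roles(SAMPLE_SAML_RESPONSE)):
        print(i, role)
    # Real use, with a SAMLResponse captured from the browser or obtained
    # programmatically from your IdP:
    #   roles = list_roles(response_from_idp)
    #   write_profile(assume_with_saml(response_from_idp, *roles[0]), "saml")
```

The keys this returns expire with the session duration, so whatever wraps this (cron, a login hook, a shell alias) has to re-run the exchange; that is the same lifecycle the plugin and Atlassian tool mentioned above manage for you.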