I was wondering if I could use AWS organisation and AWS SSO to provide access to AWS services to someone without an AWS account.
Is it possible using the above mentioned services or some other way?
AWS SSO could be used which would utilise the credentials of whatever Identity Provider you can connect to SSO i.e. OKTA/Active Directory etc.
With that setup an AWS account would not be provided as their access would be assumed through a permission set/role you create, and they can consume AWS services
https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html
Related
I'm working with developers who have recently moved over to Google Workspace for business communications. They are relying on Jenkins for build automation. They also have team-limited AWS console access, access to CloudWatch logs and SSH access to some EC2 development hosts running docker containers. We are considering using the Google account for federated sign-on to Jenkins and to AWS SSM Systems Manager, which will replace the SSH host access. Access will be restricted by team, so some form of group-management is important.
For the Jenkins access, I have followed this document to use Google federation and Amazon Cognito: https://www.tech-notes.net/jenkins-login-with-cognito-in-aws/
The groups can be added into AWS Cognito groups within the userpool and mapped into Jenkins oic-auth plug-in as "cognito:groups".
For the SSM Session Manager access, we could use identity federation for a Google login into the AWS account ... and then user IAM groups and IAM policies. However, we would already require groups management within the Cognito userpool (i.e. double the admin). So could either userpools provide the SSM access permissions? Or could the users present in IAM somehow be present for Cognito too?
We would also consider the alternative solution of not using Google federation if the AWS IAM user accounts could be mapped to log into Jenkins using AWS credentials ... but I can't see how this would work.
Many thanks.
We can leverage AWS services from within AWS infrastructure using the ACCESS_ID/ACCESS_SECRET or by assigning the IAM role.
What if I want to access the services from an instance outside of AWS. ex. DigitalOcean. I know that using the ACCESS_Key is not a good option. What is the recommended practice as an alternative to assigning the roles to EC2 instances
API calls to AWS go to public endpoints on the Internet. Therefore, they are accessible from anywhere on the Internet, not just within AWS.
Therefore, you should use the same method for connecting to AWS both inside AWS and outside AWS.
Using the Access Key and Secret Key as credentials is the correct method.
To assume an IAM Role, you must have an initial set of AWS credentials, so that AWS can confirm that you are entitled to assume the role. For example, an IAM User can provide their credentials to assume an IAM Role.
You can also assign an IAM Role to an Amazon EC2 instance. In this situation, the AWS service will automatically assume the role on behalf of the instance, and will provide the resulting credentials through the EC2 instance metadata service.
If you are using your own computer (not an Amazon EC2 instance), it is not possible to assign an IAM Role. Instead, use an Access Key + Secret Key. They should be stored in your ~/.aws/credentials file via the AWS CLI aws configure command. Never put actual credentials in your code files, since this can be a security risk (eg having credentials stored in GitHub).
AWS announced a new feature AWS IAM Anywhere that should help if you need to avoid using access/secret keys.
AWS Identity and Access Management (IAM) now enables workloads that
run outside of AWS to access AWS resources using IAM Roles Anywhere.
IAM Roles Anywhere allows your workloads such as servers, containers,
and applications to use X.509 digital certificates to obtain temporary
AWS credentials and use the same IAM roles and policies that you have
configured for your AWS workloads to access AWS resources.
and more here:
create a trust anchor where you either reference your AWS
Certificate Manager Private Certificate Authority (ACM Private CA) or
register your own certificate authorities (CAs) with IAM Roles
Anywhere. By adding one or more roles to a profile and enabling IAM
Roles Anywhere to assume these roles, your applications can now use
the client certificate issued by your CAs to make secure requests to
AWS and get temporary credentials to access the AWS environment.
AWS Announcement: https://aws.amazon.com/about-aws/whats-new/2022/07/aws-identity-access-management-iam-roles-anywhere-workloads-outside-aws/
User Guide:
https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html
My goal is to use Okta SSO integrated with AWS SSO to integrate all user Sign-in and permission management for AWS resources from the Okta, using accounts configured on Okta.
I also want it so that each user on Okta has their own Amazon Workspace Windows instance using their Okta credentials.
I currently have a Simple AD (Directory Service) configured on the AWS account, exclusively for Amazon Workspaces access.
Is this a possible goal that can be achieved using OKta, AWS SSO and Directory Service? After going through each of their documentations I am still not clear if these services have the capability to integrate this way.
Any Advice would be appreciated.
There are two topics in this question.
AWS SSO:
There is a standard integration in the AWS Documentation.
https://docs.aws.amazon.com/singlesignon/latest/userguide/okta-idp.html
AWS WorkSpaces:
You mentioned that you use currently SimpleAD, in case you want to switch the IdP for your WorkSpaces you should be aware that you need to re-provision the WorkSpaces. I've not as much experience with OKTA, but I think there are two options.
In case you've already a Active Directory you should be able to integrate it with WorkSpaces (AD Connector or AWS Managed AD with forest trust)
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_setup_trust.html
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html
In case there is no pre-existing AD, you should be able to sync the users with a AWS Managed AD.
https://help.okta.com/en/prod/Content/Topics/Directory/ad-agent-integrate-existing.htm
OKTA MFA integration for WorkSpaces:
https://aws.amazon.com/blogs/desktop-and-application-streaming/integrating-okta-mfa-with-amazon-workspaces/
How to setup multi-account(project) in GCP, it is possible in AWS by using assume-role, anyone knows how to do it in Google Cloud (GCP)?
I tried to explore AWS equivalent in GCP, but not able to find any document.
As documented, AssumeRole in AWS returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to.
In AWS you can create one set of long-term credentials in one account. Then you can use temporary security credentials to access all the other accounts by assuming roles in those accounts.
The equivalent of the above in GCP would be creating short-lived credentials for service accounts to impersonate their identities (Documentation link).
Accordingly, in GCP you have the “caller” and the “limited-privilege service account” for whom the credential is created.
To implement this scenario, first, use handy documentation on Service Accounts and Cloud IAM Permission Roles in GCP, as each account is a Service Account with specific role permissions, in order to understand how accounts work in GCP.
The link I posted above, provides detailed information on the flows that allow a caller to create short-lived credentials for a service account and the supported credential types.
Additionally, this link can assist you in visualizing and understanding the resource hierarchy architecture in GCP and give you examples on how to structure your project according to your organization’s structure.
The basic answer is "Service Roles". Limited-time service roles are available.
For assigning permissions across projects (but still in the same organization), you can create a custom role.
For letting any user assume the role of a service account, use the Service Account user role.
For limited-time authorization tokens, you have OAuth 2.0 for server-to-server calls, particularly with JWT where available.
Is there a way to interact with the AWS SSO service using the AWS-SDK?
https://aws.amazon.com/single-sign-on/
I am just looking for programmatic access to AWS SSO - with the AWS CLI or with the SDK or anything really.
Unfortunately there isn't. There is however an open issue on the AWS CLI for this - go there and upvote, that's probably the only way to make this happen.
https://github.com/aws/aws-cli/issues/3447
4/21/2021: Take a look at the AWS SSO documentation. There is now an API to manage permission sets and assigning them to users: https://docs.aws.amazon.com/singlesignon/latest/APIReference/welcome.html
Here's the blog on this feature that supports this API:
https://aws.amazon.com/blogs/security/use-new-account-assignment-apis-for-aws-sso-to-automate-multi-account-access/:
"AWS SSO recently added new account assignment APIs and AWS CloudFormation support to automate access assignment across AWS Organizations accounts. This release addressed feedback from our customers with multi-account environments who wanted to adopt AWS SSO, but faced challenges related to managing AWS account permissions. To automate the previously manual process and save your administration time, you can now use the new AWS SSO account assignment APIs, or AWS CloudFormation templates, to programmatically manage AWS account permission sets in multi-account environments.
With AWS SSO account assignment APIs, you can now build your automation that will assign access for your users and groups to AWS accounts. You can also gain insights into who has access to which permission sets in which accounts across your entire AWS Organizations structure."
I would like to share this tool that I did using docker. https://hub.docker.com/r/javiortizmol/aws_sso_magic
The image contains:
aws cli v2.
Python 3.9.
aws-sso-magic
Or just install it from pypi.org https://pypi.org/project/aws-sso-magic/