AWS Quicksight SSO with KeyCloak - amazon-web-services

I have been trying to set up AWS QuickSight SSO with Keycloak version 10.0.2. I have been following these three blogs and articles:
https://docs.aws.amazon.com/quicksight/latest/user/external-identity-providers-setting-up-saml.html
https://scandiweb.com/blog/sign-in-to-amazon-aws-using-saml-protocol-and-keycloak-as-identity-provider#:~:text=Amazon%20AWS%20Service%20Provider%20setup&text=2)%20Go%20to%20%E2%80%9CIAM%E2%80%9D,%E2%80%9D%20and%20then%20%E2%80%9CCreate%E2%80%9D.
and this
https://www.wolfe.id.au/2017/11/05/aws-user-federation-with-keycloak/
I am stuck at the step of creating AWS roles and mappers in Keycloak client settings:
kcadm.sh create clients/6c684579-51a1-4bdf-a694-d641199874d8/roles -r wolfeidau -s 'name=arn:aws:iam::981394234017:role/wolfeidau-admin,arn:aws:iam::981394234017:saml-provider/docker-keycloak'
null [Character ':' not allowed.]
How do I create AWS roles and mappers in Keycloak client settings?

Following this blog, I faced the same issue.
But I found another workaround that looks much better to me.
The solution is to create a "Hardcoded attribute" mapper instead of the "Role list" parameter along with creating a role. So I use the parameters below:
Protocol = saml
Name = Session Role
Mapper Type = Hardcoded attribute
Friendly Name = Session Role
SAML Attribute Name = https://aws.amazon.com/SAML/Attributes/Role
SAML Attribute NameFormat = Basic
Attribute value = arn:aws:iam::<aws account number>:role/<role-for-sso>,arn:aws:iam::<aws account number>:saml-provider/<saml-provider-name>

Looks like a recent Keycloak change. I have existing roles with a colon in the name, but the latest version won't let me create a new role with the colon in the name.
Workaround I applied:
Create the role name without a colon. I chose the format aws-accountNumber-RoleName.
Add a Role Name Mapper in your AWS client. Keycloak will accept a colon in the "New Role Name" field.
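Both answers end up sending AWS the same SAML attribute, so here is an added example (not code from either answer) that builds the Keycloak Admin REST API payloads for the two approaches: the hardcoded-attribute mapper from the first answer and the role-name mapper from the second, plus the RoleSessionName mapper AWS also requires. It validates the "role-arn,provider-arn" pair before emitting it. Account id, role name, provider name and the realm/client placeholders are assumptions; the mapper type ids and config keys are Keycloak's own.

```python
"""Keycloak SAML protocol-mapper payloads for AWS SSO.

Added example: this is not code from either answer. It builds the JSON that
the Keycloak Admin REST API and `kcadm.sh create clients/<id>/protocol-mappers/models -f`
accept, so no Keycloak role with a colon in its name is ever needed.
Account id, role and provider names below are constructed placeholders.
"""
import json
import re

# Attribute names AWS reads from the SAML assertion.
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# "<role-arn>,<provider-arn>", both in the same account (the role's trust
# policy names the provider, and a SAML provider is an in-account resource).
_ROLE_PAIR = re.compile(
    r"^arn:aws:iam::(?P<acct>\d{12}):role/[\w+=.@/-]+"
    r",arn:aws:iam::(?P=acct):saml-provider/[\w._-]+$"
)


def is_valid_role_value(value: str) -> bool:
    """True if `value` has the exact shape AWS expects in the Role attribute."""
    return _ROLE_PAIR.match(value) is not None


def aws_role_value(account_id: str, role_name: str, provider_name: str) -> str:
    """Build the Role attribute value and refuse to emit a malformed one."""
    value = (f"arn:aws:iam::{account_id}:role/{role_name},"
             f"arn:aws:iam::{account_id}:saml-provider/{provider_name}")
    if not is_valid_role_value(value):
        raise ValueError(f"not a valid AWS Role attribute value: {value!r}")
    return value


def _saml_mapper(name: str, mapper_type: str, config: dict) -> dict:
    return {"name": name, "protocol": "saml", "protocolMapper": mapper_type, "config": config}


def hardcoded_attribute_mapper(name: str, attr_name: str, value: str) -> dict:
    """First answer: a 'Hardcoded attribute' mapper, no Keycloak role involved."""
    return _saml_mapper(name, "saml-hardcode-attribute-mapper", {
        "attribute.name": attr_name,
        "attribute.nameformat": "Basic",
        "friendly.name": name,
        "attribute.value": value,
    })


def role_name_mapper(name: str, keycloak_role: str, new_role_name: str) -> dict:
    """Second answer: keep a colon-free role (e.g. aws-123456789012-Admin) in
    Keycloak and rewrite it on the wire. For a client role use 'clientId.roleName'."""
    return _saml_mapper(name, "saml-role-name-mapper",
                        {"role": keycloak_role, "new.role.name": new_role_name})


def session_name_mapper(user_property: str = "email") -> dict:
    """AWS also requires RoleSessionName; map a user property onto it."""
    return _saml_mapper("Session Name", "saml-user-property-mapper", {
        "user.attribute": user_property,
        "attribute.name": AWS_SESSION_NAME_ATTR,
        "attribute.nameformat": "Basic",
        "friendly.name": "Session Name",
    })


def aws_client_mappers(account_id: str, role_name: str, provider_name: str) -> list:
    """The minimal mapper set for one AWS role using the hardcoded-attribute approach."""
    value = aws_role_value(account_id, role_name, provider_name)
    return [hardcoded_attribute_mapper("Session Role", AWS_ROLE_ATTR, value),
            session_name_mapper()]


if __name__ == "__main__":
    # Placeholder account/role/provider. Write each mapper to a file and post it with:
    #   kcadm.sh create clients/<client-uuid>/protocol-mappers/models -r <realm> -f mapper.json
    for mapper in aws_client_mappers("123456789012", "quicksight-sso", "keycloak"):
        print(json.dumps(mapper, indent=2))
```

The validator deliberately rejects anything that is not exactly two ARNs in the same account separated by one comma; AWS silently fails the sign-in when the pair is malformed, and the validator is the cheap place to catch a typo before it reaches the assertion.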

Related

AWS EC2 | using Rusoto SDK: Couldn't find AWS credentials

I am trying to work with the new Instance Metadata Service Version 2 (IMDSv2) API.
It works as expected when I try to query the metadata manually as described on Retrieve instance metadata - Amazon Elastic Compute Cloud.
However, if I try to query for the instance tags it fails with error message:
Couldn't find AWS credentials in environment, credentials file, or IAM role
The tags query is done by the Rusoto SDK that I am using, which works when I set --http-tokens to optional as described on Configure the instance metadata options - Amazon Elastic Compute Cloud.
I don't fully understand why setting the machine to work with IMDSv2 would affect the DescribeTags request, as I believe it's not using the same API - so I am guessing that's a side effect.
If I try and do a manual query using curl (instead of using the SDK):
https://ec2.amazonaws.com/?Action=DescribeTags&Filter.1.Name=resource-id&Filter.1.Value.1=ami-1a2b3c4d
I get:
The action DescribeTags is not valid for this web service
Thanks :)
The library that I was using (Rusoto SDK 0.47.0) doesn't support fetching the credentials needed when the host is set to work with IMDSv2.
The workaround was to manually query for the IAM role credentials.
First, you get the token:
GET /latest/api/token
Next, use the token header "X-aws-ec2-metadata-token" with the value from the previous step:
GET /meta-data/iam/security-credentials
Afterwards, use the result from the previous query (and don't forget to set the token header), and query:
GET /meta-data/iam/security-credentials/<query 2 result>
This will provide the following data:
use serde::Deserialize;

// Shape of the JSON returned by GET /latest/meta-data/iam/security-credentials/<role>
#[derive(Debug, Deserialize)]
struct SecurityCredentials {
    #[serde(rename = "AccessKeyId")]
    access_key_id: String,
    #[serde(rename = "SecretAccessKey")]
    secret_access_key: String,
    #[serde(rename = "Token")]
    token: String,
}
Then what I needed to do was to build a custom credentials provider using that data (but this part is already lib specific).
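The three requests in the answer are plain HTTP, so here is an added example of the same flow in standard-library Python (not the answerer's Rusoto code): fetch a session token, list the instance-profile role, fetch its credentials, and parse them into a dataclass shaped like the Rust struct above. Two details worth getting right: the token endpoint needs a PUT with a TTL header, not a GET, and all three paths sit under /latest/. SAMPLE_CREDENTIALS is a constructed response so the parsing runs offline; nothing contacts IMDS at import time.

```python
"""IMDSv2 credential lookup with the standard library only.

Added example, not the Rusoto code from the answer. It performs the three
requests the answer describes (the token request is a PUT, not a GET, and
the paths live under /latest/), then parses the JSON into a dataclass like
the Rust struct above. SAMPLE_CREDENTIALS is a constructed response for
offline testing; nothing contacts IMDS at import time.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

IMDS = "http://169.254.169.254"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"

# Constructed sample of what /latest/meta-data/iam/security-credentials/<role> returns.
SAMPLE_CREDENTIALS = json.dumps({
    "Code": "Success", "LastUpdated": "2021-06-01T00:00:00Z", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "example-secret",
    "Token": "example-session-token", "Expiration": "2021-06-01T06:00:00Z",
})


@dataclass
class SecurityCredentials:
    access_key_id: str
    secret_access_key: str
    token: str
    expiration: datetime


def parse_utc(stamp: str) -> datetime:
    """IMDS timestamps look like 2021-06-01T06:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_credentials(body: str) -> SecurityCredentials:
    """Turn the credential document into a dataclass; refuse non-Success documents."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":  # e.g. "AssumeRoleUnauthorizedAccess"
        raise RuntimeError(f"IMDS credential document failed: {doc.get('Code')} {doc.get('Message', '')}")
    return SecurityCredentials(doc["AccessKeyId"], doc["SecretAccessKey"],
                               doc["Token"], parse_utc(doc["Expiration"]))


def needs_refresh(creds: SecurityCredentials, now: Optional[str] = None,
                  margin_seconds: int = 300) -> bool:
    """Instance-profile credentials rotate; refresh before they expire, not after."""
    current = parse_utc(now) if now else datetime.now(timezone.utc)
    return creds.expiration - current <= timedelta(seconds=margin_seconds)


def _imds(method: str, path: str, headers: dict, timeout: float = 2.0) -> str:
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def get_token(ttl_seconds: int = 21600) -> str:
    """Step 1: PUT /latest/api/token with a TTL header; the response body is the token."""
    return _imds("PUT", "/latest/api/token", {TTL_HEADER: str(ttl_seconds)})


def fetch_credentials() -> SecurityCredentials:
    """Steps 2 and 3 with the token attached. With http-tokens=required a missing
    or expired token is a 401, which is the failure the question ran into."""
    headers = {TOKEN_HEADER: get_token()}
    try:
        roles = _imds("GET", "/latest/meta-data/iam/security-credentials/", headers).split()
        if not roles:
            raise RuntimeError("no IAM instance profile attached to this instance")
        body = _imds("GET", f"/latest/meta-data/iam/security-credentials/{roles[0]}", headers)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise RuntimeError("IMDS rejected the call: token missing or expired (IMDSv2 required)") from err
        raise
    return parse_credentials(body)


if __name__ == "__main__":
    creds = fetch_credentials()
    # Never log the secret or session token; the key id is enough to confirm it worked.
    print(creds.access_key_id, "expires", creds.expiration.isoformat())
```

A custom credentials provider built on this should call needs_refresh() before every signing operation rather than caching the credentials for the life of the process; the token TTL (here six hours, the maximum) and the credential expiry are independent clocks.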

AWS Elasticsearch Kibana with Cognito - Missing role

Following this article to set up Cognito auth for AWS Elasticsearch.
https://aws.amazon.com/blogs/database/get-started-with-amazon-elasticsearch-service-use-amazon-cognito-for-kibana-access-control/
Getting an error:
Open Distro for Elasticsearch
Missing Role
No roles available for this user, please contact your system administrator.
Anybody knows why I could get it?
The crucial missing part was the below:
navigate to the Elasticsearch domain on your AWS Elasticsearch console page
After this, click on the "Actions" button -> "Modify master user"
Then select "Set IAM ARN as master user" and in the "IAM ARN" field, add the IAM role ARN "arn:aws:iam::<aws_account_id>:role/<My_cognito_auth_role_assigned_to_the_cognito_user_group>"
click Submit
If you have enabled Fine-Grained Access Control with your Elasticsearch domain, one of the assumed roles from the Amazon Cognito identity pool must match the IAM role that you specified for the Master User. Considering you have at least two existing IAM roles, one for the Master User and one for more limited users, this guide may help you.
Alternatively, you can configure the master user role to be the same as the Cognito authenticated role ARN.

Custom Domain on Cognito

I would like to set up a custom domain for Cognito (it's under App Integration -> Domain Name). I am trying to follow this: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html#cognito-user-pools-add-custom-domain-adding, but I am a little bit confused on step 3.
On step 3: To set up a custom domain name or to update its certificate, you must have permission to update Amazon CloudFront distributions. You can do so by attaching the following IAM policy statement to an IAM user, group, or role in your AWS account:
I need to "attach" a permission for Cognito to create a CloudFront distribution, but the documentation doesn't say how to do it.
I have created a role with a trust relationship for the Cognito ID... But it's still not able to create CloudFront... And no error message...

I'm trying to create a new user in IAM programatically

I'm new to programming. I need to figure out how I can create AWS users, roles and policies programmatically using code.
That task I'm after :
Create a User, Role and Policy
Assign Policy to the Role
Assign Role to the User
Set condition on the Role, that only Users with MFA can assume that Role
Configs should live in an S3 bucket
Configure a Lambda to check the user's role membership and output the result to an S3 bucket.
Just trying to figure out where do I start from ? I have a very limited programming experience (can do a bit of PHP).
I have an AWS account, created a user and gave him 'AdministratorAccess', and also have user keys for CLI access.
Should I be using 1) AWS CLI 2) PowerShell 3) AWS SDKs 4) AWS API?
Appreciate any help/direction to achieve the above.
Thanks
S
To programmatically create IAM roles you can use the AWS PHP SDK. Refer to the IAM Create User section in the SDK API reference for more details.
Aside from using language-specific AWS SDKs such as suggested by #Ashan, you can do so by using the AWS REST API with the following example request:
https://iam.amazonaws.com/?Action=CreateUser
&Path=/division_abc/subdivision_xyz/
&UserName=Bob
&Version=2010-05-08
&AUTHPARAMS
Source - CreateUser
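The answers point at the CreateUser call; the harder parts of the task list are the MFA condition on the role and what "assign role to user" means in IAM (the user gets permission to call sts:AssumeRole on the role, and the role's trust policy lets the account's principals do so). Here is an added example in Python with boto3, not the PHP SDK or the REST request from the answers, that builds those policy documents, wires them up, and includes the local "can this user assume the role" check a Lambda would run before writing its report to S3. The account id, user, role and bucket names are constructed placeholders; boto3 is imported only inside provision(), so the policy builders and the check run without credentials.

```python
"""Provision a user, an MFA-gated role and the policies that link them.

Added example in Python with boto3, instead of the PHP SDK or the raw
CreateUser request from the answers. boto3 is imported only inside
provision(), so the policy builders and the membership check run offline.
Account id, names and bucket below are constructed placeholders.
"""
import json
from typing import Iterable


def mfa_trust_policy(account_id: str) -> dict:
    """Trust policy for the role: principals in the account may assume it, but
    only with MFA. Bool (not BoolIfExists) means a missing MFA flag is a deny."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }]}


def assume_role_policy(role_arn: str) -> dict:
    """Inline policy for the user: the only permission is to assume that one role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def s3_config_policy(bucket: str) -> dict:
    """Managed policy for the role: read/write the config prefix, nothing else."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/config/*"},
    ]}


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def user_can_assume(policies: Iterable[dict], role_arn: str) -> bool:
    """'Role membership' in IAM terms: does any Allow statement in the user's
    policies grant sts:AssumeRole on this role? (What a Lambda would evaluate
    before writing its report to S3.)"""
    for doc in policies:
        for st in doc.get("Statement", []):
            if st.get("Effect") != "Allow":
                continue
            if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action"))):
                continue
            if any(r in (role_arn, "*") for r in _as_list(st.get("Resource"))):
                return True
    return False


def provision(account_id: str, user_name: str, role_name: str, bucket: str) -> str:
    """Real API calls; returns the new role's ARN. Needs IAM admin credentials."""
    import boto3  # deferred so the rest of the module works without boto3 installed
    iam = boto3.client("iam")
    iam.create_user(UserName=user_name)
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(mfa_trust_policy(account_id)))
    role_arn = role["Role"]["Arn"]
    managed = iam.create_policy(PolicyName=f"{role_name}-config-bucket",
                                PolicyDocument=json.dumps(s3_config_policy(bucket)))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=managed["Policy"]["Arn"])
    iam.put_user_policy(UserName=user_name, PolicyName=f"assume-{role_name}",
                        PolicyDocument=json.dumps(assume_role_policy(role_arn)))
    return role_arn


if __name__ == "__main__":
    print(provision("123456789012", "bob", "config-editor", "example-config-bucket"))
```

The trust policy uses the Bool operator on purpose: BoolIfExists would let a principal without any MFA context (for example an access key used directly) through, which is the opposite of "only users with MFA can assume that role". The local check is a simplified evaluator (no Deny statements, no groups, no conditions); for an authoritative answer a Lambda should call iam:SimulatePrincipalPolicy instead.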

AWS Cognito SMS Role : Cannot create or assign a new role

I am not able to get verification codes (SMS) on the mobile app. I deleted the role. I tried recreating the role in Cognito but it doesn't give any option to do so.
Error response while I create a new user:
"Role does not have trust relationship allowing cognito to assume the role"
On saving the verification settings on my Cognito (with the previous role ARN stuck in there) it says "Your roles are still being created"
Error while saving verification changes
I too faced the same issue. Let me share the method by which I solved it. It is not the optimal method, I think, but I hope it helps:
1) I had another Cognito user pool in which I hadn't created the SMS role, and under that user pool I created the SMS role with the same name as the SMS role I deleted (just to let AWS create the roles and policy by itself, and because I am lazy ;-)).
2) Under the newly created SMS role's trust relationship condition, I substituted the externalID with my main user pool's externalID.
You can get the externalID using aws cli.
aws cognito-idp describe-user-pool --user-pool-id <user-pool-id>
Or you can create an SMS service role with the same name, attach an SNS write policy to it and create a trust relationship with your Cognito user pool, to let it assume the role.
Hope it helps. Cheers.
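The error in the question ("Role does not have trust relationship allowing cognito to assume the role") is exactly what the ExternalId substitution in the answer fixes, so here is an added example (not the answerer's code) that builds the trust policy the SMS role needs, checks an existing role's trust policy and says why Cognito would be refused, and creates the role by hand as the answer's alternative suggests. The ExternalId comes from UserPool.SmsConfiguration.ExternalId in the describe-user-pool output; the role name, ExternalId values and the sample get-role response are constructed placeholders, and boto3 is imported only inside create_sms_role() so the checks run offline.

```python
"""Diagnose or build the trust policy for a Cognito user pool's SMS role.

Added example, not code from the answer. The ExternalId is the value of
UserPool.SmsConfiguration.ExternalId in `aws cognito-idp describe-user-pool`
output. Role names and ids below are constructed placeholders; boto3 is
imported only inside create_sms_role(), so the checks run offline.
"""
import json
import urllib.parse

COGNITO_SERVICE = "cognito-idp.amazonaws.com"

# Permission policy the role needs: Cognito sends the code through SNS.
SNS_PUBLISH_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sns:publish", "Resource": "*"}]}

# Constructed get-role response in the raw IAM API shape (URL-encoded JSON document).
SAMPLE_GET_ROLE_RESPONSE = {"Role": {"RoleName": "cognito-sms-role", "AssumeRolePolicyDocument": (
    "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C"
    "%22Principal%22%3A%7B%22Service%22%3A%22cognito-idp.amazonaws.com%22%7D%2C%22Action%22%3A"
    "%22sts%3AAssumeRole%22%2C%22Condition%22%3A%7B%22StringEquals%22%3A%7B%22sts%3AExternalId%22"
    "%3A%22ext-1%22%7D%7D%7D%5D%7D")}}


def sms_role_trust_policy(external_id: str) -> dict:
    """Trust policy letting the Cognito service assume the role, bound to one pool's ExternalId."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": COGNITO_SERVICE},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def trust_allows_cognito(policy: dict, external_id: str):
    """Return (allowed, reason). The reason is what to fix when the console says
    'Role does not have trust relationship allowing cognito to assume the role'."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if COGNITO_SERVICE not in services:
            continue
        expected = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected is None:
            return True, "allowed, but no ExternalId condition (any pool in any account could use this role)"
        if expected == external_id:
            return True, "ok"
        return False, f"ExternalId mismatch: policy has {expected!r}, pool uses {external_id!r}"
    return False, f"no Allow statement lets {COGNITO_SERVICE} call sts:AssumeRole"


def trust_policy_from_get_role(get_role_response: dict) -> dict:
    """boto3 returns AssumeRolePolicyDocument already decoded as a dict; the raw
    IAM API returns a URL-encoded JSON string. Accept both."""
    doc = get_role_response["Role"]["AssumeRolePolicyDocument"]
    return json.loads(urllib.parse.unquote(doc)) if isinstance(doc, str) else doc


def create_sms_role(role_name: str, external_id: str) -> str:
    """Real API calls: the hand-made role the answer mentions as an alternative. Returns the ARN."""
    import boto3  # deferred so the checks above work without boto3 installed
    iam = boto3.client("iam")
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(sms_role_trust_policy(external_id)))
    iam.put_role_policy(RoleName=role_name, PolicyName="cognito-sns-publish",
                        PolicyDocument=json.dumps(SNS_PUBLISH_POLICY))
    return role["Role"]["Arn"]


if __name__ == "__main__":
    # Placeholder ExternalId; take the real one from describe-user-pool.
    print(trust_allows_cognito(trust_policy_from_get_role(SAMPLE_GET_ROLE_RESPONSE), "ext-1"))
```

The ExternalId condition is not decoration: without it any Cognito user pool, including one in another account, could name your role as its SMS role and send through your SNS account (the classic confused-deputy case), which is why the checker reports a missing condition separately from a mismatch.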