Authentication for a custom AWS console - amazon-web-services

We’d like to build a custom AWS console for our company, geared to our company and needs - we already have the correct rules and permissions assigned to everyone, this is only a question of authentication. I’m not able to find a Login with AWS option - what’s the best way to use the existing login system and use those credentials with the JS SDK to make our own web console?
OAuth is the most common way to do this, but I can’t find it for AWS - GitHub, for instance, has this https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/ which lets us build a custom GitHub dashboard.

Related

Browser authentication for AWS SDK for JavaScript using IAM credentials

I have a simple shell script which issues several commands using awscli and displays information to the screen. It depends on having correct settings in ~/.aws/config and ~/.aws/credentials. I want to distribute it to about 10 users who have IAM accounts with limited privileges. However I don't want to use the shell - I want something cross-platform, easy to use for the users and easy for me to update. So I decided that I want to create a simple web application in JS instead, using the AWS SDK.
It seems that this use case is specifically supported by AWS, the first bullet point under "Common Use Cases" in What Is the AWS SDK for JavaScript? is "Build a custom console to AWS services in which you access and combine features across Regions and services to best meet your organizational or project needs" which exactly describes what I want to do.
The problem is that I can't find the relevant documentation on how to perform the user authentication. All the examples that I was able to find talk about some "Amazon Cognito" service and discuss much more complicated use cases, such as authenticating pools of external users through an external authentication provider and mapping them to IAM roles, which sounds too complicated for what I want to do. Is there a way to just authenticate the users that I have with their IAM user/password, and authorize them to access the AWS services based on their existing IAM permissions? Or is using Cognito, creating additional roles, etc. mandatory?
While writing this question I found out another question about AWS Amplify and now I'm even more confused. Is AWS Amplify what I would want to use?
You can write a web app using the AWS SDK for JavaScript that invokes various AWS Services. You do NOT need to use AWS Amplify to create a web app.
A Web application that uses the AWS SDK for JavaScript uses creds like any other AWS app. Here is an AWS tutorial that shows how to use the AWS SDK for JavaScript to write a basic web app that invokes the AWS SQS service. It will hopefully point you in the right direction.
Creating an example messaging application
This topic covers prerequisites and other information you need to know, such as creating the required AWS resources, to write a web app using the AWS SDK for JavaScript.
Also - the link you referenced was the JavaScript V2 DEV Guide. It's better to use the AWS JavaScript V3 DEV Guide.

Using AWS Cognito for desktop authentication

After quite a battle I have written a testing desktop app that allows a user to authenticate with AWS Cognito. I can allow AWS to handle the authentication, password storage, etc. This solves some issues - why reinvent the wheel?
Now my question is, I have various resources in the app that need granular permissions. How would I use Cognito to control access to non-AWS resources in my app?
I would recommend using a custom attribute since you mentioned non-AWS services. Create an attribute named customer:role with the value of ROLE_USER, ROLE_ADMIN and so on.
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-custom-attributes
Once they are authenticated in the app you can control their permissions by decoding the custom attribute. This tutorial is more for permissions with AWS services in a SaaS multi-tenant approach. However, I found it extremely useful to learn from.
https://aws-quickstart.s3.amazonaws.com/saas-identity-cognito/doc/saas-identity-and-isolation-with-cognito-on-the-aws-cloud.pdf
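Using the custom attribute the way the answer describes, as an added example that is not from the post: the app maps the attribute value carried in the user's Cognito ID token to its own permission set. It assumes the attribute is named custom:role (Cognito exposes custom attributes in tokens with the custom: prefix), constructed issuer and app-client values, and that the token's signature has already been verified against the user pool's JWKS before its claims reach this code.

```python
import time

# Constructed values; a real app takes these from its own user pool and app client.
USER_POOL_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"

# Application-side permission map keyed by the value of the custom attribute.
# This is the app's own data, not anything stored in Cognito.
ROLE_PERMISSIONS = {
    "ROLE_USER": {"jobs:read", "jobs:create"},
    "ROLE_ADMIN": {"jobs:read", "jobs:create", "jobs:delete", "users:manage"},
}


def validate_claims(claims, now=None):
    """Checks that belong after signature verification against the pool's JWKS:
    the token must come from our pool, be issued to our app client, be an ID
    token (Cognito access tokens do not carry custom attributes) and be unexpired."""
    now = time.time() if now is None else now
    if claims.get("iss") != USER_POOL_ISSUER:
        raise PermissionError("issuer mismatch")
    if claims.get("aud") != APP_CLIENT_ID:
        raise PermissionError("audience mismatch")
    if claims.get("token_use") != "id":
        raise PermissionError("not an ID token")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")


def permissions_for(claims):
    """Map custom:role to app permissions; a missing or unknown role gets nothing."""
    return set(ROLE_PERMISSIONS.get(claims.get("custom:role"), ()))


def authorize(claims, action, now=None):
    """True if the verified claims allow `action`; raises on an unacceptable token."""
    validate_claims(claims, now)
    return action in permissions_for(claims)
```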

Creating a new project in Google Cloud using python without service account credentials

I am aiming to do a pythonic automated Google Cloud project manager. Just testing a bunch of models of Tensorflow and stuff. Even when I can fully access training, deploying and testing models inside a project, I can't make any new projects since I am authenticated with a service account through:
google.oauth2.service_account.Credentials.from_service_account_file("thisisakey.json")
But as far as I understand, service accounts are project-bound so it's perfectly correct that creating a new project with it raises an error. In fact it does:
googleapiclient.discovery.build("cloudresourcemanager", "v1", cache_discovery=False)
Fails with:
Service accounts cannot create project without a parent.
So either creating/finding a "parent" for this project or logging in with a more "powerful" account could solve this. But I can't figure them out. Are there any other credential types to download and embed into python? Can I create a project from python? Everything I've checked about this is at least 2 years old and seems to be very outdated (back then projects were just not possible to create via APIs)
Update:
I've tried creating a project using the "parent" flag on the project's body, on the Organization of the company I work for, and even when this service account has "Owner" and "Organization Administrator" roles the create request fails with:
Encountered 403 Forbidden with reason "forbidden"
User is not authorized.
So the problem persists.
You can assign privileges to Service Accounts to do just about anything in Google Cloud. You have hit one of just a few that you cannot.
The problem is that your project is not part of an Organization (you have no parent). Your solution is to either set up Organizations or create your projects via the Google Cloud Console. Note: I do not recommend creating projects via software. You also need to set up billing in order to do anything useful.
There are two types of credentials with Google Cloud: User Credentials and Service Account Credentials. You cannot embed User Account Credentials into an application. User Account Credentials are created interactively as part of a login / authentication process using OAuth 2.0.
There are other types of access to cloud services such as API Keys, but these do not apply to your issue.
Quickstart Using Organizations

Automating third party access to AWS Resources

I'm currently creating an open source web interface for a very CPU intensive task that's making use of other open source projects. Because it is very simple and I want to keep it open source, I don't want to bother with a revenue scheme supporting it. My plan currently is to host the site in an S3 bucket and have some simple lambda functions managing the execution delegation to the client's AWS account.
My question is, is it possible to grant access to somebody's AWS account, similar to how it works with OAuth 2.0? In an ideal world, I'd like them to see a big "authorize" button redirecting them to AWS, listing the permissions and having a confirm or deny button. Trust issues aside, this is the only resource I could find and it looks quite cumbersome for somebody to authorize my app which in essence will only perform computations on their AWS EC2 account.
Actually, cross-account access using IAM roles is absolutely the best way to do this. The docs have all the info you would need. It can be very simple for your user. The setup instructions for Spotinst, a third-party AWS service provider, demonstrate how simple it can be. They have it in four steps:
1. Connect Spotinst to your Cloud Provider.
2. Click on the "Open template in CloudFormation" button and follow the instructions. Make sure not to refresh or leave this page until you save your credentials.
3. Paste the Role ARN that was created.
4. Click on the "Connect account" button.
If you try it out I think you'll find it to be even easier than adding OAuth to your service.
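What sits behind that "authorize" flow, as an added example that is not Spotinst's template or the answer's own material: the customer's CloudFormation template creates a role whose trust policy lets only the provider's account assume it, and only when the provider presents a per-customer ExternalId, which is the AWS-documented guard against one customer pointing the provider at another customer's role (the confused-deputy problem). The provider account id is a constructed placeholder, and the review function is something a customer can run over the trust policy of the role they are about to hand out.

```python
import secrets

# Constructed placeholder for the third-party service's own AWS account id.
PROVIDER_ACCOUNT_ID = "111111111111"


def new_external_id():
    """Unguessable value the provider generates once per customer connection."""
    return secrets.token_urlsafe(24)


def build_trust_policy(provider_account_id, external_id):
    """Trust policy for the role the customer's CloudFormation template creates.
    Only the provider's account may assume it, and only while presenting this
    customer's ExternalId, so another customer of the same provider cannot
    make the provider act against this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{provider_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy):
    """Review a role's trust policy (the document iam get-role returns) and list
    the weaknesses to fix before the role ARN is pasted into any third party."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        allows_assume = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not allows_assume:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", [])) if isinstance(principal, dict)
                          else _as_list(principal))
        if "*" in aws_principals:
            findings.append("principal allows any AWS account")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            findings.append("no sts:ExternalId condition")
    return findings
```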

API credentials as federated aws user?

My company provides me with federated access to AWS. By that I mean, we're going to a website where we log in with our SSO which then allows us to pull up the AWS console (i.e. through a custom federation broker as described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
I can create instances (ec2) just fine through the UI. My question is, how can I get API credentials to use with aws cli?
In the IAM dashboard I don't see an option to create a credential set for myself.
Is this even something I can get to, or do they (=my it people) need to change something in the setup?
Thanks a bunch!
PS: to clarify, we're not going through OneLogin.
You can create a program to do this leveraging your credentials, your SSO config, and boto3.
Alternatively, I use this Google Chrome plugin: https://github.com/prolane/samltoawsstskeys/blob/master/README.md
Atlassian also released a tool recently to help solve this problem, and there are some other ones out there if you do some searching.
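The core of the program the answer describes, as an added example that is not the answer's own code or the linked plugin: after the SSO login, the broker's SAMLResponse lists the roles the user may assume; the script picks one, exchanges the assertion for temporary keys with STS AssumeRoleWithSAML, and renders the profile that goes into ~/.aws/credentials. The assertion below is constructed, and the STS client is passed in so a boto3 client (`boto3.client("sts")`) or an offline fake can be used.

```python
import base64
import configparser
import io
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed assertion; a real one is the SAMLResponse form field the federation
# broker posts to https://signin.aws.amazon.com/saml after the SSO login.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Developer,arn:aws:iam::123456789012:saml-provider/CorpSSO</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpSSO,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()


def roles_from_saml_response(saml_response_b64):
    """(role_arn, principal_arn) pairs the assertion lets this user assume.
    AWS accepts the two ARNs in either order, so sort on the ':role/' marker."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            first, second = (s.strip() for s in value.text.split(","))
            pairs.append((first, second) if ":role/" in first else (second, first))
    return pairs


def credentials_profile(sts_client, saml_response_b64, role_arn, profile="saml"):
    """Exchange the assertion for temporary keys via AssumeRoleWithSAML and render
    the ~/.aws/credentials section the CLI reads. The keys expire with the role
    session, so this is rerun after each SSO login; no long-lived key is created."""
    principal_arn = dict(roles_from_saml_response(saml_response_b64))[role_arn]
    resp = sts_client.assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=principal_arn, SAMLAssertion=saml_response_b64)
    creds = resp["Credentials"]
    ini = configparser.ConfigParser()
    ini[profile] = {"aws_access_key_id": creds["AccessKeyId"],
                    "aws_secret_access_key": creds["SecretAccessKey"],
                    "aws_session_token": creds["SessionToken"]}
    out = io.StringIO()
    ini.write(out)
    return out.getvalue()
```

The returned text is appended to ~/.aws/credentials and used with `aws --profile saml ...`.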