Leaked or stolen AWS access keys are listed as one of the top three incident types for AWS security. Why not disable the use of permanent access keys in an AWS environment from the start? If an environment doesn’t have long life access keys, this security vulnerability is avoided. For this topic, we dive into short lived access keys for AWS using a SAML provider. At the end of the article you will be able to use a single line of AWS Powershell to generate a short lived access key.
AWS most common security incidents
Source: SummitRoute Security Roadmap
This post assumes you have set up a SAML identity provider (IdP) and IAM Roles with this SAML provider in its trust policy. For more information on SAML, please see the AWS documentation for enabling federation with ADFS AND Saml.
AWS Saml configuration example
Picture source: AWS SAML with Federated users
The AWS function that we are driving into today is Use-STSRoleWithSAML. AWS Powershell Documentation. The get-help -examples of this function don’t go into what exactly someone needs to get this function working. In fact it’s empty.
AWS Powershell use-stsrolewithsaml
Let’s figure out how to use it with the goal to make authenticating and creating a temporary key as easy as possible for an end user. .
Use-STSRoleWithSAML AWS PowerShell
This function has seven core parameters available. I will use three to create a temporary access key. With the function at the end of this post, these parameters will be generated by default.
Saml assertion is in layman’s terms the response from your saml provider. The amazon definition is: “The base-64 encoded SAML authentication response provided by the IdP.”
PrincipalArn in layman’s terms is the Provider ARN in AWS IAM under “Identity Providers”.
aws saml principalarn
RoleArn in layman’s terms is the Role ARN for the role that trusts the Identity Provider specified above
aws powershell rolearn iam
The good news: The code in this post generates these parameters. You will only need to find your SSO url for the Amazon console.
The url for SSO
The sso url for sts saml tokens contains three parts:
The Fully Qualified Domain Name (Fqdn) :: $adfshost in the function
The guts of the url :: /adfs/ls/IdpInitiatedSignon.aspx?LoginToRP=
And the relying party suffix :: most often urn:amazon:webservices
SSO URL Examples
Example 1: https://$ADFSHost/adfs/ls/IdpInitiatedSignon.aspx?LoginToRP=$RelyingParty
Example 2: https://$adfshost/idp/profile/SAML2/Unsolicited/SSO?providerId=$RelyingParty
Example 3: For other examples, google “inurl: urn:amazon:webservice”
aws saml urn example output
For this post you will use Get-awsTempCred.ps1 in the Aws_powertools repo.
Davidprowe github aws powershell saml credentials
If you use Microsoft ADFS and set up AWS to work with ADFS using the AWS instructions, the only line in this code will need to change is:
[string]$ADFSHost=‘adfs.domain.com” and enter your saml provider fqdn in the parameter.
get-stssamlcred aws powershell adfs saml
Load the functions into memory and try “Get-STSSAMLCred” out. Here are the ways I use them with my production environment. Please note, this method does not create access keys for the root account.
Setting the PowerShell host terminal window with a temporary access key:
Choose the role
aws powershell cli access key
aws powershell access key
Getting temporary access keys and tokens for profiles or third party applications like cloudmapper.
Get temporary credentials
aws powershell access key temporary
Test Saml logins with a different user account:
By default I have the script pull the domain and user running the PowerShell instance. To specify another user, use the -ChangeUser parameter
aws powershell access key user access
That’s it! One line of code to generate temporary access keys for AWS programmatic access!