How to make AssumeRolewithSAML calls with AWS CLI


Many organizations use SAML-based authentication to let their users access AWS and other services. SAML (Security Assertion Markup Language) is a standard for logging users into applications based on their sessions in another context. You can read about how SAML authentication works in the Auth0 article listed in the references.

In this blog, we will see how to use AssumeRoleWithSAML to obtain temporary security credentials for signing calls to AWS services.

AssumeRoleWithSAML request/response elements

Let's first look at the request parameters and response elements of the AssumeRoleWithSAML API.

AssumeRoleWithSAML request parameters are:

DurationSeconds

The duration, in seconds, of the role session. Your role session lasts for the duration that you specify in the DurationSeconds parameter.

You can provide a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session duration set by your administrator. By default, the value is set to 3600 seconds.

Policy

This is an optional parameter. It contains an IAM policy in JSON format that you want to use as an inline session policy. The resulting credentials can access only what this policy and the role's own permissions both allow.

PolicyArns.member.N

This is also an optional parameter. It lists the Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. You can provide up to 10 managed policy ARNs.

PrincipalArn

This contains the Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.

RoleArn

This contains the Amazon Resource Name (ARN) of the role that the caller is assuming.

SAMLAssertion

This is the base64-encoded SAML authentication response provided by the IdP.

AssumeRoleWithSAML response elements are:

AssumedRoleUser

The identifiers for the temporary security credentials that the operation returns.

Audience

The value of the Recipient attribute of the SubjectConfirmationData element of the SAML assertion.

Credentials

The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.

Issuer

The value of the Issuer element of the SAML assertion.

NameQualifier

A hash value based on the concatenation of the following:

  • The Issuer response value.
  • The AWS account ID.
  • The friendly name (the last part of the ARN) of the SAML provider in IAM.

PackedPolicySize

A percentage value indicating how much of the allowed packed size is used by the session policies and session tags passed in the request.

SourceIdentity

The value in the SourceIdentity attribute in the SAML assertion.

Subject

The value of the NameID element in the Subject element of the SAML assertion.

SubjectType

The format of the name ID, as defined by the Format attribute in the NameID element of the SAML assertion. Typical examples of the format are transient or persistent.


Using AssumeRoleWithSAML to get temporary access credentials

To get these temporary credentials, you will have to follow the steps listed below.

  • Open your web browser.
  • Go to Settings and select the Developer Tools option.
  • In the Network tab, filter the results for SAML.
  • Check the Preserve log checkbox so the entries survive the page redirections.
  • Authenticate yourself with your SAML credentials.
  • You should now see a SAML POST request in the Network tab.
  • Select the SAML request and open the Headers tab.
  • Scroll to the bottom of the Headers section until you see the SAMLResponse.
  • Copy the SAMLResponse value.
  • Paste the SAML response into a file named samlresponse.log in the current directory. Then substitute your values for role-arn and principal-arn in the following command and run assume-role-with-saml to request temporary credentials from STS (the output of the AWS CLI is piped into awk, which extracts the three credential fields):

aws sts assume-role-with-saml \
    --role-arn arn:aws:iam::ACCOUNTNUMBER:role/IAM_ROLE \
    --principal-arn arn:aws:iam::ACCOUNTNUMBER:saml-provider/SAML_PROVIDER \
    --saml-assertion file://samlresponse.log \
  | awk -F: '
      BEGIN { RS = "[,{}]"; print "[SAML-PROFILE]" }
      /:/ { gsub(/"/, "", $2) }
      /AccessKeyId/     { print "aws_access_key_id = " $2 }
      /SecretAccessKey/ { print "aws_secret_access_key = " $2 }
      /SessionToken/    { print "aws_session_token = " $2 }
  ' >> ~/.aws/credentials

This appends the credentials as a profile named SAML-PROFILE to the ~/.aws/credentials file.

If you display the content of this file, the new section contains the profile name, aws_access_key_id, aws_secret_access_key, and aws_session_token.

Run the AWS command get-caller-identity to verify the response:

aws sts get-caller-identity --profile SAML-PROFILE

This should show the expected role ARN and other details. You can now access any AWS resource that you have permissions for. The credentials remain valid only for the session duration, which is either the value you specified or the default.
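The following script is an added example and is not code from the original post. It wraps the walkthrough above in reusable functions: the STS JSON is parsed into a credentials profile (a variant of the awk step above that does not rely on a regex record separator), an existing section with the same profile name is removed before the new one is written so that re-running does not leave duplicate sections, and the result is verified with get-caller-identity. The DurationSeconds request parameter from the first section is exposed as an optional argument. It assumes the AWS CLI is installed and that the SAMLResponse has already been saved to a file; all ARNs, key IDs and tokens shown are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the assume-role-with-saml
# call from the walkthrough: writes the returned credentials to a named profile in
# the shared credentials file and verifies them with get-caller-identity.
# Assumes the AWS CLI is installed and the SAMLResponse is already saved to a file.

# Convert the JSON printed by `aws sts assume-role-with-saml --output json`
# (read from stdin) into the INI section that ~/.aws/credentials expects.
# Expiration, AssumedRoleUser and the SAML metadata fields are ignored.
saml_json_to_profile() {
    profile="$1"
    printf '[%s]\n' "$profile"
    # One "key": "value" pair per line, then strip quotes and padding from the value.
    tr ',{}' '\n\n\n' | awk -F: '
        /"AccessKeyId"/     { gsub(/[" \t]/, "", $2); print "aws_access_key_id = " $2 }
        /"SecretAccessKey"/ { gsub(/[" \t]/, "", $2); print "aws_secret_access_key = " $2 }
        /"SessionToken"/    { gsub(/[" \t]/, "", $2); print "aws_session_token = " $2 }
    '
}

# Print a credentials file with the named [profile] section removed, so that
# re-running does not leave two sections with the same name.
remove_profile_section() {
    awk -v profile="$1" '
        /^\[/ { skip = ($0 == "[" profile "]") }
        !skip { print }
    ' "$2"
}

# Live call: needs network access, a SAML provider and role in the account, and a
# fresh assertion. Arguments: role ARN, principal ARN, assertion file, profile name,
# and optionally DurationSeconds (defaults to 3600, the STS default).
assume_saml_role() {
    role_arn="$1"; principal_arn="$2"; assertion_file="$3"; profile="$4"
    duration="${5:-3600}"
    creds="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"

    json="$(aws sts assume-role-with-saml \
        --role-arn "$role_arn" \
        --principal-arn "$principal_arn" \
        --saml-assertion "file://$assertion_file" \
        --duration-seconds "$duration" \
        --output json)" || return 1

    # Rewrite the file through a mode-0600 temp file: old section out, new section in.
    tmp="$(mktemp)"
    [ -f "$creds" ] && remove_profile_section "$profile" "$creds" > "$tmp"
    printf '%s\n' "$json" | saml_json_to_profile "$profile" >> "$tmp"
    mkdir -p "$(dirname "$creds")" && mv "$tmp" "$creds"

    aws sts get-caller-identity --profile "$profile"
}

# Constructed sample of the STS response shape (placeholder values, not real keys),
# used so the parsing step can be exercised without calling AWS.
SAMPLE_STS_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FwoGZXIvYXdzEBYaDEXAMPLETOKEN==",
        "Expiration": "2030-01-01T12:00:00+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:user@example.com",
        "Arn": "arn:aws:sts::123456789012:assumed-role/SamlRole/user@example.com"
    },
    "Subject": "user@example.com",
    "SubjectType": "persistent",
    "Issuer": "https://idp.example.com/saml",
    "Audience": "https://signin.aws.amazon.com/saml",
    "NameQualifier": "EXAMPLEQUALIFIER"
}'

# Show what the parsing step produces for the constructed sample.
printf '%s\n' "$SAMPLE_STS_JSON" | saml_json_to_profile SAML-PROFILE
```

Source the file and call `assume_saml_role "$ROLE_ARN" "$PRINCIPAL_ARN" samlresponse.log SAML-PROFILE 900` for a 15-minute session. One check worth making before the call: the value you paste into samlresponse.log must be the base64 assertion itself, so if the browser shows the form field URL-encoded (for example `%3D` in place of `=`), copy the decoded view instead.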


Hey, readers! Thank you for sticking around till the end. If you have any questions or feedback regarding this blog, I am reachable at vidushi.bansal@knoldus.com. You can find more blogs on AWS here.

References:

https://auth0.com/blog/how-saml-authentication-works/

Written by 

Vidushi Bansal is a Software Consultant [Devops] at Knoldus Inc. She is passionate about learning and exploring new technologies.