AWS API Credentials Using OneLogin SAML and MFA

We want our users to be able to get a set of temporary CLI credentials for this AWS role by logging into OneLogin with a password and MFA. We have a working solution, but it requires the user to fully re-authenticate to OneLogin (including MFA) every 60 minutes, as the AWS temporary authority expires. I think it won’t fly - our users are accustomed to persistent API credentials tied to a real IAM user.

Ideally, we would like users to authenticate once a day, securely cache the received SAML statement, and use this to transparently update AWS API credentials as needed. I am thinking of something like aws-keychain, which will use the local OS credential store to remember the SAML statement and only ask the user for input when their OneLogin session is over.

It almost works as it is. The trick is that the SAML statement returned by the OneLogin saml_assertion and verify_factor sets a three-minute deadline for Subject and Conditions.

Is there a way to do what we want, or are we trying to circumvent the basic principle of SAML?

2 answers

We are officially adding an option to our official CLI tool to reuse user credentials similar to what you are describing.

Essentially, our CLI tool has the ability to reuse the user / password in the background to constantly update access information in the user profile, so when the user provides credentials once, the access information will be updated before it expires.

But, unfortunately, at least at this time, there is no way to bypass the MFA part if MFA is required by the application policy. Updating the credentials will require MFA.

If you have to have MFA, you can always use the OneLogin MFA API to bake an MFA flow into the tool ...

Take a look here: https://github.com/onelogin/onelogin-aws-cli-assume-role/pull/5


The accepted answer here is no longer true. Now you can authenticate the user and check the MFA once at the beginning of the session, and then update the session hourly without entering additional MFA tokens.

To do this, you must use the tool's --loop parameter and have the appropriate application policy in OneLogin, which includes the option "Skip if OTP is received in the last X minutes".

https://developers.onelogin.com/api-docs/1/samples/aws-cli

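As an added illustration of the two answers above (example code written for this page, not code from OneLogin's tool or the thread): the first function checks whether a cached SAML assertion is still inside its NotBefore/NotOnOrAfter window before it is handed to AssumeRoleWithSAML, and the second decides what a --loop style refresher should do on each tick given the STS expiry, the time of the last OTP and the "Skip if OTP received in the last X minutes" window. The assertion and all timings are constructed; the three-minute window mirrors the question.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MINUTE = timedelta(minutes=1)

# Constructed sample: bearer assertion with the 3-minute window from the question.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T10:03:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T09:57:00Z" NotOnOrAfter="2024-01-01T10:03:00Z"/>
</saml:Assertion>"""

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assertion_usable(xml_text, now, skew=timedelta(seconds=30)):
    """True only while both Conditions and SubjectConfirmationData are valid,
    with a clock-skew margin so we never present an assertion STS will reject."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if cond is None or scd is None:
        return False  # refuse to reuse an assertion that carries no explicit bounds
    not_before = cond.get("NotBefore")
    if not_before is not None and parse_ts(not_before) - skew > now:
        return False
    not_after = min(parse_ts(cond.get("NotOnOrAfter")), parse_ts(scd.get("NotOnOrAfter")))
    return now < not_after - skew

def next_action(now, sts_expiration, last_otp, otp_skip_window, margin=5 * MINUTE):
    """What a --loop style refresher should do on this tick."""
    if now + margin < sts_expiration:
        return "keep"                   # STS credentials still good, nothing to do
    if now - last_otp < otp_skip_window:
        return "refresh-without-otp"    # OneLogin policy lets us skip the OTP prompt
    return "reauth-with-otp"            # session too old: full login with MFA again
```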

Source: https://habr.com/ru/post/1011870/
