
I'm trying to get temporary STS credentials through a federated user via a corporate account. Corporate policy doesn't allow the use of IAM users and authentication is done through AD.

Using the AWS CLI, I am trying this, but receive an error:

aws sts assume-role --role-arn arn:aws:iam::<ID>:role/aws-service-role/ecs.amazonaws.com/<role> --role-session-name "Rolesession1" --external-id <federated user login> --debug

AWS Config:

[default]
region = us-east-1
output = json

[default]
aws_access_key_id =
aws_secret_access_key =
aws_session_token =

Stacktrace:

An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid. 2019-01-29 09:15:54,986 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255



2 Answers


Okay, I got this working. It's a two-step process for now.

  1. I used this code: Amazon Provided STS credential refresh. This will write your credentials to ~/.aws/credentials. Your username and password are what you log in to your corporate network with.
  2. You can now use the AWS CLI to access AWS APIs. This will also work with Ansible playbooks. You will need to look up the credentials from the ~/.aws/credentials file, either by putting them in a vars.yaml file or directly in your playbook like this:

     ec2_access_key: "{{ lookup('ini', 'aws_access_key_id section=saml file=~/.aws/credentials') }}"
     ec2_secret_key: "{{ lookup('ini', 'aws_secret_access_key section=saml file=~/.aws/credentials') }}"
     ec2_security_token: "{{ lookup('ini', 'aws_session_token section=saml file=~/.aws/credentials') }}"

answered 2019-02-08T14:26:33.407
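The answer above relies on the SAML tool having written a complete set of temporary STS credentials under a [saml] profile, while the question's [default] profile had empty keys. The following is an added example, not code from the answer or from the Amazon tool: it parses a constructed credentials file (placeholder values, no real keys) and audits each profile the way a practitioner would before running the CLI or an Ansible playbook, flagging empty values and any long-lived IAM user key (AKIA prefix) that the corporate policy forbids, while accepting the ASIA-prefixed temporary key the federation flow should produce. It assumes the three key names shown in the Ansible lookups.

```python
import configparser

# Constructed sample of ~/.aws/credentials: the empty [default] profile from the
# question plus a [saml] profile written by a federation tool. All values are
# placeholders, not real credentials.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id =
aws_secret_access_key =
aws_session_token =

[saml]
aws_access_key_id = ASIAEXAMPLEEXAMPLE01
aws_secret_access_key = constructedSecretKeyValue0123456789abcdefghij
aws_session_token = constructedSessionTokenValue//////////EXAMPLE
"""

# Key names assumed from the answer's Ansible ini lookups.
REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")


def load_credentials(text):
    """Parse credentials-file text. strict=False merges repeated section
    headers (the question's config had two [default] blocks) instead of raising."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(text)
    return parser


def audit_profile(parser, profile):
    """Return findings for one profile; an empty list means the profile holds a
    complete set of temporary (federated) credentials."""
    if not parser.has_section(profile):
        return [f"profile [{profile}] not found"]
    findings = []
    for key in REQUIRED_KEYS:
        if not parser.get(profile, key, fallback="").strip():
            findings.append(f"{key} is empty; the profile cannot sign STS requests")
    key_id = parser.get(profile, "aws_access_key_id", fallback="").strip()
    # AWS-documented prefixes: ASIA = temporary STS key, AKIA = long-lived IAM user key.
    if key_id.startswith("AKIA"):
        findings.append("aws_access_key_id is a long-lived IAM user key, not a federated STS key")
    return findings


def audit_all(text):
    """Audit every profile in the file; returns {profile: [findings]}."""
    parser = load_credentials(text)
    return {section: audit_profile(parser, section) for section in parser.sections()}


if __name__ == "__main__":
    for profile, findings in audit_all(SAMPLE_CREDENTIALS).items():
        print(f"[{profile}]: {'OK' if not findings else '; '.join(findings)}")
```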

You will need to configure SAML on your Active Directory (using ADFS) and federate AWS CLI through SAML.

This article gives step-by-step instructions on how to do it: https://aws.amazon.com/premiumsupport/knowledge-center/adfs-grant-ad-access-api-cli/

answered 2019-01-29T14:53:00.323