# token-krb5formauth-create
Attempts to obtain valid AWS session credentials from a SAML2 assertion after authenticating against a specified IDP-hosted form that requires Kerberos-based authentication (common in corporate and enterprise environments with federated login).

**Internal but useful for troubleshooting**

This AXE command is used internally to load identity profiles, which are then used to request API access. It is generally only useful when troubleshooting issues with an IDP.
## Command

```text
Basic script to provide AWS Session Tokens using Kerberos token in combination
with a form based IDP service/portal to generate valid SAML2 Response that can
be used for AWS API services

This script only works once Kerberos auth is correctly configured on the local
workstation. You can test this with

    'kinit user@REALM' - Attempt to auth
    'klist'            - List existing Kerberos tokens

Usage:
    axe-token-krb5formauth-create <aws_region> <saml_idp_url> <idp_params> <principal> <creds_file> [<token_duration>] [ options ]
    axe-token-krb5formauth-create ( -h | --help )

Arguments:
    aws_region      The AWS Region to auth against
    idp_params      A JSON dictionary of parameters that are needed for form
                    based authentication. A value of '<ask>' can be used to
                    trigger reading the value at runtime from the user. A value
                    of '<password>' can be used to trigger reading the value at
                    runtime securely
    saml_idp_url    The IDP/SAML URL that is used to trigger authentication
    principal       The identity to authenticate with in the form of user@REALM
    creds_file      The filename to store credentials in if successful
    token_duration  The duration in seconds that a requested token is valid for
                    from the time of successful authentication [default: 3600]

Options:
    --sslverify     Whether or not to validate the SSL cert from the SAML URL.
                    Generally not recommended for URLs using self-signed
                    certificates
    --debug         More verbose (usually debug) logging and output
```
## Example Usage

### Simple

```console
$ axe token-krb5formauth-create eu-west-1 'https://internal-idp-portal.company.org/idp/' idp_params.json
2016-07-08 16:04:40,143 DEBUG command-line options: <saml_idp_url>: https://internal-idp-portal.company.org/idp/startSSO.ping?PartnerSpId=urn:amazon:webservices
2016-07-08 16:04:40,143 DEBUG command-line options: <principal>: DUMMYUSER1@COMPANY.ORG
2016-07-08 16:04:40,143 DEBUG command-line options: <idp_params>: idp_params.json
2016-07-08 16:04:40,144 DEBUG Loaded payload: {u'form.pass': u'<password>', u'form.ok': u'clicked', u'form.username': u'DUMMYUSER1'}
2016-07-08 16:04:43,611 DEBUG Building HTTP session
2016-07-08 16:04:45,967 DEBUG Posting payload to https://internal-idp-portal.company.org/idp/QHWYR/resumeSAML20/idp/startSSO.ping
2016-07-08 16:04:46,133 DEBUG Found SAMLResponse
2016-07-08 16:04:46,158 DEBUG Allocated AWS Roles
```
## Notes

- If successful, a list of the available AWS IAM roles is presented, from which the user must select one to activate.
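As an added illustration (not code from the AXE project), the following Python sketches the two steps the debug output above walks through: resolving the `<ask>` and `<password>` placeholders in `idp_params` before the payload is posted, and extracting the list of AWS roles from the returned `SAMLResponse` that the user is then asked to choose from. The payload mirrors the logged one; the SAML document and account id are constructed samples, and the attribute name is the one AWS uses for role mapping.

```python
import base64
import getpass
import xml.etree.ElementTree as ET

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # AWS role-mapping attribute
SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def resolve_idp_params(params, ask=input, ask_secret=getpass.getpass):
    """Replace '<ask>' / '<password>' placeholders in the idp_params dict.
    '<password>' goes through getpass, so the secret is neither echoed nor stored in the JSON file."""
    resolved = {}
    for key, value in params.items():
        if value == "<ask>":
            resolved[key] = ask("%s: " % key)
        elif value == "<password>":
            resolved[key] = ask_secret("%s (hidden): " % key)
        else:
            resolved[key] = value
    return resolved


def aws_roles_from_saml_response(saml_response_b64):
    """Return (role_arn, provider_arn) pairs from a base64 SAMLResponse.
    Each AttributeValue is 'arn,arn' in either order, so classify rather than trust the position."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iter(SAML_NS + "Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for val in attr.iter(SAML_NS + "AttributeValue"):
            arns = [a.strip() for a in (val.text or "").split(",")]
            role = next(a for a in arns if ":role/" in a)
            provider = next(a for a in arns if ":saml-provider/" in a)
            roles.append((role, provider))
    return roles


# Constructed samples: hypothetical account id, not a real IDP response.
SAMPLE_PARAMS = {"form.username": "DUMMYUSER1", "form.pass": "<password>", "form.ok": "clicked"}
SAMPLE_SAML = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:AttributeStatement>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<saml:AttributeValue>arn:aws:iam::111122223333:role/ReadOnly,arn:aws:iam::111122223333:saml-provider/CorpIDP</saml:AttributeValue>
<saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/CorpIDP,arn:aws:iam::111122223333:role/Admin</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>""").decode()

if __name__ == "__main__":
    print(resolve_idp_params(SAMPLE_PARAMS))  # prompts for form.pass without echo
    for role, provider in aws_roles_from_saml_response(SAMPLE_SAML):
        print(role, "via", provider)
```

Each (role, provider) pair is what an `AssumeRoleWithSAML` call takes alongside the assertion, so the list returned here is the menu the Notes above describe.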