Using the AWS CLI to Get Temporary Credentials from the AssumeRoleWithSAML Operation

1. Install the AWS CLI

~$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
~$ sudo yum install unzip
~$ unzip awscliv2.zip
~$ sudo ./aws/install
~$ aws --version
or:
~$ /usr/local/bin/aws --version

2. AssumeRoleWithSAML Steps

2.1 Config file

~$ vi ~/.aws/config

contents:

[profile S3-ACCESS]
region = cn-north-1
output = json
~$ chmod 600 ~/.aws/config

2.2 Get the SAMLResponse

                                                
|<-----------在登录AWS前---------->|  |<-------登录-------------------------->|
F12 --> Network ---> Preserve log -----> saml ---> Form Data ---> SAMLResponse

2.3 Issue the assume-role-with-saml command

~$ aws sts assume-role-with-saml --role-arn arn:aws-cn:iam::112233445555:role/operator --principal-arn arn:aws-cn:iam::112233445555:saml-provider/PROVIDER --saml-assertion "PHNhb..." --profile S3-ACCESS
or:
~$ aws sts assume-role-with-saml --role-arn arn:aws-cn:iam::112233445555:role/operator --principal-arn arn:aws-cn:iam::112233445555:saml-provider/PROVIDER --saml-assertion file://SAMLResponse.log --profile S3-ACCESS

The response of this command looks like the following:

{
    "Credentials": {
        "AccessKeyId": "ASIAY4UYFBEQT5XDTDP3",   // ----------->  aws_access_key_id
        "SecretAccessKey": "3bzGbgJTX507nw5BlApJu0vjsXbl3Xksk4GyIuFT",   // -----------> aws_secret_access_key 
        "SessionToken": "IQoJb3JpZ2luX2VjECcaDmNuLW5vcnRod2VzdC0xIkgwRgIhALnx4VKCEgG78YQHSTSWLdlRgEBN5WCvXA9qiRV2JOG7AiEAkbaNivmJcfzkvLlyNYM5yclvOZg0jgd+V/lvewvQptoquAIIVBADGgw2MTEyNzgxOTQ5NzciDEnoiKxup74ettFfNiqVAoSgd0mCiIcilCpipPo1DiVZwPSkjAbr3zNnKiGN6YW3yIBCJ2VAxXOJH18tEVvrgKpir/mOlpNt44e1PbvgzPFQ5sBmOKCkJb4MmEVOJvOmtXr3u0wEbdIp/6sKv2Ua0t6lzK9bEn0L4rSZbx7DCZ0uxjyrrOf3kohtgBC58T0ZDqvuf3Sy0e01bNIwlGa3H/Aaq7yBZL4l9nA9eFAuWmx7RqtA8nF5YMu0mkV8Es40b/8KDv7RVhCXNT1kdGZCArvOr87ILvBFo/Tq/7FNQd9EM/1dHAKa7vrA2Z4AJMZPxoroZ3PCqy/BDXoiJPSsRHh6eE7ePTc4GTuR0OSWIN9K2WVP6aUJgAU/UNIz0tUUfMJyBZMw+sHE+AU64AEO2AyfbE3j2RxbGJSmhLy4xrgxYSPEf5LrFqIhz7v8V0XZh9jcmonTaMUR3hkk6m5DAcd0g1t3famnA/QbbcDxFbE926yPLUuCNEHkTgJahiSK4JcroIFve81MuObc2kjI2ST3YYSRO1197dhFAZ1CkdsLbX4NqJpAXkWAroUhFCuLFUynMFIukTUj3GICdId58CzMeYPDCgeEHkijbsWWDl1AUALTB2S5kSVxzgdRqx+dr5OMCl5V+Cc4gE06ie5z3s0wxHFuUE2SHonmg9mab4LJ/Cy0jcvYCmBXtZK0vg==",    // -----------> aws_session_token
        "Expiration": "2020-07-17T04:54:34+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAPGXDD5N7WB7K2NJXC:suo.li@microfun.com",
        "Arn": "arn:aws-cn:sts::112233445555:assumed-role/operator/suo.li@microfun.com"
    },
    "Subject": "suo.li@microfun.com",
    "SubjectType": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "Issuer": "https://sts.windows.net/4a7c19a3-8875-4889-afcb-65063e44dc5f/",
    "Audience": "https://signin.amazonaws.cn/saml",
    "NameQualifier": "DqCxreNmqRXPNA25ejJBl9B/qjY="
}

2.4 Credentials file

~$ vi ~/.aws/credentials
[S3-ACCESS]
aws_access_key_id = ASIAY4UYFBEQT5XDTDP3
aws_secret_access_key = 3bzGbgJTX507nw5BlApJu0vjsXbl3Xksk4GyIuFT
aws_session_token = <SessionToken value from the response above>
~$ chmod 600 ~/.aws/credentials

Verify your credentials

Call the CLI with the --profile parameter to use these user credentials:

~$ aws s3 ls --profile S3-ACCESS
...
~$ aws sts get-caller-identity --profile S3-ACCESS

Note: temporary credentials obtained with this method are valid for 1 hour; this can be changed in the IAM console to up to 12 hours (the maximum). If you use the temporary credentials to upload data to S3 or download data from S3, make sure the transfer finishes within the credentials' validity period, otherwise the transfer will be cut off when the credentials expire (some operations during data transfer need to validate the credentials frequently).
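Step 2.4 and the note above can be automated so the three fields are never hand-copied and the remaining lifetime is known before a long S3 transfer starts. The script below is an added example, not part of the original page: it assumes the CLI output was saved with `aws sts assume-role-with-saml ... > response.json`, and the embedded SAMPLE_RESPONSE is a constructed stand-in for that file with placeholder values.

```python
import configparser
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample: same shape as the assume-role-with-saml output, placeholder values.
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "EXAMPLESECRETKEY",
        "SessionToken": "EXAMPLESESSIONTOKEN",
        "Expiration": "2020-07-17T04:54:34+00:00",
    },
    "AssumedRoleUser": {"Arn": "arn:aws-cn:sts::112233445555:assumed-role/operator/user@example.com"},
})

# Response field -> key in ~/.aws/credentials (the mapping shown by the arrows above).
FIELD_MAP = {
    "AccessKeyId": "aws_access_key_id",
    "SecretAccessKey": "aws_secret_access_key",
    "SessionToken": "aws_session_token",
}

def write_profile(response_text, credentials_path, profile="S3-ACCESS"):
    """Write the Credentials block into [profile] of credentials_path, keeping other
    profiles, with file mode 0600 (the chmod step above). Returns the Expiration time."""
    creds = json.loads(response_text)["Credentials"]
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)  # no-op if the file does not exist yet
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    for src, dst in FIELD_MAP.items():
        cfg.set(profile, dst, creds[src])
    fd = os.open(credentials_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        cfg.write(f)
    os.chmod(credentials_path, 0o600)  # enforce 0600 even if the file pre-existed
    return datetime.fromisoformat(creds["Expiration"])

def read_profile(credentials_path, profile="S3-ACCESS"):
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    return dict(cfg[profile])

def seconds_remaining(expiration, now=None):
    """Lifetime left on the temporary credentials; negative once they have expired."""
    now = now or datetime.now(timezone.utc)
    return (expiration - now).total_seconds()

def demo():
    """Run the flow on the constructed sample in a temp dir; returns (profile, mode, expiration)."""
    path = os.path.join(tempfile.mkdtemp(), "credentials")
    exp = write_profile(SAMPLE_RESPONSE, path)
    return read_profile(path), os.stat(path).st_mode & 0o777, exp

if __name__ == "__main__":
    profile, mode, exp = demo()
    print(profile, oct(mode), exp, seconds_remaining(exp))
```

Check `seconds_remaining` against the expected transfer time before starting a large S3 upload or download, and re-run the assume-role-with-saml step when it is too short.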