Obtaining temporary credentials from the AssumeRoleWithSAML operation with the AWS CLI

1. Install the AWS CLI

~$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
~$ sudo yum install unzip
~$ unzip awscliv2.zip
~$ sudo ./aws/install
~$ aws --version
or:
~$ /usr/local/bin/aws --version

2. AssumeRoleWithSAML Steps

2.1 Configure a profile

~$ vi ~/.aws/config

contents:

[profile S3-ACCESS]
region = cn-north-1
output = json

~$ chmod 600 ~/.aws/config

2.2 Capture the SAMLResponse

Open the browser developer tools before signing in to AWS, then sign in and pick the SAMLResponse out of the captured POST:

|<--------- before signing in to AWS --------->|  |<-------------- sign in -------------->|
F12 --> Network ---> Preserve log -----> saml ---> Form Data ---> SAMLResponse

2.3 Run the assume-role-with-saml command

~$ aws sts assume-role-with-saml --role-arn arn:aws-cn:iam::112233445555:role/operator --principal-arn arn:aws-cn:iam::112233445555:saml-provider/PROVIDER --saml-assertion "PHNhb..." --profile S3-ACCESS
or:
~$ aws sts assume-role-with-saml --role-arn arn:aws-cn:iam::112233445555:role/operator --principal-arn arn:aws-cn:iam::112233445555:saml-provider/PROVIDER --saml-assertion file://SAMLResponse.log --profile S3-ACCESS

The response of this command looks like the following:

{
    "Credentials": {
        "AccessKeyId": "ASIAY4UYFBEQT5XDTDP3",   // ----------->  aws_access_key_id
        "SecretAccessKey": "3bzGbgJTX507nw5BlApJu0vjsXbl3Xksk4GyIuFT",   // -----------> aws_secret_access_key
        "SessionToken": "...",    // -----------> aws_session_token
        "Expiration": "2020-07-17T04:54:34+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAPGXDD5N7WB7K2NJXC:suo.li@microfun.com",
        "Arn": "arn:aws-cn:sts::112233445555:assumed-role/operator/suo.li@microfun.com"
    },
    "Subject": "suo.li@microfun.com",
    "SubjectType": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "Issuer": "https://sts.windows.net/4a7c19a3-8875-4889-afcb-65063e44dc5f/",
    "Audience": "https://signin.amazonaws.cn/saml",
    "NameQualifier": "DqCxreNmqRXPNA25ejJBl9B/qjY="
}

2.4 Write the credentials file

~$ vi ~/.aws/credentials

[S3-ACCESS]
aws_access_key_id = ASIAY4UYFBEQT5XDTDP3
aws_secret_access_key = 3bzGbgJTX507nw5BlApJu0vjsXbl3Xksk4GyIuFT
aws_session_token = ...

~$ chmod 600 ~/.aws/credentials

2.5 Verify your credentials

Pass the --profile parameter to call the API with these credentials:

~$ aws s3 ls --profile S3-ACCESS
...
~$ aws sts get-caller-identity --profile S3-ACCESS

Note: temporary credentials obtained this way are valid for 1 hour; the session duration can be raised in the IAM console to 12 hours (the maximum). If you use the temporary credentials to upload data to or download data from S3, make sure the transfer finishes within the credentials' validity period, otherwise the transfer will be cut off when the credentials expire (some operations during a transfer re-validate the credentials frequently).
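Steps 2.3 and 2.4 and the expiry caveat above, scripted as an added example (not code from the original post): the helper runs the same assume-role-with-saml command, writes the returned keys under the profile with mode 0600, and reports how many seconds remain before Expiration so a long S3 transfer can be planned; the sample response is constructed with placeholder values, and `assume_role_with_saml`, `write_profile` and `read_profile` are names chosen here.

```python
"""Automate steps 2.3 and 2.4: call assume-role-with-saml, then store the result
under a profile with mode 0600. Added example, not code from the original post."""
import configparser
import json
import os
import subprocess
from datetime import datetime, timezone
from pathlib import Path

SAMPLE_RESPONSE = {"Credentials": {  # constructed; same shape as the real reply
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "EXAMPLESECRETKEY/NotARealSecret0000000000",
    "SessionToken": "EXAMPLESESSIONTOKEN...",
    "Expiration": "2020-07-17T04:54:34+00:00"}}


def assume_role_with_saml(role_arn, principal_arn, assertion_file, profile):
    """Run the same CLI command as in step 2.3 and return the parsed JSON reply."""
    cmd = ["aws", "sts", "assume-role-with-saml", "--role-arn", role_arn,
           "--principal-arn", principal_arn, "--saml-assertion",
           f"file://{assertion_file}", "--profile", profile]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def write_profile(response, profile, credentials_path):
    """Write Credentials.* under [profile] (step 2.4) and return the seconds left
    before Expiration, so a transfer can be sized to the credentials' window."""
    creds = response["Credentials"]
    path = Path(credentials_path)
    cfg = configparser.ConfigParser()
    cfg.read(path)  # keep any other profiles; a missing file is simply skipped
    cfg[profile] = {"aws_access_key_id": creds["AccessKeyId"],
                    "aws_secret_access_key": creds["SecretAccessKey"],
                    "aws_session_token": creds["SessionToken"]}
    # Create the file with owner-only permissions before any secret is written.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # also fix the mode if the file already existed
    expires = datetime.fromisoformat(creds["Expiration"])
    return int((expires - datetime.now(timezone.utc)).total_seconds())


def read_profile(credentials_path, profile):
    """Return the stored keys plus the file's permission bits (the verify step)."""
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    mode = os.stat(credentials_path).st_mode & 0o777
    return dict(cfg[profile], mode=f"{mode:04o}")
```

A negative return value from `write_profile` means the credentials have already expired and the SAMLResponse must be captured again.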
