Identity Broker with Python3 Flask
# Quick test for https://stackoverflow.com/questions/49163883/sign-in-page-for-aws-federated-login/49212472#49212472
# Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
# python3 run.py
import urllib.parse,json | |
import requests # 'pip install requests' | |
from boto.sts import STSConnection # AWS SDK for Python (Boto) 'pip install boto' | |
from flask import Flask,redirect # pip install flask | |
# The single Flask application object; the route below is registered on it.
app = Flask(import_name=__name__)
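@app.route('/')
def hello_world():
    """Mint a federated AWS console sign-in URL and redirect the caller to it.

    Flow (per the AWS custom-URL federation docs referenced at the top of the
    file): assume an IAM role via STS, wrap the temporary credentials in the
    JSON document the federation endpoint expects, exchange it for a
    SigninToken, then build the console login URL and 302 the browser to it.

    Returns:
        A Flask redirect response (HTTP 302) to the console login URL.

    Raises:
        requests.HTTPError: if the federation endpoint returns a non-2xx status.
        requests.Timeout: if the federation endpoint does not answer in time.
        KeyError: if the endpoint response has no ``SigninToken`` element.
    """
    # Step 1: Authenticate user in your own identity system.
    # NOTE(review): nothing below performs that check. As written, every request
    # to '/' receives a console session for the assumed role, so this route must
    # be placed behind the identity system's authentication before it is exposed.
    #
    # Step 2: Using the access keys for an IAM user in your AWS account,
    # call "AssumeRole" to get temporary access keys for the federated user.
    # Calls to AWS STS AssumeRole must be signed using the access key ID and
    # secret access key of an IAM user or using existing temporary credentials.
    # The credentials can be in EC2 instance metadata, in environment variables,
    # or in a configuration file, and will be discovered automatically by the
    # STSConnection() function. For more information, see the Python SDK docs:
    # http://boto.readthedocs.org/en/latest/boto_config_tut.html
    sts_connection = STSConnection()
    assumed_role_object = sts_connection.assume_role(
        role_arn="arn:aws:iam::<ACC_NO>:role/s3-role",
        role_session_name="AssumeRoleSession",
    )
    creds = assumed_role_object.credentials

    # Step 3: Format the temporary credentials as JSON. json.dumps() takes care
    # of quoting/escaping; the compact separators keep the document byte-identical
    # to the hand-concatenated form for ordinary credential values.
    json_string_with_temp_credentials = json.dumps(
        {
            "sessionId": creds.access_key,
            "sessionKey": creds.secret_key,
            "sessionToken": creds.session_token,
        },
        separators=(",", ":"),
    )

    # Step 4: Make request to AWS federation endpoint to get sign-in token.
    # Parameters: the sign-in action, a 12-hour session duration, and the JSON
    # document with temporary credentials.
    request_parameters = "?Action=getSigninToken"
    request_parameters += "&SessionDuration=43200"
    request_parameters += "&Session=" + urllib.parse.quote(json_string_with_temp_credentials)
    request_url = "https://signin.aws.amazon.com/federation" + request_parameters
    # A bounded timeout keeps a stalled federation call from hanging the request
    # thread; raise_for_status() turns an error reply into an exception instead
    # of letting json.loads() fail on an HTML/plain-text error body.
    r = requests.get(request_url, timeout=10)
    r.raise_for_status()
    # Returns a JSON document with a single element named SigninToken.
    signin_token = json.loads(r.text)

    # Step 5: Create URL where users can use the sign-in token to sign in to
    # the console. This URL must be used within 15 minutes after the
    # sign-in token was issued.
    request_parameters = "?Action=login"
    request_parameters += "&Issuer=Example.org"
    request_parameters += "&Destination=" + urllib.parse.quote("https://console.aws.amazon.com/")
    request_parameters += "&SigninToken=" + signin_token["SigninToken"]
    request_url = "https://signin.aws.amazon.com/federation" + request_parameters

    # Redirect the browser to the console login URL.
    return redirect(request_url, code=302)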
if __name__ == "__main__":
    # Start the Flask development server (invoked as: python3 run.py).
    app.run()