this completely eliminates the need to juggle ~/.aws/* files, or downloading or generation of one or more web identity token files, or complicated trust to a single root account
using a single GitHub token identifying the user, the saml.to backend exchanges that token for the desired account and credentials simply based on providing the desired role name as input
zero knowledge on how to authenticate the aws cli is necessary, which I've found as a high friction point for administrators and developers to get right
let me know if you have any more questions or feedback!
That being said, you're making my brain click a little bit and this could be converted into a "self contained" toy, with some additional work! The biggest piece of the puzzle is a consistent private key and certificate.
If that is of interest to you, could you create a GitHub Issue as a feature request?
Totally agree re: complexity. My goal is that a few config steps in a GitHub repository and AWS makes a GitHub action able to do a wide variety of things (such as accessing multiple accounts) with very little upstart work.
Storing Secrets in GitHub isn't technically insecure, and it's awesome it's provided as a free feature, but it's tedious and fragile. Someone (or something has to do various clicks and copy/pastes or API calls) to upload an access key into GitHub Secrets. It gets even worse if you have multiple accounts and then your Action Workflow file gets really gnarly if you simply pull credentials from ${{ secrets.* }}.
Also, if you need to rotate your AWS access tokens, you open up a whole new can of worms, so why not remove credentials all together!
Thanks for the question nodesocket, let me know if you have more questions or comments!
You are correct this GitHub action is at its core is very similar! Even though the initial instructions don't prescribe it, the biggest differentiator is that SAML.to supports a centralized permissions configuration across all repositories for a user, project or organization:
Also, this action is the tip of the iceberg of what SAML.to aims to provide (check out https://saml.to), for example:
- Store Role Assumption and Privileges as Code (the saml-to.yml config file)
- A command line interface to login and assume roles
- Free (or affordable) for small teams or individuals
- Additional Automations, Webhooks, SCIM, etc
Let me know if you have any comments on this and thanks for the question!
Let's actually use Rollbar as a use case since your HN profile says you're the co-founder, and Rollbar supports SAML !
Use case:
There's a set of developers on a project in GitHub, that also need to log into Rollbar. Rollbar would be added as a provider in the SAML.to Configuration File (hosted in GitHub). Developers that need to access Rollbar would also be listed in the configuration file with who should be allowed to Login to Rollbar.
When "cnuss" or "brianr" needs to access Rollbar, they would run the command in their console
`npx saml-to login rollbar`
This command would obtain their GitHub identity, and open a browser window directly into Rollbar. "tonystark" would not be able to do this, since he's not listed.
Additionaly, in this config, AWS access is configured for role assumption, So brianr, cnuss, and tonystark can all log AWS using the command
`npx saml-to assume role/admin`
This command would open up a browser window in the AWS console with the role of "arn:aws:iam::01234567890:role/admin"!
Using two commands, developers were able to log into both AWS and Rollbar in seconds.
Also, with SAML.to Premium, listing individual users is unnecessary, and assigning them to teams and specifying the teams in the config eliminates the repetition of a list of users in the config file.
Let me know if you have any questions or comments!
generally speaking, no, there should be no security concerns checking this into a repo but some best practices would be recommended to follow:
- make the repo private
- protect the main branch
- require PRs and # approvals and/or add CODEOWNERS
- only allow individuals that need to edit with write/admin privileges
- having anybody with read-only access to the repo is unnecessary since SAML.to does the reading on behalf of the users
if provisioning is needed, there would be a encrypted token for SCIM in the text of the file, but that token is encrypted by SAML.to AWS KMS, so checking an encrypted string into a file shouldn't be a huge concern for most
also, SAML.to Premium allows users to maintain their own PKI and allows administrators to encrypt and sign according to their organizations requirements!
on a final note, I'd entertain a feature request for "include" statements in the config file so CODEOWNERS could be leveraged nicely
that's all I can think of for now. I'll get these best practices into the docs and I'd entertain any and all suggestions or thoughts!
I've bridged GitHub OAuth and SAML 2.0 together, and made it easy to use with a CLI (`npx saml-to --help`). It's called SAML.to (https://saml.to).
I've built this to be a no/low-cost alternative to using Okta, OneLogin, or JumpCloud for SAML Logins.
Using SAML.to, a configuration file is placed in a GitHub repository that defines one or many Service Providers and Permissions to GitHub users, then logging in is as simple as running a command in your console:
npx saml-to login
Or for role assumption (like IAM roles):
npx saml-to assume
I'd love this community's feedback on this, please let me know what you think!
We've built Scaffoldly as an Open Source option to quickly start new projects in AWS, and cost effectively.
Scaffoldly Start (https://start.scaffold.ly) is the next iteration of our product, designed to quickly set up a new project on AWS using our Open Souce Tooling with Serverless APIs, GitHub Actions, Terraform, and Authentication.
True, I'll put "bootstrap" in the extreme maybe area, especially since CSS frameworks are so easy to wire in.
My previous work with React found an huge need for other things, such as redux and redux-saga, and found myself wasting a lot of time wiring that up just to get some text to change in the HTML based on a remote API call, but, personally, as I'm comparatively a n00b with React, I'd really like be prescribed a foundational structure for a new project.
1. There's a Function URL that then creates a Lambda HTTP Event
2. There's a reverse proxy in the container that converts the Lambda HTTP Event back into a HTTP Request
3. Then the HTTP Respose is transformed back into a Lambda HTTP Event Response
@billconan if you'd like, join my Discord and I'd be happy dive into details and/or provide more docs: https://scaffoldly.dev/community