Merge pull request #197 from venth/print_console_signin_url

Print AWS web console sign-in url

Author: pdecat

README.md

@@ -253,6 +253,14 @@ aws-adfs integrates with:
                                       AWS_DEFAULT_REGION environmental variables
                                       instead of saving them to the aws
                                       configuration file.
+      --print-console-signin-url      Output a URL that lets users who sign in to
+                                      your organization's network securely access
+                                      the AWS Management Console.
+      --console-role-arn TEXT         Role to assume for use in conjunction with
+                                      --print-console-signin-url
+      --console-external-id TEXT      External ID to pass in assume role for use
+                                      in conjunction with --print-console-signin-
+                                      url
       --role-arn TEXT                 Predefined role arn to selects, e.g. aws-
                                       adfs login --role-arn arn:aws:iam::123456789
                                       012:role/YourSpecialRole
@@ -420,4 +428,6 @@ poetry run pytest
 * [johan1252](https://github.com/johan1252) for: Ask for authentication method if there is no default method set in Duo Security settings
 * [pdecat](https://github.com/pdecat) for: Always return the same number of values from _initiate_authentication()
 * [mikereinhold](https://github.com/mikereinhold) for: Feature credential process
-* [pdecat](https://github.com/pdecat) for: Add --username-password-command command line parameter
+* [pdecat](https://github.com/pdecat) for:
+    * Add --username-password-command command line parameter
+    * Add --print-console-signin-url, --console-role-arn and --console-external-id command line parameters

aws_adfs/login.py

@@ -5,14 +5,17 @@
 import os.path
 import subprocess
 import sys
+import urllib
 from datetime import datetime, timezone
 from os import environ
 from platform import system
 
+import boto3
 import botocore
 import botocore.exceptions
 import botocore.session
 import click
+import requests
 from botocore import client
 
 from . import authenticator, helpers, prepare, role_chooser
@@ -90,6 +93,19 @@
     is_flag=True,
     help='Output commands to set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_DEFAULT_REGION environmental variables instead of saving them to the aws configuration file.',
 )
+@click.option(
+    '--print-console-signin-url',
+    is_flag=True,
+    help='Output a URL that lets users who sign in to your organization\'s network securely access the AWS Management Console.',
+)
+@click.option(
+    "--console-role-arn",
+    help="Role to assume for use in conjunction with --print-console-signin-url",
+)
+@click.option(
+    "--console-external-id",
+    help="External ID to pass in assume role for use in conjunction with --print-console-signin-url",
+)
 @click.option(
     '--role-arn',
     help='Predefined role arn to selects, e.g. aws-adfs login --role-arn arn:aws:iam::123456789012:role/YourSpecialRole',
@@ -133,6 +149,9 @@ def login(
     authfile,
     stdout,
     printenv,
+    print_console_signin_url,
+    console_role_arn,
+    console_external_id,
     role_arn,
     session_duration,
     no_session_cache,
@@ -259,7 +278,11 @@ def login(
         _emit_json(aws_session_token)
     elif printenv:
         _emit_summary(config, aws_session_duration)
-        _print_environment_variables(aws_session_token,config)
+        _print_environment_variables(aws_session_token, config)
+    elif print_console_signin_url:
+        _print_console_signin_url(
+            aws_session_token, adfs_host, console_role_arn, console_external_id
+        )
     else:
         _store(config, aws_session_token)
         _emit_summary(config, aws_session_duration)
@@ -275,7 +298,7 @@ def _emit_json(aws_session_token):
     }))
 
 
-def _print_environment_variables(aws_session_token,config):
+def _print_environment_variables(aws_session_token, config):
     envcommand = "export"
     if(sys.platform=="win32"):
         envcommand="set"
@@ -287,8 +310,79 @@ def _print_environment_variables(aws_session_token,config):
     click.echo(
         u"""{} AWS_SESSION_TOKEN={}""".format(envcommand,aws_session_token['Credentials']['SessionToken']))
     click.echo(
-        u"""{} AWS_DEFAULT_REGION={}""".format(envcommand,config.region))
+        u"""{} AWS_DEFAULT_REGION={}""".format(envcommand, config.region))
+
+
+def _print_console_signin_url(
+    aws_session_token, adfs_host, console_role_arn, console_external_id
+):
+    # The steps below come from https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+
+    if console_role_arn:
+        # Step 2: Using the access keys for an IAM user in your AWS account,
+        # call "AssumeRole" to get temporary access keys for the federated user
+
+        # Note: Calls to AWS STS AssumeRole must be signed using the access key ID
+        # and secret access key of an IAM user or using existing temporary credentials.
+        # The credentials can be in EC2 instance metadata, in environment variables,
+        # or in a configuration file, and will be discovered automatically by the
+        # client('sts') function. For more information, see the Python SDK docs:
+        # http://boto3.readthedocs.io/en/latest/reference/services/sts.html
+        # http://boto3.readthedocs.io/en/latest/reference/services/sts.html#STS.Client.assume_role
+
+        # FIXME: use botocore instead of boto3: https://github.com/boto/botocore/blob/1.21.49/botocore/credentials.py#L766
+        sts_connection = boto3.client(
+            "sts",
+            aws_access_key_id=aws_session_token["Credentials"]["AccessKeyId"],
+            aws_secret_access_key=aws_session_token["Credentials"]["SecretAccessKey"],
+            aws_session_token=aws_session_token["Credentials"]["SessionToken"],
+        )
+
+        if console_external_id:
+            aws_session_token = sts_connection.assume_role(
+                RoleArn=console_role_arn,
+                RoleSessionName="aws-adfs",
+                ExternalId=console_external_id,
+            )
+        else:
+            aws_session_token = sts_connection.assume_role(
+                RoleArn=console_role_arn,
+                RoleSessionName="aws-adfs",
+            )
 
+    # Step 3: Format resulting temporary credentials into JSON
+    url_credentials = {}
+    url_credentials['sessionId'] = aws_session_token['Credentials']['AccessKeyId']
+    url_credentials['sessionKey'] = aws_session_token['Credentials']['SecretAccessKey']
+    url_credentials['sessionToken'] = aws_session_token['Credentials']['SessionToken']
+    json_string_with_temp_credentials = json.dumps(url_credentials)
+
+    # Step 4. Make request to AWS federation endpoint to get sign-in token. Construct the parameter string with
+    # the sign-in action request, a 12-hour session duration, and the JSON document with temporary credentials 
+    # as parameters.
+    request_parameters = "?Action=getSigninToken"
+
+    # https://signin.aws.amazon.com/federation endpoint returns a HTTP/1.1 400 Bad Request error with AssumeRole credentials when SessionDuration is set
+    if not console_role_arn:
+        request_parameters += "&SessionDuration=43200"
+
+    request_parameters += "&Session=" + urllib.parse.quote_plus(json_string_with_temp_credentials)
+    request_url = "https://signin.aws.amazon.com/federation" + request_parameters
+    r = requests.get(request_url)
+    # Returns a JSON document with a single element named SigninToken.
+    signin_token = json.loads(r.text)
+
+    # Step 5: Create URL where users can use the sign-in token to sign in to
+    # the console. This URL must be used within 15 minutes after the
+    # sign-in token was issued.
+    request_parameters = "?Action=login"
+    request_parameters += "&Issuer=" + urllib.parse.quote_plus("https://" + adfs_host + "/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices")
+    request_parameters += "&Destination=" + urllib.parse.quote_plus("https://console.aws.amazon.com/")
+    request_parameters += "&SigninToken=" + signin_token["SigninToken"]
+    request_url = "https://signin.aws.amazon.com/federation" + request_parameters
+
+    # Send final URL to stdout
+    click.echo("""\nAWS web console signin URL:\n\n{}""".format(request_url))
 
 def _emit_summary(config, session_duration):
     click.echo(

poetry.lock

@@ -42,6 +42,7 @@ requests-kerberos = [
 requests-negotiate-sspi= [
     { version = ">=0.3.4", markers = "platform_system == 'Windows'" },
 ]
+boto3 = "^1.20.50"
 
 [tool.poetry.dev-dependencies]
 coverage = "<4"