1. Bring Your Own Identities – Federating Access to Your AWS Environment
Kai Zhao
Senior Product Manager
Identity and Access Management
2. Agenda
• What is delegation?
• What are the scenarios?
• How does it work?
• Q&A
3. What is federation?
• Delegation
– Provide users in other AWS accounts access to resources in your AWS account
• Federation
– Provide users in other identity stores access to resources in your AWS account
4. Common Use Cases
Delegate to other AWS accounts
• To your team member
• To another team
• To third party software
• To an AWS service
• To an EC2 instance
Federate with other identity stores
• Users in your corporate directory
– e.g. Active Directory, Google
• Users authenticated by a web identity provider
– e.g. Login With Amazon, Facebook
5. Sessions 101
• Allow temporary access to your AWS account
• Are generated by the AWS Security Token Service (STS)
• Include temporary security credentials that are used to make API calls to AWS services
7. What’s in a Session?
A session is a set of temporary security credentials: Access Key Id, Secret Access Key, Session Token and Expiration.
• Use the keys to sign AWS service API requests
• Use the token as an additional parameter for every API request
9. Sessions Expire
Expiration varies based on token type
[Min/Max/Default]
• Self (Account) [15 min / 60 min / 60 min]
• Self (IAM User) [15 min / 36 hrs / 12 hrs]
• Federated [15 min / 36 hrs / 12 hrs]
• Assumed-role [15 min / 60 min / 60 min]
Use caching to improve your application performance
New in July 2016: Federated console duration now 12 hours
10. DEMO #1 - AWS Console Single Sign-on
Active Directory
Log into the console without a user name and password!
11. Wait… what just happened?
1. Logged into my Windows instance with AD credentials
2. Hit an intranet website
3. Chose the “role” I wanted to play in AWS
4. Auto-magically signed in to the console
12. AWS Console Federation Walkthrough (AssumeRole)
[Diagram: Customer (IdP) side: corporate directory, federation proxy, browser interface; AWS Cloud (Relying Party) side: AWS Management Console. Labelled steps: 1 Browse to URL; 4 ListRoles request; 5 ListRoles response; 6 Create combo box; 7 AssumeRole request; 8 AssumeRole response with temp credentials (access key, secret key, session token); 9 Generate URL; 10 Redirect to console.]
Federation proxy
• Uses a set of IAM user credentials to make AssumeRoleRequest()
• IAM user permissions only need to be able to call ListRoles & assume role
• Proxy needs to securely store these credentials
13. Console Federation using SAML (AssumeRoleWithSAML)
[Diagram: Enterprise (Identity Provider) side: corporate identity store, identity provider, browser interface; AWS (Service Provider) side: AWS Sign-in, AWS Management Console. Labelled steps: 1 User browses to identity provider; 2 Receives AuthN response; 3 Post to Sign-In passing AuthN response; 5 Redirect client (AWS Management Console).]
14. AWS API Federation Walkthrough (GetFederationToken)
[Diagram: Customer (Identity Provider) side: user, application, Active Directory, federation proxy; AWS Cloud (Relying Party) side: AWS resources (S3 bucket with objects, Amazon DynamoDB, Amazon EC2). Labelled steps: 1 Request session; 4 GetFederationToken request; 5 GetFederationToken response (access key, secret key, session token); 6 Receive session; 7 Call AWS APIs.]
Federation proxy
• Uses a set of IAM user credentials to make a GetFederationTokenRequest()
• IAM user permissions need to be the union of all federated user permissions
• Proxy needs to securely store these privileged credentials
16. Web Identity Federation (AssumeRoleWithWebIdentity)
[Diagram: mobile app, web identity provider, and AWS Cloud (US-EAST-1, EU-WEST-1, AP-SOUTHEAST-1) with IAM (token verification, check policy), EC2 instances and AWS services (Amazon DynamoDB, S3). Labelled steps: 1 Authenticate user; 2 Id token.]
Amazon Cognito: user sign-in and signup for mobile/web apps via social authentication, SAML, custom identities.
17. Summary
• Proxy-based Federation – GetFederationToken and AssumeRole
• SAML-based Federation – AssumeRoleWithSAML
– ADFS
– Shibboleth
• Web Identity Federation - AssumeRoleWithWebIdentity
– Login with Amazon, Facebook, Google
– Amazon Cognito
18. DEMO #2 – Federated Access to AWS CLI
Active Directory
19. What just happened?
1. Logged into my Windows desktop
2. Opened terminal
3. Utility obtained temporary security credentials
4. Accessed AWS services via CLI
20. What just happened? – Code Snippets
import boto.sts

# Use the assertion to get an AWS STS token using Assume Role with SAML
conn = boto.sts.connect_to_region(region)
token = conn.assume_role_with_saml(role_arn, principal_arn, assertion)
What’s Happening: Call the standard AWS STS service to request AWS temporary security credentials
import requests
from requests_ntlm import HttpNtlmAuth

# Initiate session handler
session = requests.Session()
# Programmatically get the SAML assertion
# Set up the NTLM authentication handler by using the provided credential
session.auth = HttpNtlmAuth(username, password, session)
# Opens the initial AD FS URL and follows all of the HTTP 302 redirects
response = session.get(idpentryurl, verify=sslverification)
# Debug the response if needed
# print(response.text)
What’s Happening: Assemble the authentication information (username, password) and formulate the https request to the IdP
import base64
import xml.etree.ElementTree as ET

# Parse the returned assertion and extract the authorized roles
awsroles = []
root = ET.fromstring(base64.b64decode(assertion))
for saml2attribute in root.iter('{urn:oasis:names:tc:SAML:2.0:assertion}Attribute'):
    if saml2attribute.get('Name') == 'https://aws.amazon.com/SAML/Attributes/Role':
        for saml2attributevalue in saml2attribute.iter('{urn:oasis:names:tc:SAML:2.0:assertion}AttributeValue'):
            awsroles.append(saml2attributevalue.text)
What’s Happening: Iterate through the IdP response tags until it finds one named SAMLResponse.
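Added example (not from the deck or the AWS sample it quotes) that carries the slide-20 parsing one step further and also shows the caching the Sessions Expire slide recommends: it splits each Role attribute value into the role ARN and SAML-provider (principal) ARN that assume_role_with_saml takes, tolerating either ARN order, and keeps a small cache that reuses credentials until they are near their Expiration. The SAML assertion, account id and provider name are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample assertion (not a real IdP response); account id and provider
# name are placeholders. The second value lists the ARNs in the opposite order.
SAMPLE_ASSERTION = base64.b64encode(b"""
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:AttributeStatement>
  <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
   <saml2:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/ExampleADFS</saml2:AttributeValue>
   <saml2:AttributeValue>arn:aws:iam::123456789012:saml-provider/ExampleADFS,arn:aws:iam::123456789012:role/Admin</saml2:AttributeValue>
  </saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>""".strip())

def extract_roles(assertion_b64):
    """Return (role_arn, principal_arn) pairs from the assertion's Role attribute."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    pairs = []
    for attr in root.iter(SAML_NS + "Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter(SAML_NS + "AttributeValue"):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                raise ValueError("malformed Role value: %r" % value.text)
            role_arn, principal_arn = parts
            if ":saml-provider/" in role_arn:  # IdP emitted the principal first
                role_arn, principal_arn = principal_arn, role_arn
            pairs.append((role_arn, principal_arn))
    return pairs

class SessionCache:
    """Reuse temporary credentials until they are within `margin` of Expiration."""
    def __init__(self, fetch, margin=timedelta(minutes=5)):
        self._fetch = fetch  # e.g. a call to assume_role_with_saml for the chosen pair
        self._margin = margin
        self._creds = None
        self.fetch_count = 0

    def get(self, now=None):
        now = now or datetime.now(timezone.utc)
        if self._creds is None or self._creds["Expiration"] - now <= self._margin:
            self._creds = self._fetch()  # refresh before the session expires
            self.fetch_count += 1
        return self._creds
```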