Azure AD SSO with AWS: manual CLI access



For CLI access to AWS through Azure AD SSO there is an open-source tool called aws-azure-login [ https://github.com/sportradar/aws-azure-login ]. But some may feel uneasy about using their Azure credentials with an open-source tool. So how do you gain CLI access without it? As mentioned in the Microsoft feedback post [ https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/39560995-azure-ad-aws-cli-authentication ], the process is lengthy and manual, but it is still possible. You cannot find all of these steps in a single place anywhere else, so they are documented here. If you are security conscious and do not want to hand your Azure credentials to open-source tools, follow the steps below.


Start the Azure AD SSO sign-in to AWS and capture the SAML response from the browser developer console:

Google Chrome:

To view a SAML response in Chrome:

These steps were tested using version 54.0.2840.87m. If you use another version, you might need to adapt the steps accordingly.

  1. Press F12 to start the developer console.
  2. Select the Network tab, and then select Preserve log.
  3. Reproduce the issue (that is, sign in to AWS through Azure AD SSO).
  4. Look for a SAML POST in the developer console pane. Select that row, and then view the Headers tab at the bottom. Look for the SAMLResponse form field, which contains the Base64-encoded response.

Mozilla Firefox:

To view a SAML response in Firefox:

This procedure was tested on version 37.0.2 of Mozilla Firefox. If you use another version, you might need to adapt the steps accordingly.

  1. Press F12 to start the developer console.
  2. In the upper right of the developer tools window, click Options (the small gear icon). Under Common Preferences select Enable persistent logs.
  3. Select the Network tab.
  4. Reproduce the issue (sign in to AWS through Azure AD SSO).
  5. Look for a POST SAML request in the table. Select that row. In the Form Data window on the right, select the Params tab and find the SAMLResponse element.

Apple Safari:

To view a SAML response in Safari:

These steps were tested using version 8.0.6 (10600.6.3). If you use another version, you might need to adapt the steps accordingly.

  1. Enable Web Inspector in Safari. Open the Preferences window, select the Advanced tab, and then select Show Develop menu in the menu bar.
  2. Now you can open Web Inspector. Click Develop, then select Show Web Inspector.
  3. Select the Resources tab.
  4. Reproduce the issue (sign in to AWS through Azure AD SSO).
  5. Look for a saml-signin.aws.amazon.com request.
  6. Scroll down to find Request Data with the name SAMLResponse. The associated value is the Base64-encoded response.


  1. Now copy the SAMLResponse value.
  2. Issue the following command, pasting the copied SAML response as the --saml-assertion value:

     aws sts assume-role-with-saml \
       --role-arn arn:aws:iam::accountID:role/ec2-sso-testingrole \
       --principal-arn arn:aws:iam::accountID:saml-provider/AzureADSSO \
       --saml-assertion <paste the SAML response>

     The output (text format) will look like the following; the last column of the CREDENTIALS line is the session token, one long string:

     https://signin.aws.amazon.com/saml   https://sts.windows.net/f5530189-fe77   rG876M0Gxfm0iosuJPGPpLT/nJM   Thuvaragesh@fx.com   urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
     ASSUMEDROLEUSER   arn:aws:sts::459:assumed-role/ec2-sso-testingrole/Thuvaragesh@fx.com   AROAWV6A57:Thuvaragesh@fx.com
     CREDENTIALS   ASIAWV   2020-11-23T06:42:56+00:00   1WXbwyA5wzs+v7xMOVvPdgFKq   IQoJb3JpZ2luX2VjED8aCXVzLWVhc3QtMSJHMEUCIQDWbF9uz8P5t641wmg9koNHu0UriJ2y3qvD6II33592XwIgIp1w85Q7QV7CSRjxGoeMqBEKqX5QFrSkPsTC8+UBPWgqjgMIuP//////////ARAAGgw0NTk0MjkyNDc0NTEiDMfzAHiEaUfsMmfvliriAlKuBnI8Z/P2rENe7N8KivRg7oD1BS1btX/MDTaderimMG54dgtNdw4SZZmzdSY8a/Klo/z1tlSBLdZ5VsyPEta4a2utrZMBhtM0GznVJsEnwJttqVwVAqig+dPq2n/K0m6gZnN27ZPVM67nEkJ/nNrVN6xI1q1Z+v87XhkvBPYvfPz8Bg8ft3ndORLaolNqxmjGpckFGgg4Uh/rGg3hK4cuCz4CEMC9kZIXUQS9zD6e2dWTddvOo5BY0/+9ouCDoUMU7HIWgL+84GznsiLcidJKOiFNzkn5TZncXfchrtmZMV5Hse8LuYFhDKiCYnV0FU0H59Qk7xUO2SLOjIItb8PH9n7rwRMtCfFH6+R+zZ9eIy43Yo//kPPCiyxZFZOoIyZtPWZvNSizsQvoJhATUG34rGcshpTQNmawy8duDIgdvWCNTyeMQyizjuQhM8okZRkWdcemvIhjFmksgoaP3CN+UzDsrO39BTqaAQe0R4+YX5D4ZuBC3nGxEvkOcOk7nLTEvuOlBDmnRtRtk+7mwVggZwW0UmobLaN7Swd3ADgTciRJl+RRQyw6JXnU8rqVsJdW7/eaHLXmCPSNyUykWx3Uy/Na0HajI8NtLn

  1. Copy the credentials from the above output, i.e. the aws_access_key_id, in this case ASIAWV.
  2. Copy the aws_secret_access_key, i.e. 1WXbwyA5wzs+v7xMOVvPdgFKq in this case (the value following the expiry timestamp on the CREDENTIALS line).
  3. Copy the aws_session_token, i.e. the remaining long string.
  4. Now run the command $ aws configure and provide the access_key_id and aws_secret_access_key.
  5. Copy the aws_session_token into the ~/.aws/credentials file at the end, like:

     aws_session_token=[$token values]
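The two manual steps above, finding the ARNs for assume-role-with-saml and copying the returned credentials into ~/.aws/credentials, can both be scripted from what you already have. The role ARN and the SAML provider (principal) ARN are carried inside the captured SAML response itself, in the attribute https://aws.amazon.com/SAML/Attributes/Role, so they can be read out of the response rather than typed from memory, and the JSON form of the CLI output can be written straight into a named profile. The script below is an added example, not code from the original post or from any tool the post mentions; it runs entirely offline on constructed sample data (a made-up account id, unsigned stand-in SAML response and fake credentials) and assumes `aws sts assume-role-with-saml` was run with `--output json`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): helpers for the manual
# Azure AD SSO -> AWS CLI flow. Nothing here talks to AWS or Azure; the
# inputs are constructed samples defined at the bottom.
set -eu

# Print the "role-arn,principal-arn" pairs the IdP placed in the SAML
# response's https://aws.amazon.com/SAML/Attributes/Role attribute.
# $1 = Base64 SAML response exactly as copied from the browser console.
# Works whether the IdP writes <AttributeValue> or <saml:AttributeValue>.
saml_roles() {
  printf '%s' "$1" | base64 -d | tr -d '\n' \
    | grep -o '<[^<>]*AttributeValue[^<>]*>arn:aws:iam::[^<]*</[^<>]*>' \
    | sed 's/^<[^>]*>//; s/<[^>]*>$//'
}

# Pull one string field out of the CLI's JSON output. Each key used here
# occurs exactly once in assume-role-with-saml output. $1 = key, stdin = JSON.
json_field() {
  grep -o "\"$1\": *\"[^\"]*\"" | sed 's/^[^:]*: *"//; s/"$//'
}

# Append a named profile (access key, secret, session token) built from the
# JSON output of `aws sts assume-role-with-saml --output json`, so the long
# session token never has to be pasted by hand. Prints the expiry time.
# $1 = profile name, $2 = JSON text, $3 = credentials file to append to.
write_profile() {
  profile=$1; json=$2; file=$3
  ak=$(printf '%s' "$json" | json_field AccessKeyId)
  sk=$(printf '%s' "$json" | json_field SecretAccessKey)
  st=$(printf '%s' "$json" | json_field SessionToken)
  exp=$(printf '%s' "$json" | json_field Expiration)
  [ -n "$ak" ] && [ -n "$sk" ] && [ -n "$st" ] || return 1
  ( umask 077                          # new file readable by this user only
    mkdir -p "$(dirname "$file")"
    {
      printf '\n[%s]\n' "$profile"
      printf 'aws_access_key_id = %s\n' "$ak"
      printf 'aws_secret_access_key = %s\n' "$sk"
      printf 'aws_session_token = %s\n' "$st"
      printf '# temporary credentials, expire %s\n' "$exp"
    } >> "$file" )
  printf '%s' "$exp"
}

# Constructed sample SAML response: a minimal, unsigned stand-in for what
# Azure AD posts to https://signin.aws.amazon.com/saml. A real response also
# carries a signature, conditions and more attributes. ARNs are made up.
SAMPLE_SAML_XML='<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://signin.aws.amazon.com/saml">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</NameID></Subject>
    <AttributeStatement>
      <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <AttributeValue>arn:aws:iam::123456789012:role/ec2-sso-testingrole,arn:aws:iam::123456789012:saml-provider/AzureADSSO</AttributeValue>
      </Attribute>
      <Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <AttributeValue>user@example.com</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>'
SAMPLE_SAML_B64=$(printf '%s' "$SAMPLE_SAML_XML" | base64 | tr -d '\n')

# Constructed sample of `aws sts assume-role-with-saml --output json`
# output; every value is fake and unusable.
SAMPLE_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "EXAMPLEsecretKeyDoNotUse",
        "SessionToken": "IQoJb3JpZ2luX2VjEXAMPLESESSIONTOKEN",
        "Expiration": "2020-11-23T06:42:56+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:user@example.com",
        "Arn": "arn:aws:sts::123456789012:assumed-role/ec2-sso-testingrole/user@example.com"
    },
    "Subject": "user@example.com",
    "SubjectType": "persistent",
    "Issuer": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
    "Audience": "https://signin.aws.amazon.com/saml"
}'

# Demonstration on the samples; writes to a temp file, not ~/.aws/credentials.
echo "Role,principal pairs found in the SAML response:"
saml_roles "$SAMPLE_SAML_B64"
demo_file=$(mktemp)
expiry=$(write_profile azure-sso "$SAMPLE_JSON" "$demo_file")
echo "Profile written to $demo_file, valid until $expiry:"
cat "$demo_file"
rm -f "$demo_file"
```

In real use, save the copied response to a file and pass it as --saml-assertion file://saml.b64 (the AWS CLI reads file:// parameter values from disk), which keeps a bearer token that is valid until the assertion's own expiry out of your shell history; the temporary credentials themselves stop working at the Expiration time the command returns (2020-11-23T06:42:56+00:00 in the output above), after which the capture has to be repeated. If you prefer not to edit the file directly, aws configure set aws_session_token <token> --profile <name> writes the same key.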

  6. Now send your SSH public key to the required EC2 instance with the following command (make sure EC2 Instance Connect is configured on the instance; for reference: https://hibern8e.blogspot.com/2020/12/ubuntu-ec2-instance-connect-for-cli-ssh.html ).
  7. aws ec2-instance-connect send-ssh-public-key \
       --instance-id yourinstanceID \
       --availability-zone yourzone \
       --instance-os-user yourusername \
       --ssh-public-key file://~/.ssh/my_rsa_key.pub
  8. Now connect to the instance using the command below, passing the private key that matches the public key you just sent (the .pub file is not the identity file):
  9. ssh -i ~/.ssh/my_rsa_key ragesh@<instance-ip> -p <port number>

