AWS.SAML.psm1
|
using module .\AWS.SAML.Browser.psm1 using module .\AWS.SAML.Settings.psm1 using module .\AWS.SAML.Utils.psm1 using module .\AWS.SAML.Profile.psm1 <# .SYNOPSIS Get AWS STS credentials for using in the CLI from a SAML based login. .DESCRIPTION Get AWS STS credentials for using in the CLI from a SAML based login. .EXAMPLE C:\PS> Login-AWSSAML .PARAMETER InitURL The SAML Login Initiation URL. If not passed you will be prompted and it will be saved for future use. .PARAMETER Browser Choose the browser to handle the login process. Options: Chrome, Firefox, Edge, IE Default: Chrome .PARAMETER ProfileName When specified the credentials are saved as an AWS profile under the specified name for use in the CLI .PARAMETER SessionDuration When specified your role session lasts for the specified duration in seconds. By default, the value is set to 3600 seconds. #> function New-AWSSAMLLogin { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Low')] [Alias('Login-AWSSAML','las')] param( [String]$InitURL, [ValidateSet('Chrome', 'Firefox', 'Edge', 'IE')] [String]$Browser = 'Chrome', [Switch]$NoBrowserProfile, [Alias('Profile')] [String]$ProfileName, [Int]$SessionDuration = 3600 ) if ($pscmdlet.ShouldProcess('AWS SAML', 'login')) { if([String]::IsNullOrWhiteSpace($InitURL)){ $InitURL = Get-AWSSAMLURL } # Start Browser for Login $driver = Start-Browser -InitURL $InitURL -Browser $Browser -NoProfile:$NoBrowserProfile # Get SAML Assertion $samlAssertion = Get-SAMLAssertion -Driver $driver # Get Selected Role $consoleData = Get-ConsoleData -Driver $driver # Close Browser $Driver.quit() # Clear Screen Clear-Host # Get Role Details from SAML $arns = Get-SAMLRole -Assertion $samlAssertion -AccountID $consoleData.AccountID -Role $consoleData.Role # Get STS Credentials with SAML $sts = Use-STSRoleWithSAML -PrincipalArn $arns.PrincipalArn -RoleArn $arns.RoleArn -SAMLAssertion $samlAssertion -DurationInSeconds $SessionDuration # Store Credentials for use if($ProfileName){ # Store in Profile Set-AWSProfile -ProfileName $ProfileName -AccessKeyId $sts.Credentials.AccessKeyId -SecretAccessKey $sts.Credentials.SecretAccessKey -SessionToken $sts.Credentials.SessionToken -AccountID $consoleData.AccountID -Role $consoleData.Role -SessionDuration $SessionDuration }else{ # Store in Environment Variable Add-AWSSTSCred -STS $sts } # Output Console Data return [PSCustomObject]@{ Account = $consoleData.Alias AccountID = $consoleData.AccountID User = $consoleData.Name Role = $consoleData.Role Expires = $sts.Credentials.Expiration } } } <# .SYNOPSIS Update saved profiles with new STS Credentials from SAML based login. .DESCRIPTION Update saved profiles with new STS Credentials from SAML based login. Must have previously saved profiles using `New-AWSSAMLLogin -Profile <name>` .EXAMPLE C:\PS> Update-AWSSAMLLogin .PARAMETER InitURL The SAML Login Initiation URL. If not passed you will be prompted if an existing Initiation URL is not found. .PARAMETER Browser Choose the browser to handle the login process. Options: Chrome, Firefox, Edge, IE Default: Chrome .PARAMETER ProfileName When specified the credentials are saved as an AWS profile under the specified name for use in the CLI .PARAMETER SessionDuration When specified your role session lasts for the specified duration in seconds. By default, the value is set to 3600 seconds. #> function Update-AWSSAMLLogin { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Low')] [Alias('Update-AWSSAML','uas')] param( [String]$InitURL, [ValidateSet('Chrome', 'Firefox', 'Edge', 'IE')] [String]$Browser = 'Chrome', [Alias('Profile')] [String]$ProfileName, [Int]$SessionDuration ) if ($pscmdlet.ShouldProcess('AWS SAML', 'update')) { if([String]::IsNullOrWhiteSpace($InitURL)){ $InitURL = Get-AWSSAMLURL } # Start Browser for Login $driver = Start-Browser -InitURL $InitURL -Browser $Browser -Headless # Get SAML Assertion # TODO: Implement timeout and relaunch of non headless browser for authentication issue detection $samlAssertion = Get-SAMLAssertion -Driver $driver # Close Browser $Driver.quit() # Renew each valid profile if($ProfileName){ $profiles = Get-AWSProfile -ProfileName $ProfileName }else{ $profiles = Get-AWSProfile } foreach ($profile in $profiles) { if($profile.AccountID -ne '' -and $profile.Role -ne ''){ Write-Output "Updating Profile $($profile.Name)" # Get Role Details from SAML $arns = Get-SAMLRole -Assertion $samlAssertion -AccountID $profile.AccountID -Role $profile.Role if($arns){ # Allow passed in duration to override profile settings if(!($SessionDuration)){ $SessionDuration = $profile.Duration } # Get STS Credentials with SAML $sts = Use-STSRoleWithSAML -PrincipalArn $arns.PrincipalArn -RoleArn $arns.RoleArn -SAMLAssertion $samlAssertion -DurationInSeconds $SessionDuration # Update Profile Set-AWSProfile -ProfileName $profile.Name -AccessKeyId $sts.Credentials.AccessKeyId -SecretAccessKey $sts.Credentials.SecretAccessKey -SessionToken $sts.Credentials.SessionToken -AccountID $profile.AccountID -Role $profile.Role -SessionDuration $profile.Duration } } } } } |