SAML Setup

Customer Account

Installing CF Template

CLI Deploy

From Customer account

Note: To perform a "Dry Run" (Change Set), include the --no-execute-changeset flag as shown below. Remove it when you are ready to create the resources.

If you have the XML locally, load it into a shell variable first and pass that variable in the overrides instead of the placeholder string: samlMetadata="$(cat GoogleIDPMetadata-newcert.xml)"

aws cloudformation deploy \
  --template-file main.yml \
  --stack-name nmd-saml-idp \
  --no-execute-changeset \
  --parameter-overrides \
    idpName="NMDGoogle" \
    samlMetadata="YOUR_SAML_METADATA_XML_AS_STRING" \
    custNameAbbreviation="customer_name" \
    accessPolicy="AdministratorAccess" \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-west-2
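As an added example (not code from this repository), the following Python wrapper checks the inputs before issuing the deploy command above: it parses the metadata file to confirm it is SAML 2.0 IdP metadata carrying a signing certificate, checks accessPolicy against the options in the Access Policies table, and hands the XML to the AWS CLI as a single argv element so shell quoting cannot mangle it. The SAMPLE_METADATA document, the name pattern for idpName/custNameAbbreviation and the `--execute` switch are constructed assumptions; the aws command line itself is the one from the section above.

```python
"""Validate the deploy inputs and assemble the `aws cloudformation deploy`
command from the CLI Deploy section. Added example; SAMPLE_METADATA and the
name rules are constructed here, not taken from the repository."""
import re
import subprocess
import sys
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Values the accessPolicy parameter accepts (the Access Policies table).
ALLOWED_ACCESS_POLICIES = {
    "AdministratorAccess", "PowerUserAccess", "SecurityAudit",
    "ReadOnlyAccess", "SystemAdministrator", "Billing",
}
# Assumed rule: idpName and custNameAbbreviation end up inside IAM resource
# names, so keep them to a short, safe character set.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Constructed stand-in for GoogleIDPMetadata-newcert.xml (certificate body truncated).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBconstructedCertificateBodyNotARealCert</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def validate_saml_metadata(xml_text):
    """Return the IdP entityID after checking the document is SAML 2.0 IdP metadata
    that carries at least one X509 certificate (more than one is normal during rotation)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    idp = root.find(f"{{{SAML_MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    if not idp.findall(f".//{{{DSIG_NS}}}X509Certificate"):
        raise ValueError("IDPSSODescriptor carries no X509Certificate")
    return entity_id


def build_deploy_command(metadata_xml, idp_name, cust_abbrev, access_policy,
                         stack_name="nmd-saml-idp", region="us-west-2", dry_run=True):
    """Return the argv list for the deploy; dry_run keeps --no-execute-changeset."""
    validate_saml_metadata(metadata_xml)
    for label, value in (("idpName", idp_name), ("custNameAbbreviation", cust_abbrev)):
        if not NAME_RE.match(value):
            raise ValueError(f"{label} must match {NAME_RE.pattern}: {value!r}")
    if access_policy not in ALLOWED_ACCESS_POLICIES:
        raise ValueError(f"accessPolicy must be one of {sorted(ALLOWED_ACCESS_POLICIES)}")
    cmd = ["aws", "cloudformation", "deploy",
           "--template-file", "main.yml",
           "--stack-name", stack_name]
    if dry_run:
        cmd.append("--no-execute-changeset")
    cmd += ["--parameter-overrides",
            f"idpName={idp_name}",
            f"samlMetadata={metadata_xml}",   # whole XML as one argv element
            f"custNameAbbreviation={cust_abbrev}",
            f"accessPolicy={access_policy}",
            "--capabilities", "CAPABILITY_NAMED_IAM",
            "--region", region]
    return cmd


if __name__ == "__main__":
    # Usage: python deploy_saml.py GoogleIDPMetadata-newcert.xml [--execute]
    paths = [a for a in sys.argv[1:] if a != "--execute"]
    xml_text = open(paths[0], encoding="utf-8").read() if paths else SAMPLE_METADATA
    cmd = build_deploy_command(xml_text, "NMDGoogle", "customer_name",
                               "AdministratorAccess", dry_run="--execute" not in sys.argv)
    print("Running:", " ".join(cmd[:7]), "...")
    subprocess.run(cmd, check=True)
```

Without `--execute` the script only creates the change set, matching the dry-run note above; review it in the console before re-running with `--execute`.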

Access Policies

The accessPolicy parameter allows you to select from several AWS Managed Policies for Job Functions. This ensures that NMD engineers have the appropriate level of access for their specific task.

| Option | AWS Managed Policy ARN | Description |
| --- | --- | --- |
| AdministratorAccess | AdministratorAccess | Full access to all resources. |
| PowerUserAccess | PowerUserAccess | Full access except for IAM and Organizations. |
| SecurityAudit | SecurityAudit | For security auditing and compliance monitoring. |
| ReadOnlyAccess | ReadOnlyAccess | View-only access to all resources. |
| SystemAdministrator | SystemAdministrator | Operations and resource maintenance. |
| Billing | Billing | Access to billing and cost management. |

NMD GSuite

  1. Navigate to a user profile https://admin.google.com/ac/users/
  2. Add the following comma-separated role ARN / provider ARN pair to the Amazon section (replace the placeholders with your deployment values): arn:aws:iam::{AWS_ACCOUNT_NUMBER}:role/NMD-{accessPolicy}-{custNameAbbreviation},arn:aws:iam::{AWS_ACCOUNT_NUMBER}:saml-provider/{idpName}
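Added example (not part of the repository or its template): from the same deploy parameters it derives the role name per the NMD-{accessPolicy}-{custNameAbbreviation} pattern, the managed policy ARN for each accessPolicy option in the table, the comma-separated role/provider value for the Amazon section of the Google user profile, and the trust policy a SAML-federated role of this kind carries (Federated principal equal to the SAML provider, sts:AssumeRoleWithSAML only, SAML:aud pinned to the AWS sign-in endpoint). check_trust_policy flags a role whose trust policy has drifted from that shape, which is the check worth running after the stack is live. The account number is constructed, and the trust policy shown is the standard one for SAML federation, not a copy of main.yml.

```python
"""Derive the IAM names, the Google Workspace role attribute and the expected
role trust policy from the deploy parameters. Added example; the account
number in the usage block is constructed."""
import json
import re

# Managed policy ARN behind each accessPolicy option. The two job-function
# policies (SystemAdministrator, Billing) sit under the job-function/ path.
MANAGED_POLICY_ARNS = {
    "AdministratorAccess": "arn:aws:iam::aws:policy/AdministratorAccess",
    "PowerUserAccess": "arn:aws:iam::aws:policy/PowerUserAccess",
    "SecurityAudit": "arn:aws:iam::aws:policy/SecurityAudit",
    "ReadOnlyAccess": "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "SystemAdministrator": "arn:aws:iam::aws:policy/job-function/SystemAdministrator",
    "Billing": "arn:aws:iam::aws:policy/job-function/Billing",
}
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ACCOUNT_RE = re.compile(r"^\d{12}$")


def _check_account(account_id):
    if not ACCOUNT_RE.match(account_id):
        raise ValueError(f"AWS account numbers are 12 digits: {account_id!r}")


def role_name(access_policy, cust_abbrev):
    """Role created by the template: NMD-{accessPolicy}-{custNameAbbreviation}."""
    if access_policy not in MANAGED_POLICY_ARNS:
        raise ValueError(f"unknown accessPolicy {access_policy!r}")
    return f"NMD-{access_policy}-{cust_abbrev}"


def role_arn(account_id, access_policy, cust_abbrev):
    _check_account(account_id)
    return f"arn:aws:iam::{account_id}:role/{role_name(access_policy, cust_abbrev)}"


def provider_arn(account_id, idp_name):
    _check_account(account_id)
    return f"arn:aws:iam::{account_id}:saml-provider/{idp_name}"


def gsuite_role_attribute(account_id, idp_name, access_policy, cust_abbrev):
    """Value for the Amazon section of the Google user profile: 'roleARN,providerARN'."""
    return f"{role_arn(account_id, access_policy, cust_abbrev)},{provider_arn(account_id, idp_name)}"


def trust_policy(account_id, idp_name):
    """Trust policy a SAML-federated role carries: only the named provider may call
    AssumeRoleWithSAML, and only with an assertion addressed to the AWS sign-in audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account_id, idp_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def check_trust_policy(policy, account_id, idp_name):
    """Return findings for Allow statements that deviate from trust_policy(); [] is clean."""
    expected = provider_arn(account_id, idp_name)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        extra = [a for a in actions if a not in ("sts:AssumeRoleWithSAML", "sts:TagSession")]
        if extra:
            findings.append(f"unexpected action(s): {extra}")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or principal.get("Federated") != expected:
            findings.append(f"principal is not the SAML provider {expected}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append("missing SAML:aud condition")
    return findings


if __name__ == "__main__":
    acct, idp, pol, cust = "123456789012", "NMDGoogle", "AdministratorAccess", "customer_name"
    print("Managed policy:  ", MANAGED_POLICY_ARNS[pol])
    print("Amazon attribute:", gsuite_role_attribute(acct, idp, pol, cust))
    print(json.dumps(trust_policy(acct, idp), indent=2))
```

To audit a live role, feed the `AssumeRolePolicyDocument` returned by `aws iam get-role` into check_trust_policy with the same account number and idpName; any finding means someone other than the intended IdP could be allowed to assume the role.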

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

Setup SSO

The SAML roles installed also work with AWS CLI credentials. We use saml2aws:

brew install saml2aws
saml2aws configure 
   Configuration saved for IDP account: default
   saml2aws configure
   ? Please choose a provider: GoogleApps
   ? AWS Profile saml
   ? URL https://accounts.google.com/o/saml2/initsso?idpid=C03vzt6hn&spid=804580507359&forceauthn=false
   ? Username cking@newmathdata.com
   ? Password ***************
   ? Confirm ***************
   
   account {
     URL: https://accounts.google.com/o/saml2/initsso?idpid=C03vzt6hn&spid=804580507359&forceauthn=false
     Username: cking@newmathdata.com
     Provider: GoogleApps
     MFA: Auto
     SkipVerify: true
     AmazonWebservicesURN: urn:amazon:webservices
     SessionDuration: 3600
     Profile: saml
     RoleARN:
     Region:
   }
saml2aws login
   Using IdP Account default to access GoogleApps https://accounts.google.com/o/saml2/initsso?idpid=C03vzt6hn&spid=804580507359&forceauthn=false
   To use saved password just hit enter.
   ? Username cking@newmathdata.com
   ? Password
   
   Authenticating as cking@newmathdata.com ...
   Check your phone and tap 'Yes' on the prompt. Then press ENTER to continue.
   
   ? Please choose the role Account: 12345678901 / NMD-Admin
   Selected role: arn:aws:iam::12345678901:role/NMD-Admin
   Requesting AWS credentials using SAML assertion.
   Logged in as: arn:aws:sts::12345678901:assumed-role/NMD-Admin/cking@newmathdata.com
   
   Your new access key pair has been stored in the AWS configuration.
   Note that it will expire at 2024-11-18 11:43:24 -0800 PST
   To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile saml ec2 describe-instances).