zsh-saml2aws
oh-my-zsh plugin for saml2aws
Installation
Prerequisites
You do need the following installed. These are OSX defaults, so this should be no surprise.
- python (2 or 3)
- curl
oh-my-zsh
This plugin is intended to be used with oh-my-zsh
$ cd ~/.oh-my-zsh/custom/plugins(you may have to create the folder)$ git clone git@github.com:onyxraven/zsh-saml2aws.git- In your .zshrc, add
zsh-saml2awsto your oh-my-zsh plugins:
plugins=(
git
ruby
zsh-saml2aws
)
zgen
- add
zgen load onyxraven/zsh-saml2awsto your '!saved/save' block zgen update
Features
This plugin is pretty simple - it provides:
- aliases
Aliases
| Alias | parameters | description |
|---|---|---|
| sa | saml2aws command shortcut alias | |
| sal | login to IDP (skips prompts by default) | |
| sae | \ |
execute a command as the profile |
| sash | \ |
open a shell as the profile |
| salr | list roles available to login as | |
| sac | Open a browser to the logged in AWS console | |
| said | output of aws sts get-caller-identity for assumed role (\$profile optional) |
saml2aws configuration
| ENV var | example | information |
|---|---|---|
| SAML2AWSLOGINSESSION_DURATION | 43200 | Length of time (seconds) the "root" federation session is available. This can be up to 12 hours. |
| SAML2AWSSESSIONDURATION | 3600 | Length of time (seconds) the role assume session is available. This will always be <= 1 hour. |
| SAML2AWS_MFA | OLP | Name of the MFA device to use. When unspecified, you will be prompted if there are many, and that is the string to put here. OneLogin Protect for example |
| SAML2AWS_ROLE | arn:aws:iam::$ID:role/$ROLE | ARN of the role to federate to. When unspecified, you will be prompted if there are many. |
| SAML2AWS_PROFILE | saml | aws cli profile (in ~/.aws/config) to use. saml by default. |
| SAML2AWS_URL | https://api.us.onelogin.com | http url to IDP, OneLogin for example. |
script helper configuration
| ENV var | example | information |
|---|---|---|
| AWSDEFAULTREGION | us-east-1 | Default console region |
| SAML2AWSPLBROWSER | com.google.chrome | set the browser opened for sac. By default will use your system default browser if available. |
sac - console login in private browsing window
This alias is currently only supported in OSX.
This alias will open a new browser window after getting the temporary login URL for your federated login.
You can specify a specific browser to handle your login URL by setting SAML2AWS_PL_BROWSER to the bundle name of the
browser. By default, it will pick your default URL handler in MacOS. It supports the following browsers:
SAML2AWS_PL_BROWSER value |
Browser | Description |
|---|---|---|
org.mozilla.firefox |
Firefox | Creates and/or opens a profile with the same name as your aws-vault profile. This allows for multiple profiles to be open simultaneously. |
com.google.chrome |
Chrome | Opens a new private browsing window for the session. This allows for multiple profiles to be open simultaneously. |
TODO
- [ ] list exec-profile names available (via ~/.aws/config)
- [ ] login url to get directly to an assumed role
- at least, to the 'share' url. must parse profile (python?)
- [ ] exec without exec-profile ?
- [ ] prompt segment
- [ ] replace curl with python? or replace python.
Thanks
- Inspired by zsh-aws-vault