
Using Salsa via OIDC to authenticate to AWS



Hi folks

Next step in our quest to have usable AWS accounts is user handling.

I looked into the available options.  Those are local accounts or
federation via SAML or OpenID Connect.  Federation needs both an
external user source and some glue, due to the internal handling in AWS.

Local users work, but require either some sync tool or manual user
setup, and most likely manual password handling.

SAML federation is weird and I found no IdP implementation that allows
proper specification of the required user attributes.

I would like to use OpenID Connect federation against salsa.debian.org
for now.  This needs some glue in the form of a small web application I
implemented.[1]

The login is reachable via
https://awsauth.debian.net/

This setup trusts the following services:
- salsa.debian.org for proper authentication and providing group
  information.
- awsauth.debian.net for translating group information into AWS roles.
  It can't change user information, as the used ID token is signed by
  salsa.

Regards,
Bastian

[1]: https://salsa.debian.org/waldi/oidc-aws
-- 
A Vulcan can no sooner be disloyal than he can exist without breathing.
		-- Kirk, "The Menagerie", stardate 3012.4
