On Tue, 2020-02-18 at 22:06 +0100, Bastian Blank wrote:
> Hi folks
>
> Next step in our quest to have usable AWS accounts is user handling.
>
> I looked into the available options. Those are local accounts or
> federation via SAML or OpenID Connect. Federation needs both an
> external user source and some glue, due to the internal handling in
> AWS.
>
> Local users work, but require either some sync tool or manual user
> setup, and most likely manual password handling.
>
> SAML federation is weird and I found no IdP implementation that allows
> proper specification of the required user attributes.
>
> I would like to use OpenID Connect federation against salsa.debian.org
> for now. This needs some glue in the form of a small web application I
> implemented.[1]
>
> The login is reachable via
> https://awsauth.debian.net/
>
> This setup trusts the following services:
> - salsa.debian.org for proper authentication and providing group
>   information.
> - awsauth.debian.net for translating group information into AWS
>   roles. It can't change user information, as the used ID token is
>   signed by salsa.
>
> Regards,
> Bastian
>
> [1]: https://salsa.debian.org/waldi/oidc-aws

Thanks. I just checked it and it worked - I was able to log in to the AWS
console and see some things. I was not able to do much, but it's a great
start.

Best regards.

-- 
Tomasz Rybak, Debian Developer <serpent@debian.org>
GPG: A565 CE64 F866 A258 4DDC F9C7 ECB7 3E37 E887 AA8C
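The trust split Bastian describes (salsa signs the ID token, the glue only maps group claims to roles and cannot alter them) can be illustrated with a small stand-alone model. This is an added example, not code from waldi/oidc-aws; it assumes an HS256-style shared key with the standard library only (real OIDC ID tokens are RS256/JWKS-verified), a constructed group name and a placeholder AWS account ID.

```python
import base64, hashlib, hmac, json
from typing import Dict, List, Optional

# Constructed demo key standing in for the IdP's signing key. Real ID tokens are
# RS256-signed and verified against the issuer's JWKS; HS256 keeps this runnable offline.
IDP_SECRET = b"constructed-demo-key"
ISSUER = "https://salsa.debian.org"
# Hypothetical group -> role mapping held by the glue service (placeholder account id).
ROLE_MAP: Dict[str, str] = {"cloud-team": "arn:aws:iam::123456789012:role/cloud-team"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(claims: dict) -> str:
    """IdP side: sign header.payload with the key only the IdP holds."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_id_token(token: str, issuer: str) -> Optional[dict]:
    """Glue side: accept claims only if the signature verifies and the issuer matches."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != issuer:
        return None
    return claims

def roles_for_token(token: str, issuer: str = ISSUER) -> List[str]:
    """Translate verified group claims into AWS role ARNs; unverifiable token -> no roles."""
    claims = verify_id_token(token, issuer)
    if claims is None:
        return []
    return [ROLE_MAP[g] for g in claims.get("groups", []) if g in ROLE_MAP]

def rewrite_groups(token: str, groups: List[str]) -> str:
    """Change the groups claim without re-signing: what a party lacking the IdP key can do."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["groups"] = groups
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"
```

A token whose groups claim is edited after signing fails verification and yields no roles, which is the property that lets the glue service be trusted only for mapping, not for identity.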