# saml2aws Documentation for JumpCloud

Instructions for setting up single sign on (SSO) with Amazon AWS using
[JumpCloud][1] and [saml2aws][2].

---

[](TOC)

- [JumpCloud Single Sign On (SSO) with Amazon AWS in IAM](#jumpcloud-single-sign-on-sso-with-amazon-aws-in-iam)
  - [Generate a public certificate and private key pair](#generate-a-public-certificate-and-private-key-pair)
  - [Configure the new application in JumpCloud](#configure-the-new-application-in-jumpcloud)
  - [Configure the new application in AWS](#configure-the-new-application-in-aws)
  - [Assign the new application to groups](#assign-the-new-application-to-groups)
- [AWS Management Console access](#aws-management-console-access)
- [AWS programmatic access](#aws-programmatic-access)
  - [Configure](#configure)
  - [Login](#login)
  - [Use](#use)

[](TOC)

---

## JumpCloud Single Sign On (SSO) with Amazon AWS in IAM

Based on the [instructions from JumpCloud][3], we'll set up administrative access
for our production AWS account. We can then grant this access to our operations
team. We will eventually want to set up administrative access for our other
accounts (dev, test, staging, etc.) as well as access for additional roles:

* We may want to grant our accounts payable team the access they need to pay
  our AWS bill on each of our accounts
* We may want to give our developers the ability to manage EC2 resources on our
  non-production accounts

### Generate a public certificate and private key pair

Based on the [instructions from JumpCloud][4], we'll generate a public
certificate and private key pair for administrative access to our production
AWS account.

Create `production.cnf`:

```
####################################################################
[ ca ]
default_ca = CA_default

####################################################################
[ CA_default ]
default_days = 1095

####################################################################
[ req ]
default_md = SHA256
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name

[req_distinguished_name]
countryName = "US"
stateOrProvinceName = "New Jersey"
localityName = "Fairfield"
organizationName = "Acme Corporation"
organizationalUnitName = "Acme Rocket-Powered Products, Inc."
commonName = "production"
```

Create the key:

```bash
openssl genrsa -out production.key 2048
```

Create the certificate for the key. Pass the validity period on the command
line: `openssl req` does not read `default_days` from `[ CA_default ]` (only
`openssl ca` does) and would otherwise issue a certificate valid for just 30
days:

```bash
openssl req -new -x509 \
  -days 1095 \
  -key production.key \
  -out production.crt \
  -config production.cnf
```

Store the configuration file, the key, and the certificate someplace safe.

> We currently use an [encrypted team repository from Keybase][5] to store our
> credentials and share them with the appropriate team.

### Configure the new application in JumpCloud

As described in JumpCloud's [documentation][3], add a new AWS application and
configure it.

Suggestions:

* Set `https://aws.amazon.com/SAML/Attributes/SessionDuration` to something
  that makes sense for your organization
* We generally create a read-only role and a full role so that users can log
  into the read-only role most of the time and then log into the full role when
  they need to
* The IDP URL can't be changed once it's configured, so make sure it's a good,
  descriptive one

### Configure the new application in AWS

As described in JumpCloud's [documentation][3], configure AWS to match what you
did in JumpCloud.
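Before the certificate generated in the steps above is uploaded to JumpCloud, it is worth confirming that the pair is what the config intends: the key and certificate belong together, the certificate really is valid for three years rather than `openssl req`'s 30-day default, and it is signed with SHA-256. The script below is an added example, not part of the saml2aws docs; it assumes `openssl` is on PATH, and `make_pair` is a hypothetical helper that recreates the README's key and certificate in a scratch directory from a trimmed config.

```shell
#!/bin/sh
# Added example (not from the saml2aws docs): sanity-check the key and
# certificate generated above before uploading the certificate to JumpCloud.
# Assumes openssl is on PATH; file names follow the README.

# Hypothetical helper: generate DIR/production.key and DIR/production.crt the
# way the README does, with a minimal config (only what openssl req reads).
make_pair() {
    cat > "$1/production.cnf" <<'EOF'
[ req ]
default_md = SHA256
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = "production"
EOF
    openssl genrsa -out "$1/production.key" 2048 2>/dev/null
    # -days is required: openssl req ignores [ CA_default ] default_days.
    openssl req -new -x509 -days 1095 -key "$1/production.key" \
        -out "$1/production.crt" -config "$1/production.cnf" 2>/dev/null
}

# Succeeds only if KEY and CERT carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds only if CERT is still valid DAYS days from now
# (catches a certificate that silently got the 30-day default).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Succeeds only if CERT is signed with SHA-256, as default_md requests.
cert_uses_sha256() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'sha256WithRSAEncryption'
}

# SHA-256 fingerprint of CERT, to compare against what JumpCloud shows after upload.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}
```

Run the checks against your real files, e.g. `key_matches_cert production.key production.crt && cert_valid_for_days production.crt 1094`, and compare `cert_fingerprint production.crt` with the fingerprint JumpCloud displays.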

### Assign the new application to groups

Configure groups that should have access to the new application in JumpCloud.

## AWS Management Console access

This is easy. Just log in as one of the users in the group(s) that have access
to the new application. You'll see the new application when you log in; select
it and you will be taken to AWS and logged in. If you configured multiple
roles, you will be asked to choose which role to use.

## AWS programmatic access

This assumes that you already have [saml2aws][2] installed.

### Configure

Configure your application(s) with `saml2aws`. For example:

```bash
saml2aws configure \
  --idp-account='production' \
  --idp-provider='JumpCloud' \
  --mfa='Auto' \
  --url='https://sso.jumpcloud.com/saml2/acme-prod-aws-admin' \
  --username='road.runner@the-acme-corporation.com' \
  --role='arn:aws:iam::012345678987:role/AcmeJumpCloudAdminRO' \
  --skip-prompt
```

> Here we used the IDP URL from above and we set the default role to be the
> read-only role that we suggested above.

This creates (or modifies) `${HOME}/.saml2aws`. You can log in there and make
any additional changes as needed.

> There wasn't an option for `configure` to set the AWS profile so I edited
> `${HOME}/.saml2aws` to set up the profile to point to `production`. This
> allows me to configure `${HOME}/.aws/config`:

```
[default]
output = json
region = us-east-1

[profile production]
region = us-east-2
```

### Login

Command:

```bash
saml2aws login -a production
```

Result:

```
Using IDP Account production to access JumpCloud https://sso.jumpcloud.com/saml2/acme-prod-aws-admin
To use saved password just hit enter.
? Username road.runner@the-acme-corporation.com
? Password **********************************

Authenticating as road.runner@the-acme-corporation.com ...
? MFA Token 987654
Selected role: arn:aws:iam::012345678987:role/AcmeJumpCloudAdminRO
Requesting AWS credentials using SAML assertion
Logged in as: arn:aws:iam::012345678987:role/AcmeJumpCloudAdminRO/road.runner@the-acme-corporation.com

Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2019-01-30 16:29:35 -0700 MST
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile production ec2 describe-instances).
```

This creates a temporary credential in `${HOME}/.aws/credentials`.

### Use

Traditional:

```bash
aws --profile production s3 ls
```

Using `saml2aws exec`:

```bash
saml2aws exec -a production -- aws s3 ls

saml2aws exec -a production -- terraform plan
saml2aws exec -a production -- terraform apply

saml2aws exec -a production -- env | grep AWS
```

[1]: https://jumpcloud.com/
[2]: https://github.com/Versent/saml2aws
[3]: https://support.jumpcloud.com/customer/portal/articles/2384088-single-sign-on-sso-with-amazon-iam
[4]: https://jumpcloud.desk.com/customer/en/portal/articles/2775691#authorize#certs
[5]: https://keybase.io/blog/encrypted-git-for-everyone