How to Setup Google SSO and AWS
Internal authentication and authorization is a common challenge for modern organizations. Ensuring only the right users have access to the right things can be a complicated task, especially as user numbers and third-party service consumption expands. At some point, managing unique credentials for every service, across every user, is untenable. Enter single sign-on.
In this article, we will step through the process of leveraging single sign-on to control user access to Amazon Web Services (AWS) resources via Google’s G Suite accounts.
Before we get started, you will need the following tools:
- AWS account keys with administrator access
- Google G Suite administrator access
- AWS CLI tools (https://aws.amazon.com/cli/)
Setup Google G Suite
First, we will need to set up a custom schema element to hold role information for our users. By default, when you map attributes for SAML applications and pass the roles to AWS, you’ll only be able to select from existing attributes of your users. Examples include:
- Job Title
- Cost Center
- Department
I’ve seen other articles that mention putting a single role ARN in one of these, but it’s really not suitable for that information (especially if you use those fields already).
The solution is to set up a custom attribute for your users:
- Open the Schema Insert Page in the Google Admin Console
- Enter my_customer in customerId
- To the right of the Request Body, select FreeForm Editor from the dropdown list and then paste the following (schemaName should be either SSO or AWS_SAML; note the role field is multi-valued so a user can carry more than one role):
{
  "fields": [
    {
      "fieldName": "role",
      "fieldType": "STRING",
      "multiValued": true,
      "readAccessType": "ADMINS_AND_SELF"
    }
  ],
  "schemaName": "SSO"
}
- Then click Authorize and Execute
Setup the Google G Suite SAML Applications for AWS
You’ll need to configure your Google G Suite account as an identity provider (or IdP) for AWS to use.
Google has written some pretty good instructions for this here. Go check them out and run through them on your own. Otherwise, follow the brief instructions below:
1. Log in to your Google Apps Admin Console
2. Head to the Apps section, then SAML Apps
3. Click Add a Service/App to your domain
4. Select Amazon Web Services
5. Click the Download button next to the IDP Metadata and save it somewhere for later
6. (Optional) Change the application name, description and logo.
7. Set up the Service Provider Details
8. Make sure the ACS URL and Entity ID are set to https://signin.aws.amazon.com/saml
9. Also make sure the Start URL is blank and the Signed Response is unchecked.
10. You'll want the Name ID to be mapped to Basic Information: Primary Email
11. Set the attribute mapping up with the following:
   - https://aws.amazon.com/SAML/RoleSessionName: Basic Information: Primary Email
   - https://aws.amazon.com/SAML/Role: SSO: Role
12. Click Finish
13. Turn the application on by clicking the "settings" button, then Turn ON for everyone. Confirm the dialog when asked.
Setting up the IdP in AWS
You’ll need to tell AWS that you want to use the Google G Suite application you just set up as an IdP. You can do that with the command below:
# aws iam create-saml-provider --saml-metadata-document file://GoogleIDPMetadata-yourdomain.xml --name GoogleAppsProvider
{
"SAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider"
}
Make sure you substitute GoogleIDPMetadata-yourdomain.xml with the path to the IdP metadata file you downloaded earlier. This will spit out a response with the ARN of the identity provider you created, so make sure you note this down for later.
Create Some Roles
1. You'll need to first craft a Trust Policy document to be used with the roles you'll create. Create a new file called GoogleApps_TrustPolicy.json with the following contents:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "<Replace Me with your IdP ARN>"
},
"Action": "sts:AssumeRoleWithSAML",
"Condition": {
"StringEquals": {
"SAML:aud": "https://signin.aws.amazon.com/saml"
}
}
}
]
}
Make sure you replace <Replace Me with your IdP ARN> with the ARN of the identity provider you created earlier. The SAML:aud condition matters: it restricts the role to assertions addressed to the AWS sign-in endpoint, rather than any assertion the provider happens to sign.
2. Run the following command to create the role. Note down the ARN that is returned, as we'll need it later.
# aws iam create-role --role-name GoogleAppsAdminDemo --assume-role-policy-document file://GoogleApps_TrustPolicy.json
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRoleWithSAML",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"SAML:aud": "https://signin.aws.amazon.com/saml"
}
},
"Principal": {
"Federated": "arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider"
}
}
]
},
"RoleId": "AROAIYGHGSVXXXXXXXXXX",
"CreateDate": "2016-03-10T12:19:31.177Z",
"RoleName": "GoogleAppsAdminDemo",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:role/GoogleAppsAdminDemo"
}
3. At this stage, I’ve not attached any permissions to the role — you can read how to do that here
Add some roles to your Google G Suite Users:
1. Open the Patch Users Page in the Google G Suite Console.
2. In the userKey, put the email address of the user you want to update.
3. To the right of the Request body, select Freeform Editor from the drop down list, and paste the following text (replacing the placeholders with the appropriate values you've collected before):
{
  "customSchemas": {
    "SSO": {
      "role": [
        {
          "value": "<role ARN>,<provider ARN>",
          "customType": "SSO"
        }
      ]
    }
  }
}
An example may look something like this (with two roles):
{
  "customSchemas": {
    "SSO": {
      "role": [
        {
          "value": "arn:aws:iam::123456789012:role/GoogleAppsAdminDemo,arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider",
          "customType": "SSO"
        },
        {
          "value": "arn:aws:iam::123456789012:role/GoogleAppsUserDemo,arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider",
          "customType": "SSO"
        }
      ]
    }
  }
}
4. Click Authorize and Execute
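The two JSON documents above (the role trust policy and the users.patch body) are easy to get subtly wrong by hand: an unquoted key, a role and provider from different accounts, or a payload over Google's custom-schema size limit. The following helper, added here as an example and not part of the original article, builds both documents from a list of role ARNs and the provider ARN, validating the ARN formats, the account match and the size as it goes. The ARN values used in the comments and checks are the article's own sample account 123456789012; the 100 KB limit is the one the article's notes mention.

```python
import json
import re

# IAM role and saml-provider ARNs: arn:aws:iam::<12-digit account>:<kind>/<name>
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=,.@/-]+$")
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
SCHEMA_LIMIT_BYTES = 100 * 1024  # Google custom-schema data limit noted in the article


def parse_arn(arn, expected_kind):
    """Return the 12-digit account id of an IAM role or saml-provider ARN, or raise."""
    m = ARN_RE.match(arn)
    if not m or m.group(2) != expected_kind:
        raise ValueError(f"not an IAM {expected_kind} ARN: {arn}")
    return m.group(1)


def trust_policy(provider_arn):
    """Trust policy allowing only this SAML provider to assume the role, and only
    for assertions whose audience is the AWS sign-in endpoint (the SAML:aud check)."""
    parse_arn(provider_arn, "saml-provider")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def user_patch_body(role_arns, provider_arn, schema_name="SSO"):
    """Body for the Directory API users.patch call: one 'role' entry per role,
    each encoded as '<role ARN>,<provider ARN>' as the AWS Role attribute expects."""
    provider_account = parse_arn(provider_arn, "saml-provider")
    entries = []
    for role_arn in role_arns:
        # A SAML provider is an account-level IAM resource, so the role it
        # vouches for must live in the same account.
        if parse_arn(role_arn, "role") != provider_account:
            raise ValueError(f"role and provider are in different accounts: {role_arn}")
        entries.append({"value": f"{role_arn},{provider_arn}", "customType": schema_name})
    body = {"customSchemas": {schema_name: {"role": entries}}}
    size = len(json.dumps(body).encode())
    if size > SCHEMA_LIMIT_BYTES:
        raise ValueError(f"custom schema payload is {size} bytes, over the limit")
    return body
```

Write `json.dumps(trust_policy(...), indent=2)` to GoogleApps_TrustPolicy.json for the create-role step, and paste `json.dumps(user_patch_body(...), indent=2)` into the Freeform Editor.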
Test it out!
Open your Google G Suite account and then select the Amazon Web Services application. It should redirect you to a page that lets you select a role to log in with (only if you assigned multiple roles) or straight to the AWS Console homepage (if you assigned a single role).
Notes:
Some things to note… and these are kinda important.
- Currently, these users can't get AWS keys for the SSO login user.
- There's an Amazon script out there that used to work until Google changed how its login page works.
- I haven't tried AWS STS with this yet.
- I was able to get this working from a long search of random sites using Google.
- If someone gets STS and AWS CLI tokens to work, please email me or even send me a link on how you did it.
- There's a limit on the number of roles you can have, as Google limits custom schema data to 100Kb. I found this to be 5 roles.