How to Setup Google SSO and AWS

Internal authentication and authorization is a common challenge for modern organizations. Ensuring only the right users have access to the right things can be a complicated task, especially as user numbers and third-party service consumption expands. At some point, managing unique credentials for every service, across every user, is untenable. Enter single sign-on.

In this article, we will step through the process of leveraging single sign-on to control user access to Amazon Web Services (AWS) resources via Google’s G Suite accounts.

Before we get started, you will need the following tools:

  • AWS account keys with administrator access
  • Google G Suite administrator access
  • AWS CLI tools (https://aws.amazon.com/cli/)

Setup Google G Suite

First, we will need to set up a custom schema element to hold role information for our users. By default, when you map attributes for SAML applications and pass the roles to AWS, you’ll only be able to select from existing attributes of your users. Examples include:

  • Job Title
  • Cost Center
  • Department

I’ve seen other articles that mention putting a single role ARN in one of these, but it’s really not suitable for that information (especially if you use those fields already).

The Solution is to setup a Custom Attribute for your users.

  • Open the Schema Insert Page in Google Admin Console
  • Enter my_customer in customerId
  • To the right of the Request Body, select FreeForm Editor from the dropdown list and then paste the following (schemaName should be either SSO or AWS_SAML):
{
"fields":
[
{
"fieldName": "role",
"fieldType": "STRING",
"multiValued": true,
"readAccessType": "ADMINS_AND_SELF"
}
],
"schemaName": "SSO",
}
  • Then Click Authorize and Execute

Setup the Google G Suite SAML Applications for AWS

You’ll need to configure your Google G Suite account as an identity provider (or IdP) for AWS to use.

Google has written some pretty good instructions for this here. Go check them out and run through them on your own. Otherwise, follow the brief instructions below:

  1. Login into your Google Apps Admin Console
  2. Head to the Apps Section then SAML Apps
  3. Click Add a Service/App to your domain
  4. Select Amazon Web Services
  5. Click the Download button next to the IDP Metadata and save it somewhere for later
  6. (Optional) Change the application Name, description and logo.
  7. Setup the Service Provider Details
  8. Make sure the ACS URL and Entity ID are set to https://signin.aws.amazon.com/saml
  9. Also make sure the Start URL is blank and the Signed Response is unchecked.
  10. You’ll want the Name ID to be mapped to Basic information: Primary Email
  11. Set the Attribute mapping up with the following:

1. https://aws.amazon.com/SAML/RoleSessionName: Basic Information: Primary Email

2 .https://aws.amazon.com/SAML/Role : SSO : Role

12. Click Finish

13. Turn the application on, by clicking on the “settings” button, then Turn ON for everyone.Confirm the dialog when asked.

Setting up the IdP in AWS

You’ll need to tell AWS that you want to use the Google G Suite application you just set up as an IdP. You can do that with the command below:

# aws iam create-saml-provider --saml-metadata-document file://GoogleIDPMetadata-yourdomain.xml --name GoogleAppsProvider
{
"SAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider"
}

Make sure you substitute GoogleIDPMetadata-yourdomain.xml with the path to the IdP metadata file you downloaded earlier.

This will spit out a response with the ARN of the identity provider you created, so make sure you note this down for later.

Create Some Roles

  1. You’ll need to first craft a Trust Policy document to be used with the roles you’ll create. Create a new file called GoogleApps_TrustPolicy.json with the following contents:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "<Replace Me with your IdP ARN>"
},
"Action": "sts:AssumeRoleWithSAML",
"Condition": {
"StringEquals": {
"SAML:aud": "https://signin.aws.amazon.com/saml"
}
}
}
]
}

Make sure you replace <Replace Me with your IdP ARN> with the ARN of the identity provider you created earlier.

2. Run the following command to create the role. Note down the ARN that is returned as we’ll need it later

# aws iam create-role --role-name GoogleAppsAdminDemo --assume-role-policy-document file://GoogleApps_TrustPolicy.json
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRoleWithSAML",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"SAML:aud": "https://signin.aws.amazon.com/saml"
}
},
"Principal": {
"Federated": "arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider"
}
}
]
},
"RoleId": "AROAIYGHGSVXXXXXXXXXX",
"CreateDate": "2016-03-10T12:19:31.177Z",
"RoleName": "GoogleAppsAdminDemo",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:role/GoogleAppsAdminDemo"
}

3. At this stage, I’ve not attached any permissions to the role — you can read how to do that here

Add some roles to your Google G Suite Users:

  1. Open the Patch Users Page in the Google G Suite Console.
  2. In the userKey put the email address of the user you want to update.
  3. To the right of the Request body, select Freeform Editor from the drop down list, and paste the following text (replacing with the appropriate values you’ve collected before):
{
"customSchemas":
{
"SSO":
{
"role": [
{
value: "<role ARN>,<provider ARN>",
customType: "SSO"
}
]
}
}
}

An example my look something like this (with two roles):

{
"customSchemas":
{
"SSO":
{
"role": [
{
value: "arn:aws:iam::123456789012:role/GoogleAppsAdminDemo,arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider,
customType: "SSO"
},
{
value: "arn:aws:iam::123456789012:role/GoogleAppsUserDemo,arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider,
customType: "SSO"
}
]
}
}
}

4. Click Authorize and Execute

Test it out!

Open your Google G Suite account and then select the Amazon Web Servicesapplication. It should redirect you on to a page that lets you select role to login with (only if you created multiple Roles) or just to the AWS Console Homepage (if you created a single role).

Notes:

Some things to note… and these are kinda important.

  1. Currently, these users can’t get AWS keys for the SSO login user.
  2. There’s a Amazon script out there that used to work until Google changed how its login page works.
  3. I haven’t tried AWS STS with this yet.
  4. I was able to get this working from a long search of random sites using Google.
  5. If someone gets STS and AWS CLI tokens to work, please email me or even send me a link on how you did it.
  6. Theres a limit of the number of roles you can have. As google limits custom schema data to 100Kb. I found this to be 5 roles.
One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.