aws-google-auth
TLDR
Authenticate and get AWS credentials using Google SSO
SYNOPSIS
aws-google-auth [-h] [-u username] [-I idp-id] [-S sp-id] [-R role-arn] [-d duration] [-p profile]
DESCRIPTION
aws-google-auth is a command-line tool that acquires AWS temporary (STS) credentials using Google Workspace (formerly G Suite) as a federated SAML identity provider. It enables single sign-on (SSO) from Google accounts to AWS.
The tool authenticates against Google, retrieves a SAML assertion, and exchanges it for AWS temporary credentials stored in the AWS credentials file. It supports MFA including TOTP and U2F security keys.
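The step between retrieving the SAML assertion and exchanging it for credentials is choosing a role the identity provider actually granted. The following is an added example, not code from aws-google-auth: it parses a constructed SAML response and lists the role and provider ARN pairs carried in the AWS role attribute. The function names, the sample account ID and the role names are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # AWS SAML role attribute

# Constructed sample response (placeholder account ID and names), not real output.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="{ASSERTION_NS}"><saml:Assertion><saml:AttributeStatement>
<saml:Attribute Name="{ROLE_ATTR}">
<saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/Google</saml:AttributeValue>
<saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/Google,arn:aws:iam::123456789012:role/Admin</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode())


def roles_in_assertion(b64_response):
    """Return {role_arn: provider_arn} for each role the assertion offers."""
    # Constructed input only; parse untrusted XML with a hardened parser such as defusedxml.
    root = ET.fromstring(base64.b64decode(b64_response))
    roles = {}
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter(f"{{{ASSERTION_NS}}}AttributeValue"):
            parts = [p.strip() for p in (value.text or "").split(",")]
            # The two ARNs are comma-separated; classify by type, not by position.
            role = next((p for p in parts if ":role/" in p), None)
            provider = next((p for p in parts if ":saml-provider/" in p), None)
            if role and provider:
                roles[role] = provider
    return roles


def select_role(roles, requested=None):
    """Hypothetical helper: accept a requested role only if the IdP granted it."""
    if requested is not None:
        if requested not in roles:
            raise ValueError(f"{requested} is not offered by this assertion")
        return requested, roles[requested]
    if len(roles) == 1:
        return next(iter(roles.items()))
    raise LookupError("several roles offered; an explicit choice is required")


if __name__ == "__main__":
    for role_arn, provider_arn in sorted(roles_in_assertion(SAMPLE_B64).items()):
        print(role_arn, "via", provider_arn)
```

Listing the offered roles this way is a quick audit of what a Google account can assume in AWS before any credentials are issued.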
PARAMETERS
-u, --username
Google account email address
-I, --idp-id
Google Identity Provider ID
-S, --sp-id
Google Service Provider ID for AWS
-R, --role-arn
AWS IAM role ARN to assume
-d, --duration
Credential duration in seconds (default: 3600)
-p, --profile
AWS profile name to store credentials
-a, --ask-role
Prompt for role selection even if only one available
--no-cache
Disable caching of IDP and SP IDs
CAVEATS
Requires SAML SSO configuration between Google Workspace and AWS IAM. U2F security keys do not work in Docker containers due to USB device access limitations. The Google IDP and SP IDs must be obtained from the Google Admin console under SAML Apps settings.
HISTORY
Created by Cevo Australia as an open-source tool to bridge Google Workspace authentication with AWS. First released around 2017 to address the need for Google-based SSO to AWS accounts. Available via PyPI and Docker Hub.


