LinuxCommandLibrary

aws-google-auth

Authenticate AWS CLI using Google credentials

TLDR

Log in with Google SSO using the specified username, IdP and SP identifiers, and set the credentials duration to one hour
$ aws-google-auth [[-u|--username]] [example@example.com] [[-I|--idp-id]] [$GOOGLE_IDP_ID] [[-S|--sp-id]] [$GOOGLE_SP_ID] [[-d|--duration]] [3600]

Log in asking which role to use (in case of several available SAML roles)
$ aws-google-auth [[-u|--username]] [example@example.com] [[-I|--idp-id]] [$GOOGLE_IDP_ID] [[-S|--sp-id]] [$GOOGLE_SP_ID] [[-d|--duration]] [3600] [[-a|--ask-role]]

Resolve aliases for AWS accounts
$ aws-google-auth [[-u|--username]] [example@example.com] [[-I|--idp-id]] [$GOOGLE_IDP_ID] [[-S|--sp-id]] [$GOOGLE_SP_ID] [[-d|--duration]] [3600] [[-a|--ask-role]] --resolve-aliases

Display help
$ aws-google-auth [[-h|--help]]

SYNOPSIS

aws-google-auth [options]

PARAMETERS

--profile profile_name
    Specifies the AWS CLI profile to configure. If not provided, defaults to 'default'.

--google-email email_address
    Specifies the Google email address to use for authentication. If not provided, the tool will prompt for it.

--region aws_region
    Specifies the AWS region to use. If not provided, it will attempt to read from the AWS CLI configuration or use the default region.

--role-arn arn
    The ARN of the IAM role to assume. This role must be configured to trust the Google identity provider.

--duration-seconds seconds
    The duration, in seconds, that the STS credentials should be valid (default 3600 seconds, maximum 43200 seconds).

--no-browser
    Prevents the tool from automatically opening the browser for authentication. Useful for headless environments. Instead, it will output a URL you can copy and paste into a browser.

--configure-awscli
    Configures the AWS CLI profile with the assumed-role credentials; enabled when the flag is present.

--client-id client_id
    Google application client ID. Usually provided by environment variable.

--client-secret client_secret
    Google application client secret. Usually provided by environment variable.

--debug
    Enables debug logging.

--version
    Show program's version number and exit.

--help
    Show program's help message and exit.

DESCRIPTION

The `aws-google-auth` command is a utility that simplifies authenticating the AWS Command Line Interface (CLI) using Google Identity Platform credentials. Instead of managing AWS IAM users and access keys directly, it leverages your existing Google account for authentication. This is particularly useful where centralized identity management is preferred, such as in organizations already using Google Workspace. The command handles the OAuth 2.0 flow, retrieves temporary AWS credentials (via AWS STS), and configures the AWS CLI with them, allowing seamless interaction with AWS services from your terminal. Its underlying purpose is to map a Google identity into the AWS authorization realm without storing long-lived AWS keys on the workstation or in the cloud, which limits the blast radius if credentials are stolen.

This allows users to access AWS resources using their familiar Google accounts. It avoids the need to create and manage separate IAM users and access keys for each user. The tool simplifies the management of AWS identities with federated user management through Google.

CAVEATS

Requires appropriate IAM role and trust policy configuration in AWS. Requires an OAuth client configured in the Google Cloud Console. Ensure the AWS CLI is installed and configured.

WORKFLOW

The typical workflow involves obtaining OAuth 2.0 credentials from Google, using those credentials to request temporary AWS credentials from AWS STS (Security Token Service) by assuming a pre-configured IAM role, and then configuring the AWS CLI with the temporary credentials.
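The last step of that workflow leaves temporary credentials in the AWS CLI credentials file. The script below is an added example, not part of aws-google-auth, that audits such a file: it reports per profile whether the profile holds temporary STS credentials (a session token is present) or a long-lived access key, and how long a temporary credential has left when an expiration timestamp is recorded. The sample file, its key values and the `aws_session_expiration` key are constructed for the example; the tool's real output may differ.

```python
"""Audit an AWS CLI credentials file for long-lived keys.

Added example, not part of aws-google-auth. Reads a credentials file in the
AWS CLI INI format and classifies each profile as temporary (STS credentials
with a session token) or long-lived (a plain IAM access key). Point it at
~/.aws/credentials to confirm that the federated profile, and ideally every
profile, carries only temporary keys.
"""
import configparser
import sys
from datetime import datetime, timezone

# Constructed sample in the AWS CLI credentials-file format. Key IDs, secrets
# and tokens are placeholders. `aws_session_expiration` is an assumption about
# a key a federation tool may write beside the credentials; it is optional.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLE0000000001
aws_secret_access_key = EXAMPLESECRETKEY00000000000000000000001

[google]
aws_access_key_id = ASIAEXAMPLE0000000002
aws_secret_access_key = EXAMPLESECRETKEY00000000000000000000002
aws_session_token = EXAMPLESESSIONTOKEN
aws_session_expiration = 2024-05-01T13:00:00+0000
"""

# Fixed reference time so the report over the sample is reproducible.
FIXED_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def audit_profiles(text, now=None):
    """Map profile name -> {"temporary": bool, "seconds_left": int | None}.

    A profile counts as temporary only when it carries aws_session_token:
    STS never issues credentials without one, and long-lived IAM user keys
    never have one.
    """
    now = now or datetime.now(timezone.utc)
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    report = {}
    for name in cfg.sections():
        section = cfg[name]
        temporary = "aws_session_token" in section
        seconds_left = None
        if temporary and "aws_session_expiration" in section:
            expires = datetime.strptime(section["aws_session_expiration"],
                                        "%Y-%m-%dT%H:%M:%S%z")
            seconds_left = int((expires - now).total_seconds())
        report[name] = {"temporary": temporary, "seconds_left": seconds_left}
    return report


def long_lived_profiles(report):
    """Names of profiles that still hold a long-lived access key."""
    return sorted(name for name, entry in report.items() if not entry["temporary"])


def audit_file(path):
    """Audit a credentials file on disk with the current time as reference."""
    with open(path, encoding="utf-8") as fh:
        return audit_profiles(fh.read())


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the sample.
    if len(sys.argv) > 1:
        result = audit_file(sys.argv[1])
    else:
        result = audit_profiles(SAMPLE_CREDENTIALS, FIXED_NOW)
    for name, entry in result.items():
        kind = "temporary" if entry["temporary"] else "LONG-LIVED"
        left = "" if entry["seconds_left"] is None else f", {entry['seconds_left']}s left"
        print(f"{name}: {kind}{left}")
    if long_lived_profiles(result):
        print("long-lived keys present:", ", ".join(long_lived_profiles(result)))
```

Run as `python audit_creds.py ~/.aws/credentials` after a login; any profile reported as LONG-LIVED is a key that the federated flow was meant to make unnecessary.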

SECURITY CONSIDERATIONS

It's crucial to properly configure the IAM role's trust policy to restrict who can assume it based on Google identity attributes (e.g., email address, Google group membership). Store your Google OAuth 2.0 client ID and client secret securely, ideally as environment variables and not directly in scripts or configuration files. Regularly review and update your IAM role permissions.
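The trust-policy advice above can be checked mechanically. The following is an added example, not part of aws-google-auth or of AWS, that shows a weak trust policy beside a hardened one and audits each Allow statement for three things: the Principal is exactly the federated Google provider, the SAML audience is pinned, and an identity attribute restricts who may assume the role. It assumes the SAML-based role assumption the TLDR examples refer to; the provider ARN, account id, the use of `SAML:sub` as the e-mail attribute and the e-mail addresses are assumptions for illustration, not values from the page.

```python
"""Audit an IAM role trust policy used for Google-federated AssumeRole.

Added example, not part of aws-google-auth or of AWS. Encodes the checks
the SECURITY CONSIDERATIONS section describes and applies them to a weak
and a hardened policy. Provider ARN, account id, attribute key and e-mail
values are placeholders.
"""
import json

SAML_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/Google"  # placeholder account id
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Weak: anyone who can obtain an assertion from the provider may assume the
# role, and nothing pins the audience. The audit below flags both gaps.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
    }],
}

# Hardened: same principal and action, plus an audience pin and an explicit
# list of permitted identities (SAML:sub assumed to carry the e-mail address).
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {
            "StringEquals": {
                "SAML:aud": AWS_SAML_AUDIENCE,
                "SAML:sub": ["alice@example.com", "bob@example.com"],
            }
        },
    }],
}


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_trust_policy(policy, provider_arn):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a in ("*", "sts:*") for a in actions):
            findings.append(f"statement {i}: wildcard Action, expected only sts:AssumeRoleWithSAML")
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if federated != [provider_arn]:
            findings.append(f"statement {i}: Principal must be exactly the Google SAML provider")
        # Flatten {"StringEquals": {"SAML:aud": ...}, ...} to its condition
        # keys; IAM treats condition keys case-insensitively.
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "saml:aud" not in keys:
            findings.append(f"statement {i}: no SAML:aud condition, audience is not pinned")
        if not any(k.startswith("saml:") and k != "saml:aud" for k in keys):
            findings.append(f"statement {i}: no identity attribute condition, "
                            "any user the IdP asserts can assume the role")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(f"{label}: {audit_trust_policy(policy, SAML_PROVIDER_ARN) or 'ok'}")
    print(json.dumps(HARDENED_TRUST_POLICY, indent=2))
```

Feed it the JSON returned by `aws iam get-role` (the `AssumeRolePolicyDocument` field) to review an existing role; a hardened policy should produce no findings, and the remaining review is whether the listed identities are still the right ones.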

SEE ALSO

aws(1), sts(1)
