{"id":550,"date":"2017-05-04T17:52:44","date_gmt":"2017-05-04T15:52:44","guid":{"rendered":"https:\/\/blog.besharp.it\/creative-idea-single-sign-on-with-g-suite-for-development-clients\/"},"modified":"2021-03-29T16:26:42","modified_gmt":"2021-03-29T14:26:42","slug":"creative-idea-single-sign-on-with-g-suite-for-development-clients","status":"publish","type":"post","link":"https:\/\/blog.besharp.it\/creative-idea-single-sign-on-with-g-suite-for-development-clients\/","title":{"rendered":"Creative idea: Single-sign-on with G Suite for development clients!"},"content":{"rendered":"

In the last article, we discussed how to use corporate G Suite accounts to log in via Single Sign-On (SSO) to the Amazon Web Services web console.\n

Access to the web console covers only some of the needs of people who work with AWS every day. In particular, developers and DevOps engineers almost always need an access key\/secret key pair on their PCs to use the AWS CLI, to call individual AWS APIs (such as those of the newer AI services, Rekognition and Lex), and to use desktop applications that call the AWS APIs under the hood (for example, the various S3-based file managers such as the excellent CloudBerry File Explorer, or Git clients for CodeCommit).\n

Access keys and secret keys are not directly bound to an IAM role (whose use through the AssumeRole API we have already seen to be a security best practice) but require a dedicated IAM user, which defeats the purpose of assuming an AWS role with centrally managed credentials.\n

With no way around this limitation, a somewhat creative solution was needed, and so we at beSharp came up with beAuth.\n

[Figure: At startup, the program shows the G Suite login screen (which may be combined with Google\u2019s two-factor authentication)]\n

beAuth is a small piece of software that can be installed as an agent within the operating system. It uses G Suite credentials and the SAML-based SSO mechanism (which we saw in the previous article) to generate temporary access key\/secret key pairs bound to the assumed IAM role, and it writes them into the AWS CLI configuration, rotating them at predetermined intervals (typically 1 hour). As a result, the CLI and every tool that relies on it can access AWS resources by temporarily inheriting the permissions of the assumed role, without the need for a dedicated IAM user.\n

[Figure: beAuth\u2019s control panel shows the session information (the session lasts 12 hours by default) and the validity period of the access\/secret key pair (which expires after one hour); it identifies the logged-in user, the IAM role assumed, and the keys that are active at any given moment. The active key is configured automatically in the AWS CLI by default]\n

Furthermore, since an IAM role can even be assumed cross-account with the same (properly configured) G Suite credentials, access\/secret key pairs can be obtained for different accounts. This is extremely useful when the company has multiple AWS accounts (such as test, staging and production) or when you administer multiple AWS accounts on behalf of several clients.\n

For software that does not rely on the AWS CLI but needs an access\/secret key pair to be entered directly, beAuth can generate disposable pairs that last up to 1 hour and can be pasted in manually as needed for individual calls or working sessions.\n

[Figure: These keys can be regenerated as needed and copied and pasted into any third-party application]\n

There are many advantages to this solution:\n