Active Directory資産を活用したAWS API認証
はじめに
藤本です。
Active Directory資産活用シリーズです。 過去に2回、オンプレミスにあるActive Directory資産を活用したManagement Consoleへシングルサインオンする方法をご紹介しました。
第一回 : Active Directory資産を活用したAWS Management ConsoleへのSSO 第二回 : Active Directory資産を活用したAWS Management ConsoleへのSSO(AD Connector編)
AWSを利用する時、Management ConsoleからのGUI操作だけでよいでしょうか?そうですよね。API操作もしたいですよね。
ということで今回はActive Directoryでユーザー認証し、API操作する方法をご紹介します。
概要
AWSにAPIを発行する時の認証方法は大きく以下の2パターンがあります。
- AccessKeyId + SecretAccessKey
- AccessKeyId + SecretAccessKey + SecurityToken
前者は永続的なキーとなり、後者は一時的なキーとなります。今回の方法は後者となり、ADFSから発行されたSAML ResponseをSTSに渡すことで、一時的な認証情報(AccessKeyId、SecretAccessKey、SecurityToken)を受け取ることができます。
以下のような流れとなります。
- Client -> ADFS (ユーザー認証リクエスト)
- ADFS -> AD (ユーザー認証)
- AD -> ADFS (認証結果)
- ADFS -> Client (SAML Response)
- Client -> STS Endpoint (SAML ResponseでAssumeRole)
- STS Endpoint -> Client (Temporary Security Credential)
- ClientからのAPI発行!!
環境
接続元 : オンプレミス(自宅)
- AD OS : Windows Server 2012R2 ミドルウェア : Active Directory ドメインサービス、DNSサーバー ADドメイン : fujimoto-home.local 利用するADアカウント : sfujimoto (所属グループ : AWS-developer、メールアドレス : [email protected])
-
ADFS OS : Windows Server 2012R2 ミドルウェア : Active Directory Federation Services
やってみた
設定
ADFS、AWSのSAML認証の設定は過去のエントリをご参照ください。
Active Directory資産を活用したAWS Management ConsoleへのSSO
SAML Response発行
ADFSに対してHTTPリクエストを発行することでSAML Responseを発行することができます。inputタグのValueがSAML ResponseがBase64エンコードされた値となります。AWSにはこのまま引き渡すのでコピーしてください。
# curl -ks -c cookies.txt -d 'Username=@&Password=&AuthMethod=FormsAuthentication' -X POST "https:///adfs/ls/idpinitiatedsignon/?loginToRp=urn:amazon:webservices" # curl -ks -L -c cookies.txt -b cookies.txt -X GET "https:///adfs/ls/idpinitiatedsignon/?loginToRp=urn:amazon:webservices" <form action="https://signin.aws.amazon.com:443/saml" method="POST" name="hiddenform"><input name="SAMLResponse" type="hidden" value="PHNhbWxwOlJlc3BvbnNlIElEPSJfNjQ3Y2QzZmUtMjE4OC00MWY3LTgyY2ItYTU3YmFiNmI5NTU5IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNS0wOS0yNFQxNDoyODowOS43OTlaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zaWduaW4uYXdzLmFtYXpvbi5jb20vc2FtbCIgQ29uc2VudD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNvbnNlbnQ6dW5zcGVjaWZpZWQiIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxJc3N1ZXIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly9hZGZzLmZ1amltb3RvLWhvbWUubG9jYWwvYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIgLz48L3NhbWxwOlN0YXR1cz48QXNzZXJ0aW9uIElEPSJfNmJkMjNiMzQtMDcwNy00NjM4LWIxYjYtOGZkMmY4NGQ1NWIzIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMDktMjRUMTQ6Mjg6MDkuNzk5WiIgVmVyc2lvbj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PElzc3Vlcj5odHRwOi8vYWRmcy5mdWppbW90by1ob21lLmxvY2FsL2FkZnMvc2VydmljZXMvdHJ1c3Q8L0lzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIgLz48ZHM6UmVmZXJlbmNlIFVSST0iI182YmQyM2IzNC0wNzA3LTQ2MzgtYjFiNi04ZmQyZjg0ZDU1YjMiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIgLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2IiAvPjxkczpEaWdlc3RWYWx1ZT5rZmp5bk5QalpYR2hoODRlQkJRaDA2YVdESnBvN3BkakFJaXJONkU2N3M0PTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5TZjQrbm01elZ2OEtNUGFKdzlZM01oWDNyUldSRHBVa1RIWlRWNmwyMGRuaHpOWXJ0czNIeVM3S213Mmlod2RkWDExMklLRlRRTVovSHJaaExka0tOSW1aTlFDckpEdVk0TUdRd0V0L2tFM0taejZJUDR1U0xsS2JLb1VlNjMrNG9JSlFNdk1ucmUweDQva2h2clpGemZQMnIrSGRPaDdKQkFudGJPNmtaRWVLWmovSDZrQk1wNDJqM2hwQTRXMFVBdER0WWtBWXZRbDNudWlUNE92Wkk4UXNDYnJSWjNvZFMxa0dxQkxsV2FiWXVoQ0x0M01GMExkUTJlVHhBcDRPUmpUT2hrcGJiQTI2WC8vdlVPZnRLbHZRNEZTdzhNWmo4RGx2UXpqVlpvejBFd0NFNTcvVUZXUEw4dmpwQnFIdUcvRHpxVjVubXE0bXZKbkdJWXZrWHc9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PEtleUluZm8geG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUM3RENDQWRTZ0F3SUJBZ0lRVnhDUWVGNXh6b0ZHTzBMbzc3OXNkakFOQmdrcWhraUc5dzBCQVFzRkFEQXlNVEF3TGdZRFZRUURFeWRCUkVaVElGTnBaMjVwYm1jZ0xTQmhaR1p6TG1aMWFtbHRiM1J2TFdodmJXVXViRzlqWVd3d0hoY05NVFV3T0RFNU1UVXhNak0xV2hjTk1UWXdPREU0TVRVeE1qTTFXakF5TVRBd0xnWURWUVFERXlkQlJFWlRJRk5wWjI1cGJtY2dMU0JoWkdaekxtWjFhbWx0YjNSdkxXaHZiV1V1Ykc5allXd3dnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDe000000000000000000000000000000000oRUNWTGY0K2RPWC9ZSVNtbTBNTURxbVhFNTFNZm1TQzI5aWN3Z2s4SFIxZDRKSFZHZk0zT1krRWhwRkVtUysyZFlvcDQyQXBHbHlnY1ZsNUZzUVRKWW9ZYmg2dXZEMmcwM1dSQUdFbS9wSHRzQWJoMDlwbisvZ0pxeWVWZUNNRzRoY2h3Kzd3WUR2TW1mOTkrZElPbVFlcHVuMTVTU1d1WjdiYTl5WnRQNzhmamhncFJDNERJVVFxQmpnVDlMbjZuM2Y0blpUMTNFcUdwcFYzaHdHZHpnb2NNVlZqTklXZFZGa2gxSkIzSlhKTEt6MFJZbHB5VEwzcDZVQ2RzY3VnQ2p1NjlURy9zR3h1SnBsVnVqMXQrb3owcmluWEdNOGNZdWhTdVkveEdMd0ZmOXczQnExaFF4MTdBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDQWN4M0JabUFtQ3BFd29qVWJNbXZONXJkT3dWMEhQSXhQMVV1amdQNDZMV2tsLzdBbVV3aUFpK0xUZXNmVHE3UTViT0pkcEp6YkMydXN6UkNnODFiR0JaSmZSSU9mZnU2amZ1WEovT1A0Yllsc1B5VHV6TzR3TnhhcWlMTXFRRklWOGNiWXVCVUhFTldMVUhmTEdBdWowdzF5M2NUdUdzQ3FWNk1FdFkrMmlUWkNPRUZNcnc0V25VRlNPSDJ5SGpNOFdXZEhycFhQMytxWVk0bU9IaUt5MFJzQUZLelVSUlAxVk9FREpFWHkycE9xWkZ6QXAxUHg4ZGhFTW53VWczVExJOVVQbmR4ZlZzM0FmeEpZSXpjcTAyZlY0R05MQTlQby9hNmVzck5DbzJrTWJQZUFyVVdnVjVGL2g5SVZjVTV4c2lMWkVnSEpPcVFmdW9sZ2V5a2M9PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L0tleUluZm8+PC9kczpTaWduYXR1cmU+PFN1YmplY3Q+PE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiPkZVSklNT1RPLUhPTUVcc2Z1amltb3RvPC9OYW1lSUQ+PFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDE1LTA5LTI0VDE0OjMzOjA5Ljc5OVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9zaWd000000000000000000000000000lY3RDb25maXJtYXRpb24+PC9TdWJqZWN0PjxDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNS0wOS0yNFQxNDoyODowOS43OTlaIiBOb3RPbk9yQWZ0ZXI9IjIwMTUtMDktMjRUMTU6Mjg6MDkuNzk5WiI+PEF1ZGllbmNlUmVzdHJpY3Rpb24+PEF1ZGllbmNlPnVybjphbWF6b246d2Vic2VydmljZXM8L0F1ZGllbmNlPjwvQXVkaWVuY2VSZXN0cmljdGlvbj48L0NvbmRpdGlvbnM+PEF0dHJpYnV0ZVN0YXRlbWVudD48QXR0cmlidXRlIE5hbWU9Imh0dHBzOi8vYXdzLmFtYXpvbi5jb20vU0FNTC9BdHRyaWJ1dGVzL1JvbGVTZXNzaW9uTmFtZAI+PEF0dHJpYnV0ZVZhbHVlPnNmdWppbW90b0BmdWppbW90by1ob21lLmxvY2FsPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48QXR0cmlidXRlIE5hbWU9Imh0dHBzOi8vYXdzLmFtYXpvbi5jb20vU0FNTC9BdHRyaWJ1dGVzL1JvbGUiPjxBdHRyaWJ1dGVWYWx1ZT5hcm46YXdzOmlh3To6MjkwNTM2NDg0NzcxOnNhbWwtcHJvdmlkZXIvZnVqaW1vdG8taG9tZSwgYXJuOmF3czppYW06OjI5MDUzNjQ4NDc3MTpyb2xlL0FERlMtZGV2ZWxvcGVyPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48L0F0dHJpYnV0ZVN0YXRlbWVudD43QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE1LTA5LTI0VDE0OjI3OjU4Ljc4M1oiIFNlc3Npb25JbmRleD0iXzZiZDIzYjM0LTA3MDctNDYzOC1iMWI2LThmZDJmODRkNTViMyI+PEF1dGhuQ29udGV4dD48QXV0aG1Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L0F1dGhuQ29udGV4dENsYXNzUmVmPjwvQXV0aG5Db250ZXh0PjwvQXV0aG5TdGF0ZW1lbnQ+PC9Bc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=" /><noscript> スクリプトが無効です。続けるには、[送信] をクリックしてください。 <input type="submit" value="Submit" /></noscript> </form><script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script>
もちろんbase64ですのでデコードすることが可能です。
# echo "PHNhbWxwOlJlc3BvbnNlIElEPSJfNjQ3Y2QzZmUtMjE4OC00MWY3LTgyY2ItYTU3YmFiNmI5NTU5IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNS0wOS0yNFQxNDoyODowOS43OTlaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zaWduaW4uYXdzLmFtYXpvbi5jb20vc2FtbCIgQ29uc2VudD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNvbnNlbnQ6dW5zcGVjaWZpZWQiIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxJc3N1ZXIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly9hZGZzLmZ1amltb3RvLWhvbWUubG9jYWwvYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIgLz48L3NhbWxwOlN0YXR1cz48QXNzZXJ0aW9uIElEPSJfNmJkMjNiMzQtMDcwNy00NjM4LWIxYjYtOGZkMmY4NGQ1NWIzIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMDktMjRUMTQ6Mjg6MDkuNzk5WiIgVmVyc2lvbj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PElzc3Vlcj5odHRwOi8vYWRmcy5mdWppbW90by1ob21lLmxvY2FsL2FkZnMvc2VydmljZXMvdHJ1c3Q8L0lzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIgLz48ZHM6UmVmZXJlbmNlIFVSST0iI182YmQyM2IzNC0wNzA3LTQ2MzgtYjFiNi04ZmQyZjg0ZDU1YjMiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIgLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2IiAvPjxkczpEaWdlc3RWYWx1ZT5rZmp5bk5QalpYR2hoODRlQkJRaDA2YVdESnBvN3BkakFJaXJONkU2N3M0PTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5TZjQrbm01elZ2OEtNUGFKdzlZM01oWDNyUldSRHBVa1RIWlRWNmwyMGRuaHpOWXJ0czNIeVM3S213Mmlod2RkWDExMklLRlRRTVovSHJaaExka0tOSW1aTlFDckpEdVk0TUdRd0V0L2tFM0taejZJUDR1U0xsS2JLb1VlNjMrNG9JSlFNdk1ucmUweDQva2h2clpGemZQMnIrSGRPaDdKQkFudGJPNmtaRWVLWmovSDZrQk1wNDJqM2hwQTRXMFVBdER0WWtBWXZRbDNudWlUNE92Wkk4UXNDYnJSWjNvZFMxa0dxQkxsV2FiWXVoQ0x0M01GMExkUTJlVHhBcDRPUmpUT2hrcGJiQTI2WC8vdlVPZnRLbHZRNEZTdzhNWmo4RGx2UXpqVlpvejBFd0NFNTcvVUZXUEw4dmpwQnFIdUcvRHpxVjVubXE0bXZKbkdJWXZrWHc9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PEtleUluZm8geG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUM3RENDQWRTZ0F3SUJBZ0lRVnhDUWVGNXh6b0ZHTzBMbzc3OXNkakFOQmdrcWhraUc5dzBCQVFzRkFEQXlNVEF3TGdZRFZRUURFeWRCUkVaVElGTnBaMjVwYm1jZ0xTQmhaR1p6TG1aMWFtbHRiM1J2TFdodmJXVXViRzlqWVd3d0hoY05NVFV3T0RFNU1UVXhNak0xV2hjTk1UWXdPREU0TVRVeE1qTTFXakF5TVRBd0xnWURWUVFERXlkQlJFWlRJRk5wWjI1cGJtY2dMU0JoWkdaekxtWjFhbWx0YjNSdkxXaHZiV1V1Ykc5allXd3dnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDe000000000000000000000000000000000oRUNWTGY0K2RPWC9ZSVNtbTBNTURxbVhFNTFNZm1TQzI5aWN3Z2s4SFIxZDRKSFZHZk0zT1krRWhwRkVtUysyZFlvcDQyQXBHbHlnY1ZsNUZzUVRKWW9ZYmg2dXZEMmcwM1dSQUdFbS9wSHRzQWJoMDlwbisvZ0pxeWVWZUNNRzRoY2h3Kzd3WUR2TW1mOTkrZElPbVFlcHVuMTVTU1d1WjdiYTl5WnRQNzhmamhncFJDNERJVVFxQmpnVDlMbjZuM2Y0blpUMTNFcUdwcFYzaHdHZHpnb2NNVlZqTklXZFZGa2gxSkIzSlhKTEt6MFJZbHB5VEwzcDZVQ2RzY3VnQ2p1NjlURy9zR3h1SnBsVnVqMXQrb3owcmluWEdNOGNZdWhTdVkveEdMd0ZmOXczQnExaFF4MTdBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDQWN4M0JabUFtQ3BFd29qVWJNbXZONXJkT3dWMEhQSXhQMVV1amdQNDZMV2tsLzdBbVV3aUFpK0xUZXNmVHE3UTViT0pkcEp6YkMydXN6UkNnODFiR0JaSmZSSU9mZnU2amZ1WEovT1A0Yllsc1B5VHV6TzR3TnhhcWlMTXFRRklWOGNiWXVCVUhFTldMVUhmTEdBdWowdzF5M2NUdUdzQ3FWNk1FdFkrMmlUWkNPRUZNcnc0V25VRlNPSDJ5SGpNOFdXZEhycFhQMytxWVk0bU9IaUt5MFJzQUZLelVSUlAxVk9FREpFWHkycE9xWkZ6QXAxUHg4ZGhFTW53VWczVExJOVVQbmR4ZlZzM0FmeEpZSXpjcTAyZlY0R05MQTlQby9hNmVzck5DbzJrTWJQZUFyVVdnVjVGL2g5SVZjVTV4c2lMWkVnSEpPcVFmdW9sZ2V5a2M9PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L0tleUluZm8+PC9kczpTaWduYXR1cmU+PFN1YmplY3Q+PE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiPkZVSklNT1RPLUhPTUVcc2Z1amltb3RvPC9OYW1lSUQ+PFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDE1LTA5LTI0VDE0OjMzOjA5Ljc5OVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9zaWd000000000000000000000000000lY3RDb25maXJtYXRpb24+PC9TdWJqZWN0PjxDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNS0wOS0yNFQxNDoyODowOS43OTlaIiBOb3RPbk9yQWZ0ZXI9IjIwMTUtMDktMjRUMTU6Mjg6MDkuNzk5WiI+PEF1ZGllbmNlUmVzdHJpY3Rpb24+PEF1ZGllbmNlPnVybjphbWF6b246d2Vic2VydmljZXM8L0F1ZGllbmNlPjwvQXVkaWVuY2VSZXN0cmljdGlvbj48L0NvbmRpdGlvbnM+PEF0dHJpYnV0ZVN0YXRlbWVudD48QXR0cmlidXRlIE5hbWU9Imh0dHBzOi8vYXdzLmFtYXpvbi5jb20vU0FNTC9BdHRyaWJ1dGVzL1JvbGVTZXNzaW9uTmFtZAI+PEF0dHJpYnV0ZVZhbHVlPnNmdWppbW90b0BmdWppbW90by1ob21lLmxvY2FsPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48QXR0cmlidXRlIE5hbWU9Imh0dHBzOi8vYXdzLmFtYXpvbi5jb20vU0FNTC9BdHRyaWJ1dGVzL1JvbGUiPjxBdHRyaWJ1dGVWYWx1ZT5hcm46YXdzOmlh3To6MjkwNTM2NDg0NzcxOnNhbWwtcHJvdmlkZXIvZnVqaW1vdG8taG9tZSwgYXJuOmF3czppYW06OjI5MDUzNjQ4NDc3MTpyb2xlL0FERlMtZGV2ZWxvcGVyPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48L0F0dHJpYnV0ZVN0YXRlbWVudD43QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE1LTA5LTI0VDE0OjI3OjU4Ljc4M1oiIFNlc3Npb25JbmRleD0iXzZiZDIzYjM0LTA3MDctNDYzOC1iMWI2LThmZDJmODRkNTViMyI+PEF1dGhuQ29udGV4dD48QXV0aG1Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L0F1dGhuQ29udGV4dENsYXNzUmVmPjwvQXV0aG5Db250ZXh0PjwvQXV0aG5TdGF0ZW1lbnQ+PC9Bc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=" |base64 -D http:///adfs/services/trusthttp:///adfs/services/trustkfjynNPjZXGhh84eBBQh06aWDJpo7pdjAIirN6E67s4=Sf4+nm5zVv8KMPaJw9Y3MhX3rRWRDpUkTHZTV6l20dnhzNYrts3HyS7Kmw2ihwddX112IdFTQMZ/HrZhLdkKNImZNQCrJDuY4MGQwEt/kE3KZz6IP4uSLlKbKoUe63+4oIJQMvMnre0x4/khvrZFzfP2r+HdOh7JBAntbO6kZEeKZj/H6kBMp42j3hpA4W0UAtDtYkAsvQl3nuiT4OvZI8QsCbrRZ3odS1kGqBLlWabYuhCLt3MF0LdQ2eTxAp4ORjTOhkpbbA26X//vUOftKlvQ4FSw8MZj8DlvQzjVZoz0EwCE57/UFWPL8vjpBqHuG/DzqV5nmq4mvJnGIYvkXw==MIIC7DCCAdSgAwIBAgIQVxCQeF5xzoFGO0Lo779sdjANBgkqhkiG9w0BAQsFADAyMTAwLgYDVQQDEydBREZTIFNpZ25pbmcgLSBhZGZzLmZ1amltb3RvLWhvbWUubG9jYWwwHhcNMTUwODE5MTUxMjM1WhcNMTYwODE4MTUxMjM1WjAyMTAwLgYDVQQDEydBREZTIFNpZ25pbmcgLSBhZGZzLmZ1amltb3RvLWhvbWUubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxJoAv3zKf3erfpzbuBsnmlj223OxHhECVLf4+dOX/YISmm0MMDqmXE51MfmSC29icwgk8HR1d4JHVGfM3OY+EhpFEmS+2dYop42ApGlygcVl5FsQTJYoYbh6uvD2g03WRAGEm/pHtsAbh09pn+/gJqyeVeCMG4hchw+7wYDvMmf99+dIOmQepun15SSWuZaba9yZtP78fjhgpRC4DIUQqBjgT9Ln6n3f4nZT13EqGppV3hwGdzgocMVVjNIWdVFkh1JB3JXJLKz0RYlpyTL3p6UCdscugCju69TG/sGxuJplVuj1t+oz0rinXGM8cYuhSuY/xGLwFf9w3Bq1hQx17AaMBAAEwDQYJKoZIhvcNAQELBQADggEBACAcx3BZmAmCpEwojUbMmvN5rdOwV0HPIxP1UujgP46LWkl/7AmUgiAi+LTesfTq7Q5bOJdpJzbC2uszRCg81bGBZJfRIOffu6jfuXJ/OP4bYlsPyTuzO4wNxaqiLMqQFIV8cbYuBUHENWLUHfLGAuj0w1y3cTuGsCqV6MEtY+2iTZCOEFMrw4WnUFSOH2yHjM8WWdHrpXP3+qYY4mOHiKy0RsAFKzURRP1VOEDJEXy2pOqZFzAp1Px8dhEMnwUg3TLI9UPndxfVs3AfxJYIzcq02fV4GNLA9Po/a6esrNCo2kMbPeArUWgV5F/h9IVcU5xsiLZEgHJOqQfuolgeykc=FUJIMOTO-HOME\sfujimotourn:amazon:[email protected]:aws:iam::000000000000:saml-provider/fujimoto-home, arn:aws:iam::000000000000:role/ADFS-developerurn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
このようにSAML ResponseはAssertion IDやClaim Ruleの結果が含まれます。
一時的な認証情報発行
AWS STS APIのAssumeRoleWithSamlを利用して、一時的な認証情報を発行します。 オプションにRoleARN、SAMLProviderARN、SAML Responseを与えます。
# aws sts assume-role-with-saml --role-arn arn:aws:iam::000000000000:role/ADFS-developer --principal-arn arn:aws:iam::000000000000:saml-provider/fujimoto-home --saml-assertion "PHNhbWxwOlJlc3BvbnNlIElEPSJfNjQ3Y2QzZmUtMjE4OC00MWY3LTgyY2ItYTU3YmFiNmI5NTU5IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNS0wOS0yNFQxNDoyODowOS43OTlaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zaWduaW4uYXdzLmFtYXpvbi5jb20vc2FtbCIgQ29uc2VudD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNvbnNlbnQ6dW5zcGVjaWZpZWQiIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxJc3N1ZXIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly9hZGZzLmZ1amltb3RvLWhvbWUubG9jYWwvYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIgLz48L3NhbWxwOlN0YXR1cz48QXNzZXJ0aW9uIElEPSJfNmJkMjNiMzQtMDcwNy00NjM4LWIxYjYtOGZkMmY4NGQ1NWIzIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMDktMjRUMTQ6Mjg6MDkuNzk5WiIgVmVyc2lvbj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PElzc3Vlcj5odHRwOi8vYWRmcy5mdWppbW90by1ob21lLmxvY2FsL2FkZnMvc2VydmljZXMvdHJ1c3Q8L0lzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIgLz48ZHM6UmVmZXJlbmNlIFVSST0iI182YmQyM2IzNC0wNzA3LTQ2MzgtYjFiNi04ZmQyZjg0ZDU1YjMiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIgLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2IiAvPjxkczpEaWdlc3RWYWx1ZT5rZmp5bk5QalpYR2hoODRlQkJRaDA2YVdESnBvN3BkakFJaXJONkU2N3M0PTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5TZjQrbm01elZ2OEtNUGFKdzlZM01oWDNyUldSRHBVa1RIWlRWNmwyMGRuaHpOWXJ0czNIeVM3S213Mmlod2RkWDExMklLRlRRTVovSHJaaExka0tOSW1aTlFDckpEdVk0TUdRd0V0L2tFM0taejZJUDR1U0xsS2JLb1VlNjMrNG9JSlFNdk1ucmUweDQva2h2clpGemZQMnIrSGRPaDdKQkFudGJPNmtaRWVLWmovSDZrQk1wNDJqM2hwQTRXMFVBdER0WWtBWXZRbDNudWlUNE92Wkk4UXNDYnJSWjNvZFMxa0dxQkxsV2FiWXVoQ0x0M01GMExkUTJlVHhBcDRPUmpUT2hrcGJiQTI2WC8vdlVPZnRLbHZRNEZTdzhNWmo4RGx2UXpqVlpvejBFd0NFNTcvVUZXUEw4dmpwQnFIdUcvRHpxVjVubXE0bXZKbkdJWXZrWHc9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PEtleUluZm8geG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUM3RENDQWRTZ0F3SUJBZ0lRVnhDUWVGNXh6b0ZHTzBMbzc3OXNkakFOQmdrcWhraUc5dzBCQVFzRkFEQXlNVEF3TGdZRFZRUURFeWRCUkVaVElGTnBaMjVwYm1jZ0xTQmhaR1p6TG1aMWFtbHRiM1J2TFdodmJXVXViRzlqWVd3d0hoY05NVFV3T0RFNU1UVXhNak0xV2hjTk1UWXdPREU0TVRVeE1qTTFXakF5TVRBd0xnWURWUVFERXlkQlJFWlRJRk5wWjI1cGJtY2dMU0JoWkdaekxtWjFhbWx0YjNSdkxXaHZiV1V1Ykc5allXd3dnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDe000000000000000000000000000000000oRUNWTGY0K2RPWC9ZSVNtbTBNTURxbVhFNTFNZm1TQzI5aWN3Z2s4SFIxZDRKSFZHZk0zT1krRWhwRkVtUysyZFlvcDQyQXBHbHlnY1ZsNUZzUVRKWW9ZYmg2dXZEMmcwM1dSQUdFbS9wSHRzQWJoMDlwbisvZ0pxeWVWZUNNRzRoY2h3Kzd3WUR2TW1mOTkrZElPbVFlcHVuMTVTU1d1WjdiYTl5WnRQNzhmamhncFJDNERJVVFxQmpnVDlMbjZuM2Y0blpUMTNFcUdwcFYzaHdHZHpnb2NNVlZqTklXZFZGa2gxSkIzSlhKTEt6MFJZbHB5VEwzcDZVQ2RzY3VnQ2p1NjlURy9zR3h1SnBsVnVqMXQrb3owcmluWEdNOGNZdWhTdVkveEdMd0ZmOXczQnExaFF4MTdBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDQWN4M0JabUFtQ3BFd29qVWJNbXZONXJkT3dWMEhQSXhQMVV1amdQNDZMV2tsLzdBbVV3aUFpK0xUZXNmVHE3UTViT0pkcEp6YkMydXN6UkNnODFiR0JaSmZSSU9mZnU2amZ1WEovT1A0Yllsc1B5VHV6TzR3TnhhcWlMTXFRRklWOGNiWXVCVUhFTldMVUhmTEdBdWowdzF5M2NUdUdzQ3FWNk1FdFkrMmlUWkNPRUZNcnc0V25VRlNPSDJ5SGpNOFdXZEhycFhQMytxWVk0bU9IaUt5MFJzQUZLelVSUlAxVk9FREpFWHkycE9xWkZ6QXAxUHg4ZGhFTW53VWczVExJOVVQbmR4ZlZzM0FmeEpZSXpjcTAyZlY0R05MQTlQby9hNmVzck5DbzJrTWJQZUFyVVdnVjVGL2g5SVZjVTV4c2lMWkVnSEpPcVFmdW9sZ2V5a2M9PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L0tleUluZm8+PC9kczpTaWduYXR1cmU+PFN1YmplY3Q+PE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiPkZVSklNT1RPLUhPTUVcc2Z1amltb3RvPC9OYW1lSUQ+PFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDE1LTA5LTI0VDE0OjMzOjA5Ljc5OVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9zaWd000000000000000000000000000lY3RDb25maXJtYXRpb24+PC9TdWJqZWN0PjxDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNS0wOS0yNFQxNDoyODowOS43OTlaIiBOb3RPbk9yQWZ0ZXI9IjIwMTUtMDktMjRUMTU6Mjg6MDkuNzk5WiI+PEF1ZGllbmNlUmVzdHJpY3Rpb24+PEF1ZGllbmNlPnVybjphbWF6b246d2Vic2VydmljZXM8L0F1ZGllbmNlPjwvQXVkaWVuY2VSZXN0cmljdGlvbj48L0NvbmRpdGlvbnM+PEF0dHJpYnV0ZVN0YXRlbWVudD48QXR0cmlidXRlIE5hbWU9Imh0dHBzOi8vYXdzLmFtYXpvbi5jb20vU0FNTC9BdHRyaWJ1dGVzL1JvbGVTZXNzaW9uTmFtZAI+PEF0dHJpYnV0ZVZhbHVlPnNmdWppbW90b0BmdWppbW90by1ob21lLmxvY2FsPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48QXR0cmlidXRlIE5hbWU9Imh0dHBzOi8vYXdzLmFtYXpvbi5jb20vU0FNTC9BdHRyaWJ1dGVzL1JvbGUiPjxBdHRyaWJ1dGVWYWx1ZT5hcm46YXdzOmlh3To6MjkwNTM2NDg0NzcxOnNhbWwtcHJvdmlkZXIvZnVqaW1vdG8taG9tZSwgYXJuOmF3czppYW06OjI5MDUzNjQ4NDc3MTpyb2xlL0FERlMtZGV2ZWxvcGVyPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48L0F0dHJpYnV0ZVN0YXRlbWVudD43QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE1LTA5LTI0VDE0OjI3OjU4Ljc4M1oiIFNlc3Npb25JbmRleD0iXzZiZDIzYjM0LTA3MDctNDYzOC1iMWI2LThmZDJmODRkNTViMyI+PEF1dGhuQ29udGV4dD48QXV0aG1Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L0F1dGhuQ29udGV4dENsYXNzUmVmPjwvQXV0aG5Db250ZXh0PjwvQXV0aG5TdGF0ZW1lbnQ+PC9Bc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=" { "Audience": "https://signin.aws.amazon.com/saml", "NameQualifier": "j8KnghRbguhf/c+FfoMsluk8ke0=", "AssumedRoleUser": { "Arn": "arn:aws:sts::00000000:assumed-role/ADFS-developer/[email protected]", "AssumedRoleId": "AROAJ55S34ROZ6QCWKYFS:[email protected]" }, "Subject": "FUJIMOTO-HOME\\sfujimoto", "Credentials": { "Expiration": "2015-09-24T15:44:35Z", "SessionToken": "AQoDYXdzEBgagAMBsEgf5oDM+LG4prWyRUk/FNRcoWo8paEaz1wLjRZs8NALJ/6RiVUPZQW1jkhJsDe2e1cY8GsNfE645bA5dCOtW9RXGub6+2uf51w9huaO3kZXx49sH9BBuPUdGAV34dfwM7TTL4e6bJLK5Oyva6I1314xGUeEVSoPV08L977N/ft0GEnJXURAkkNhPyuY6l4L3nxv5Mi/QlLtxwNvAyzjdcbxJyO09tkAG1tl38Wtn9wrQaSU5PojxHu415tteesanrITE3IfBVO734N9CfNJ7YgQ7J7IQQ5yUX2BP31QCsqe7YWFwQ2lMMXjQIIWjgQ/0QfEwB9rxrZcP6EJrzlxq0OyDDzySPabeaz6ZjydHTPec1WsSIi/Hg1wxY5NPjqLKUXYbAegIIMI0twsHNx2GKqhu+AgOqZA24nme8iRaS/RcODKNIgs9wMyKkmtegvYQYzuQ04tVYBx1O1OlztGmrKs+x+zsgQLj6gVWLkYHPj37h/FVsPvZcB5WBDLx/wg05iQsAU=", "AccessKeyId": "ASIAJI2V66WANRTD5BFQ", "SecretAccessKey": "/VbW13iSqWgfQowWHffGAKrt7a17oT9hUVi24cyd" }, "SubjectType": "persistent", "Issuer": "http:///adfs/services/trust" }
AccessKeyId、SecretAccessKey、SessionTokenがレスポンスに含まれています。これらをCredentialに利用して、AWS APIを発行してみましょう。S3のバケットを取得してみます。
# export AWS_ACCESS_KEY_ID=ASIAJI2V66WANRTD5BFQ # export AWS_SECRET_ACCESS_KEY=/VbW13iSqWgfQowWHffGAKrt7a17oT9hUVi24cyd # export AWS_SESSION_TOKEN=AQoDYXdzEBgagAMBsEgf5oDM+LG4prWyRUk/FNRcoWo8paEaz1wLjRZs8NALJ/6RiVUPZQW1jkhJsDe2e1cY8GsNfE645bA5dCOtW9RXGub6+2uf51w9huaO3kZXx49sH9BBuPUdGAV34dfwM7TTL4e6bJLK5Oyva6I1314xGUeEVSoPV08L977N/ft0GEnJXURAkkNhPyuY6l4L3nxv5Mi/QlLtxwNvAyzjdcbxJyO09tkAG1tl38Wtn9wrQaSU5PojxHu415tteesanrITE3IfBVO734N9CfNJ7YgQ7J7IQQ5yUX2BP31QCsqe7YWFwQ2lMMXjQIIWjgQ/0QfEwB9rxrZcP6EJrzlxq0OyDDzySPabeaz6ZjydHTPec1WsSIi/Hg1wxY5NPjqLKUXYbAegIIMI0twsHNx2GKqhu+AgOqZA24nme8iRaS/RcODKNIgs9wMyKkmtegvYQYzuQ04tVYBx1O1OlztGmrKs+x+zsgQLj6gVWLkYHPj37h/FVsPvZcB5WBDLx/wg05iQsAU= # export AWS_DEFAULT_REGION="ap-northeast-1" # aws s3 ls 2015-08-28 16:45:51 cf-templates-1powceaee2ee2-ap-northeast-1
バケット情報を取得できました。一時的な認証情報の取得に成功しています。
スクリプト化
これらの認証を実施するpythonスクリプトをgistに公開しました。
実行すると以下のようになります。
# ./assume_role_for_adfs.py --adfs-fqdn adfs.fujimoto-home.local --username [email protected] [email protected]'s Password: Execute following commands to set AWS credentials ----- export AWS_ACCESS_KEY_ID=ASIAI6FEUDEHPV325XJA export AWS_SECRET_ACCESS_KEY=FVxf8XqxnRb8snorPxu0lqQxSofjyJCOfDSw4g8P export AWS_SESSION_TOKEN=AQoDYXdzEEEa8AIsPa6X9Uf6mOJ7X6BDeSF7CJWITEJkyo3qcTfGPUoIbSsmXwMpnsfDLCvj+O87T9D1og8hsoTXF7eR9VJDTG2BPnvN1cn0Zop/1RBuVF77QaaSituzTPBlamQpAmm72mzb0oX7MMw/fWu9B4haCkWkUJHID7vVK/8s7YbRPAu/y8P0zod4UGuSoKA4ko8DdrjS89sB89gTwr1YdotzqdeSj5yI4Nshg+JDHebI/V8M+EPsDARQs5Axl+uTGoGLl8cMiN7WGXX8Ng7p2F8bHWYnWCcOJjfkKHDvuOJT0vL5vCF9aHwgGqAnThzHFEst83CpqHyyPQzoAkBd6zuGlNbObV0O9NWrNbq6+eFBN/y36SpWN9TKjZGc63XoPjmVqmjopMLjGcri1jDWoyHtWorrFMHJbe7Q9UKK/AbMDp0PQCbZNoHcFImBSZU8yUptsWJx0LM1Mge3hU69wy+D5sh+2D9nk4bGgKv1UEf2syXpKyCCl5mwBQ==
まとめ
いかがでしたでしょうか? Active Directoryを活用したManagement ConsoleへのSSO、一時的なAPI認証情報の取得をご紹介しました。既存の環境にActive Directoryがある組織はAWS上でIAM Roleさえ作成してしまえば、IAMユーザーを作らずともアカウント管理をActive Directoryに委任することができます。
参考情報
How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS SAML wrapper for aws cli