Michael Sverdlik edited this page Jul 19, 2020 · 5 revisions

## Configure GSuite

  1. Open the Developer's Console.
  2. Create a new project.
  3. Navigate to Credentials in the left menu and choose to create a new OAuth 2.0 Client.
  4. Choose Android App as the application type (this is not a typo).
  5. Give the client a name, a package name and some dummy SHA-1 fingerprint.
  6. Write down the client ID.
  7. Under the OAuth consent screen menu item, make sure the app's user type is Internal.

## Configure AWS IAM

First, you'll need to configure an external identity provider (IdP):

  1. Open the IAM console and navigate to the Identity providers screen.
  2. Click Create Provider.
  3. Provider Type: OpenID Connect
  4. Provider URL: https://accounts.google.com
  5. Audience: the Client ID from GSuite

Next, create a new role that will be assumed via the federated IdP:

  1. Open the [IAM Roles screen](https://console.aws.amazon.com/iam/home?region=eu-west-1#/roles) and click Create Role.
  2. Choose Web Identity as the type of trust.
  3. Identity provider: accounts.google.com:aud
  4. Audience: the Client ID as before
  5. Attach any permissions and tags, then create the role.
  6. Write down the role ARN.

## Configure AWS CLI

In your `~/.aws/config`:

```ini
[profile tinytoken]
# the AWS CLI runs this command and reads temporary credentials from its JSON output
credential_process = /usr/local/bin/tinytoken -r ROLE_ARN -c CLIENT_ID
```

Replace ROLE_ARN and CLIENT_ID with the role ARN and client ID you wrote down above.

Run your AWS commands as usual:

```shell
aws --profile tinytoken ec2 describe-instances
```
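The three pieces the setup above relies on, as an added Python example that is not tinytoken's own code: the trust policy the Web Identity role ends up with (the `accounts.google.com:aud` condition ties it to your client ID), the audience check a client can do before calling STS, and the JSON shape the AWS CLI expects from a `credential_process`. `sts_client` is assumed to be anything exposing `assume_role_with_web_identity` (a `boto3.client("sts")` in real use); the role ARN, client ID and ID token used in the demonstration are constructed placeholders.

```python
# Added example, not tinytoken's own code: the trust policy the role above gets, an
# audience check a client can do, and the JSON the AWS CLI expects from credential_process.
# sts_client is anything exposing assume_role_with_web_identity (boto3.client("sts") live).
import base64
import json
from datetime import timezone

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def trust_policy(client_id: str) -> dict:
    """Only Google-issued tokens whose audience is this OAuth client may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"accounts.google.com:aud": client_id}}}]}


def _b64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_id_token(id_token: str, client_id: str) -> dict:
    """Fail fast on a token minted for another client or issuer. STS verifies the
    signature; this unverified payload decode only gives an early, clear error."""
    _header, payload, _sig = id_token.split(".")
    claims = json.loads(_b64url(payload))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != client_id:
        raise ValueError("ID token audience does not match CLIENT_ID")
    return claims


def credential_process_output(role_arn: str, id_token: str, client_id: str, sts_client) -> str:
    """Exchange the ID token for role credentials in the credential_process format."""
    claims = check_id_token(id_token, client_id)
    c = sts_client.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=claims["sub"], WebIdentityToken=id_token)["Credentials"]
    return json.dumps({"Version": 1, "AccessKeyId": c["AccessKeyId"],
                       "SecretAccessKey": c["SecretAccessKey"], "SessionToken": c["SessionToken"],
                       "Expiration": c["Expiration"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})


def sample_id_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only (no real signature)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.sig"
```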