- How much should I copy the official OneLogin app?
- Easier to migrate
- Config files in JSON though??? Oh and YAML. Because.
- Integrate with KeyChain like aws-vault
- Will need to code sign
- Shouldn't just spit out ENV vars and expect you to copy & paste.
- Follow aws-vault example of executing programs (including a shell)
- Follow aws-vault example of running an EC2 metadata service? Not sure why that helps. Maybe some kind of dev/test solution?
- Should use External Sourcing
- Need to write the necessary info as a JSON blob, which allows you to easily define OneLogin as the means of accessing an AWS_PROFILE without having to edit the ~/.aws/config file! Note that we would need to implement some level of caching for this to work, but that seems reasonable :)
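As an added illustration of the External Sourcing idea (this is not code from this project, nor from aws-vault or clisso), here is a Go sketch of what a credential_process helper has to print on stdout, together with the cache check that decides whether cached STS credentials can still be handed out. The command name onelogin-aws-role, the cache layout, the role alias and the sample credentials are assumptions; the JSON field names and Version: 1 are what the AWS CLI/SDKs actually require.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"time"
)

// credentialProcessOutput is the JSON the AWS CLI/SDKs expect on stdout from a
// credential_process helper: Version must be 1, Expiration is RFC 3339 (UTC).
type credentialProcessOutput struct {
	Version         int    `json:"Version"`
	AccessKeyId     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	SessionToken    string `json:"SessionToken"`
	Expiration      string `json:"Expiration,omitempty"`
}

// cachedCreds is one entry of a hypothetical $HOME/.onelogin.cache, keyed by role alias.
type cachedCreds struct {
	AccessKeyId     string    `json:"access_key_id"`
	SecretAccessKey string    `json:"secret_access_key"`
	SessionToken    string    `json:"session_token"`
	Expiration      time.Time `json:"expiration"`
}

// cacheSkew: credentials that expire within this window count as stale already, so a
// command launched now does not lose its credentials mid-run.
const cacheSkew = 5 * time.Minute

// lookupCached returns the cached STS credentials for alias if they are still usable at
// now; a miss means the caller must go back through OneLogin (token -> SAML -> MFA -> STS).
func lookupCached(cache map[string]cachedCreds, alias string, now time.Time) (cachedCreds, bool) {
	c, ok := cache[alias]
	if !ok || !now.Add(cacheSkew).Before(c.Expiration) {
		return cachedCreds{}, false
	}
	return c, true
}

// renderCredentialProcess formats STS credentials as the credential_process JSON document.
func renderCredentialProcess(c cachedCreds) ([]byte, error) {
	if c.AccessKeyId == "" || c.SecretAccessKey == "" || c.SessionToken == "" {
		return nil, errors.New("incomplete STS credentials; refusing to emit them")
	}
	return json.Marshal(credentialProcessOutput{
		Version:         1,
		AccessKeyId:     c.AccessKeyId,
		SecretAccessKey: c.SecretAccessKey,
		SessionToken:    c.SessionToken,
		Expiration:      c.Expiration.UTC().Format(time.RFC3339),
	})
}

// main stands in for `onelogin-aws-role role <alias>` (hypothetical command name) being
// invoked by the AWS CLI through a profile such as:
//   [profile dev]
//   credential_process = onelogin-aws-role role dev
func main() {
	// Constructed cache contents; a real tool would read/write $HOME/.onelogin.cache.
	now := time.Now()
	cache := map[string]cachedCreds{
		"dev": {AccessKeyId: "ASIAEXAMPLEKEY", SecretAccessKey: "example-secret",
			SessionToken: "example-session-token", Expiration: now.Add(time.Hour)},
	}
	alias := "dev"
	if len(os.Args) > 1 {
		alias = os.Args[1]
	}
	c, ok := lookupCached(cache, alias, now)
	if !ok {
		fmt.Fprintln(os.Stderr, "cache miss for", alias, "- would re-authenticate via OneLogin here")
		os.Exit(1)
	}
	out, err := renderCredentialProcess(c)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(out)) // the AWS CLI reads this JSON from stdout
}
```

Because the AWS CLI re-runs the helper whenever it needs credentials, every aws invocation would otherwise go through OneLogin (and possibly an MFA prompt); the cache is what makes credential_process usable, and the skew keeps a long-running command from starting on credentials that die a minute later.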
- Another golang program allcloud-io/clisso
- Another secret mgmt library for OSX/Linux: tmc/keyring
- The OAuth2 AccessToken is good for 10hrs and should be cached to avoid rate limiting. This is perfectly safe as long as the creds aren't exposed and someone uses them to DoS us, given the 5000 req/hr/account limit. (account, not user?)
- SAML Assertion requires OneLogin username/password
- SAML Assertion may require MFA
- The SAML assertion is only good for a service-defined number of minutes? AWS SAML is for a few minutes.
- The onelogin-go-sdk is neutered and doesn't support MFA :-/
- Need to see how the --loop feature is supported? Login Session Tokens can't be used for long periods of time? Pretty sure this doesn't automate authentication! Looks like it merely automates running the tool again, which is very different (requires you to manually re-auth)
- How are users supposed to know their device_id value for mfa?
Probably should move to their own directory or something?
- $HOME/.onelogin.cache -- SAML assertion & bearer token cache
- $HOME/.onelogin.yaml -- config file
- ClientID/Secret ==> OneLogin Generate Token
    - Returns Token good for 10hrs
    - Should be cached
    - Can be done transparent to user
- Token, Username, Password, AppID ==> OneLogin SAML Assertion
    - Returns Assertion OR MFA Request
    - MFA request? Send MFA ==> OneLogin Verify Factor
        - Interactive required if MFA
    - AWS SAML Assertions are only good for a few minutes
    - Is good for 1 or more roles in 1 or more AWS Accounts
    - Password should be stored in KeyChain
    - Returns Assertion OR MFA Request
- SAML Assertion, Role ==> AWS
    - Returns STS Token good for 15min to 12hrs (1hr default)
    - Can write to ~/.aws/config & ~/.aws/authentication or set shell ENV
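An added example (not the project's code) for the SAML Assertion ==> AWS step. What OneLogin hands back is a base64 SAML Response whose https://aws.amazon.com/SAML/Attributes/Role attribute carries one "role ARN, SAML provider ARN" pair per role, possibly spanning several accounts, and that list is what the AppID/Role selection below has to be built from. The parser walks the XML tokens instead of trusting a fixed element layout, and it accepts the pair in either order, which AWS allows. The assertion embedded here is constructed and unsigned; signature checking happens on the AWS side in AssumeRoleWithSAML, so the tool only has to read the pairs out and pass the assertion through unchanged.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// roleAttrName is the SAML attribute AWS reads role/principal pairs from.
const roleAttrName = "https://aws.amazon.com/SAML/Attributes/Role"

// samlRole is one "role ARN, SAML provider ARN" pair found in the assertion.
type samlRole struct {
	RoleARN      string
	PrincipalARN string
	AccountID    string // 12-digit account id taken from the role ARN
}

// splitRolePair parses "arn1,arn2"; AWS allows the role and provider in either order.
func splitRolePair(v string) (samlRole, error) {
	parts := strings.Split(v, ",")
	if len(parts) != 2 {
		return samlRole{}, fmt.Errorf("expected 2 ARNs, got %q", v)
	}
	var r samlRole
	for _, p := range parts {
		p = strings.TrimSpace(p)
		switch {
		case strings.Contains(p, ":role/"):
			r.RoleARN = p
		case strings.Contains(p, ":saml-provider/"):
			r.PrincipalARN = p
		}
	}
	if r.RoleARN == "" || r.PrincipalARN == "" {
		return samlRole{}, fmt.Errorf("missing role or saml-provider ARN in %q", v)
	}
	// arn:aws:iam::ACCOUNT:role/Name -> the account is the 5th colon-separated field
	if f := strings.Split(r.RoleARN, ":"); len(f) >= 6 {
		r.AccountID = f[4]
	}
	return r, nil
}

// parseRoles decodes a base64 SAML Response and returns every role/provider pair in it.
func parseRoles(assertionB64 string) ([]samlRole, error) {
	raw, err := base64.StdEncoding.DecodeString(assertionB64)
	if err != nil {
		return nil, err
	}
	dec := xml.NewDecoder(bytes.NewReader(raw))
	var roles []samlRole
	inRoleAttr, inValue := false, false // track where we are in the document
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			switch t.Name.Local {
			case "Attribute":
				inRoleAttr = xmlAttr(t, "Name") == roleAttrName
			case "AttributeValue":
				inValue = inRoleAttr
			}
		case xml.EndElement:
			switch t.Name.Local {
			case "Attribute":
				inRoleAttr = false
			case "AttributeValue":
				inValue = false
			}
		case xml.CharData:
			if v := strings.TrimSpace(string(t)); inValue && v != "" {
				r, err := splitRolePair(v)
				if err != nil {
					return nil, err
				}
				roles = append(roles, r)
			}
		}
	}
	if len(roles) == 0 {
		return nil, fmt.Errorf("assertion carries no %s attribute", roleAttrName)
	}
	return roles, nil
}

// xmlAttr returns the value of the named attribute on a start element, or "".
func xmlAttr(e xml.StartElement, name string) string {
	for _, a := range e.Attr {
		if a.Name.Local == name {
			return a.Value
		}
	}
	return ""
}

// sampleAssertionB64 is a constructed, unsigned stand-in for what OneLogin returns.
func sampleAssertionB64() string {
	const doc = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:AttributeStatement>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<saml:AttributeValue>arn:aws:iam::111111111111:role/Developer,arn:aws:iam::111111111111:saml-provider/OneLogin</saml:AttributeValue>
<saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/OneLogin,arn:aws:iam::222222222222:role/ReadOnly</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>`
	return base64.StdEncoding.EncodeToString([]byte(doc))
}

func main() {
	roles, err := parseRoles(sampleAssertionB64())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, r := range roles {
		fmt.Printf("account %s  role %s  via %s\n", r.AccountID, r.RoleARN, r.PrincipalARN)
	}
}
```

Each returned pair is exactly what AssumeRoleWithSAML takes as RoleArn and PrincipalArn alongside the raw assertion, and the AccountID field is what lets an AppID alias fan out into one STS call per account/role.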
- Select AppID or Role?
    - AppID's contain multiple roles across one or more AWS accounts, which is confusing
    - If user doesn't provide on CLI, prompt
    - Need a config file which maps AppID => AWS Role(s)
    - AppID's should have an alias
    - Role ARN's should have an alias
    - If AppID alias:
        - Get all the STS tokens for all the roles
        - Write to AWS config files
        - Don't choose a role
    - If Role alias:
        - Get STS token for that role
        - Execute command/load ENV for that role
- Revoke - Revoke current AuthToken which is automatically generated
    - No args, just config
- Role - Get one AWS Role STS values and print it out
    - role alias
- Exec - Get one AWS Role STS value and run command (like Role)
    - role alias
    - [command]
- AppId - Get all AWS Role STS values (cache for Role/Exec)
    - appid alias
- Aliases - Print all Role & AppId with aliases (should show when expires)
    - No args, just config