Skip to content

IAmFrench/GSuite-as-identity-Provider-IdP-for-AWS-Amazon-Web-Services

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
README.md
README.md
 
 

Repository files navigation

GSuite-as-identity-Provider-IdP-for-AWS-Amazon-Web-Services

Use GSuite accounts for AWS

Google Admin pre-requirements

Add custom user attributes (for AWS SAML binding attributes)

Gsuite Admin Help
AWS Docs
GSuite Admin > Users > Manage user attributes

  1. Add AWS SAML Role Attribute (Text, Multi-value)
  2. (Optional) Add AWS SAML RoleSessionName Attribute (Text, Single Value)

AWS SAML Custom Attributes

Set up SAML app (choose Amazon-Web-Services)

Create a new SAML App (choose Amazon-Web-Services)

GSuite Admin > Apps > SAML Apps

GSuite SAML Apps

Download IDP Metadata (XML)

Download IDP Metadata

Edit Service Provider Details

Name ID = Basic Information > Primary Email
Name ID Format = Email

Edit Service Provider Details

Set Attribute Mapping (AWS Docs)

https://aws.amazon.com/SAML/Attributes/RoleSessionName
https://aws.amazon.com/SAML/Attributes/Role
https://aws.amazon.com/SAML/Attributes/SessionDuration

Set Attribute Mapping - RoleSessionName Set Attribute Mapping - Role

Create SAML App Done

Config AWS IAM Provider

Create the GSuite Provider in AWS Console

AWS > IAM > Access management > Identity providers

AWS > IAM > Access management > Identity providers List

Configure Provider

Set a friendly name
Set provider type to SAML
Select the Gsuite IDP Metadata (XML file)

Configure Provider > SAML

Create the GSuite Provider Done

Configure IAM Role(s) in AWS Console

For this example we will create 2 roles, 1 administrator and 1 Read only role
If an user has 2+ assigned roles, he can chose the desired role

AWS > IAM > Access management > Roles

AWS > IAM > Access management > Roles

Create SAML Role (Administrator)

AWS > IAM > Access management > Roles > Create role

Create SAML Role

Select AdministratorAccess policy
Name: Administrator

Create SAML Role - Administrator

Create SAML Role (ViewOnlyAccess)

Do the same as for Administrator but with the ViewOnlyAccess policy
Name: ViewOnlyAccess

Create SAML Role - ViewOnlyAccess

As we can see here we have now 2 new roles Administrator and ViewOnlyAccess

Create roles Done

Configure GSuite role (user attribute)

AWS Doc

Find Role(s) ARN

Role ARN

Find GSuite Identity provider ARN

GSuite Identity provider

Set GSuite user attribute

Format of the AWS SAML Role Attribute:
arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name
SAML SessionDuration Attribute in seconds

User > configure attribute > AWS SAML attributes

Check the set-up

Open Google & launch the AWS Quick link

Launch the AWS GSuite link

Select the AWS Role (if you have assigned multiples roles to a GSuite user)

Select the AWS Role

Check AWS user details

AWS User details

Next steps

  • Create GSuite Groups and auto assign roles based on the user's groups

About

No description or website provided.

Topics

aws saml tutorial gsuite iam aws-iam federated-identity gsuite-admin identity-provider-idp gsuite-saml-apps saml-apps

Resources

Readme
Activity

Stars

3 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published