{"id":32136954,"url":"https://github.com/cevoaustralia/aws-google-auth","last_synced_at":"2025-10-21T04:53:36.540Z","repository":{"id":37736177,"uuid":"94195575","full_name":"cevoaustralia/aws-google-auth","owner":"cevoaustralia","description":"Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)","archived":false,"fork":false,"pushed_at":"2025-07-14T13:13:21.000Z","size":418,"stargazers_count":546,"open_issues_count":94,"forks_count":176,"subscribers_count":43,"default_branch":"master","last_synced_at":"2025-10-19T23:14:02.030Z","etag":null,"topics":["amazon","aws","cli","google","python","saml","single-sign-on","sso"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cevoaustralia.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-06-13T09:30:29.000Z","updated_at":"2025-09-23T05:28:18.000Z","dependencies_parsed_at":"2024-07-10T06:30:16.519Z","dependency_job_id":"0203b3a8-62e2-4790-b111-5ed9a1ff8e2d","html_url":"https://github.com/cevoaustralia/aws-google-auth","commit_stats":null,"previous_names":[],"tags_count":38,"template":false,"template_full_name":null,"purl":"pkg:github/cevoaustralia/aws-google-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cevoaustralia%2Faws-google-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cevoaustralia%2Faws-google-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/
cevoaustralia%2Faws-google-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cevoaustralia%2Faws-google-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cevoaustralia","download_url":"https://codeload.github.com/cevoaustralia/aws-google-auth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cevoaustralia%2Faws-google-auth/sbom","scorecard":{"id":271693,"data":{"date":"2025-08-11","repo":{"name":"github.com/cevoaustralia/aws-google-auth","commit":"dd42263bbeeb053e1b66a2db9a7b1f23606940f0"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.6,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":1,"reason":"Found 2/16 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that 
others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/pythonpackage.yml:1","Warn: no topLevel permission defined: .github/workflows/pythonrelease.yml:1","Warn: no topLevel permission defined: .github/workflows/rstlint.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not 
fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Info: FSF or OSI recognized license: MIT License: LICENSE.txt:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pythonpackage.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/cevoaustralia/aws-google-auth/pythonpackage.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pythonpackage.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/cevoaustralia/aws-google-auth/pythonpackage.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/pythonrelease.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/cevoaustralia/aws-google-auth/pythonrelease.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pythonrelease.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/cevoaustralia/aws-google-auth/pythonrelease.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rstlint.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/cevoaustralia/aws-google-auth/rstlint.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rstlint.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/cevoaustralia/aws-google-auth/rstlint.yml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating alpine:3.5 to alpine:3.5@sha256:66952b313e51c3bd1987d7c4ddf5dba9bc0fb6e524eed2448fa660246b3e76ec","Warn: containerImage not pinned by hash: Dockerfile.python2:1: pin your Docker image by updating alpine:3.5 to alpine:3.5@sha256:66952b313e51c3bd1987d7c4ddf5dba9bc0fb6e524eed2448fa660246b3e76ec","Warn: pipCommand not pinned by hash: Dockerfile:10","Warn: pipCommand not pinned by hash: Dockerfile:13","Warn: pipCommand not pinned by hash: Dockerfile.python2:10","Warn: pipCommand not pinned by hash: .github/workflows/pythonpackage.yml:28","Warn: pipCommand not pinned by hash: .github/workflows/pythonpackage.yml:29","Warn: pipCommand not pinned by hash: .github/workflows/pythonpackage.yml:30","Warn: pipCommand not pinned by hash: .github/workflows/pythonpackage.yml:33","Warn: pipCommand not pinned by hash: .github/workflows/pythonpackage.yml:42","Warn: pipCommand not pinned by hash: .github/workflows/pythonpackage.yml:43","Warn: pipCommand not pinned by hash: .github/workflows/pythonpackage.yml:44","Warn: pipCommand not pinned by hash: 
.github/workflows/pythonrelease.yml:23","Warn: pipCommand not pinned by hash: .github/workflows/pythonrelease.yml:24","Warn: pipCommand not pinned by hash: .github/workflows/rstlint.yml:22","Warn: pipCommand not pinned by hash: .github/workflows/rstlint.yml:23","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned","Info:   0 out of  14 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 19 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"67 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2019-182 / GHSA-8867-vpm3-g98g","Warn: Project is vulnerable to: PYSEC-2012-8 / GHSA-p3h7-3c45-qj4v","Warn: Project is vulnerable to: PYSEC-2019-181 / GHSA-p86x-652p-6385","Warn: Project is vulnerable to: GHSA-55x5-fj6c-h6m8","Warn: Project is vulnerable to: PYSEC-2014-9 / GHSA-57qw-cc2g-pv5p","Warn: Project is vulnerable to: PYSEC-2021-19 / GHSA-jq4v-f5q6-mjqq","Warn: Project is vulnerable to: GHSA-pgww-xf46-h92r","Warn: Project is vulnerable to: PYSEC-2022-230 / GHSA-wrxv-2j5q-m38w","Warn: Project is vulnerable to: PYSEC-2018-12 / GHSA-xp26-p53h-6h2p","Warn: Project is vulnerable to: GHSA-3c5c-7235-994j","Warn: Project is vulnerable to: GHSA-3f63-hfp8-52jq","Warn: Project is vulnerable to: PYSEC-2021-41 / GHSA-3wvg-mj6g-m9cv","Warn: Project is vulnerable to: PYSEC-2020-77 / GHSA-3xv8-3j54-hgrp","Warn: Project 
is vulnerable to: PYSEC-2020-80 / GHSA-43fq-w8qq-v88h","Warn: Project is vulnerable to: GHSA-44wm-f244-xhp3","Warn: Project is vulnerable to: GHSA-4fx9-vc88-q2xc","Warn: Project is vulnerable to: PYSEC-2021-35 / GHSA-57h3-9rgr-c24m","Warn: Project is vulnerable to: PYSEC-2020-172 / GHSA-5gm3-px64-rw72","Warn: Project is vulnerable to: PYSEC-2021-331 / GHSA-7534-mm45-c74v","Warn: Project is vulnerable to: PYSEC-2021-92 / GHSA-7r7m-5h27-29hp","Warn: Project is vulnerable to: PYSEC-2020-78 / GHSA-8843-m7mw-mxqm","Warn: Project is vulnerable to: PYSEC-2023-227 / GHSA-8ghj-p4vj-mr35","Warn: Project is vulnerable to: PYSEC-2014-87 / GHSA-8m9x-pxwq-j236","Warn: Project is vulnerable to: PYSEC-2022-10 / GHSA-8vj2-vxx3-667w","Warn: Project is vulnerable to: PYSEC-2021-36 / GHSA-8xjq-8fcg-g5hw","Warn: Project is vulnerable to: PYSEC-2016-6 / GHSA-8xjv-v9xq-m5h9","Warn: Project is vulnerable to: PYSEC-2021-42 / GHSA-95q3-8gr9-gm8w","Warn: Project is vulnerable to: PYSEC-2022-168 / GHSA-9j59-75qj-795w","Warn: Project is vulnerable to: PYSEC-2014-10 / GHSA-cfmr-38g9-f2h7","Warn: Project is vulnerable to: PYSEC-2020-76 / GHSA-cqhg-xjhh-p8hf","Warn: Project is vulnerable to: PYSEC-2021-40 / GHSA-f4w8-cv6p-x6r5","Warn: Project is vulnerable to: PYSEC-2021-69 / GHSA-f5g8-5qq7-938w","Warn: Project is vulnerable to: PYSEC-2021-139 / GHSA-g6rj-rv7j-xwp4","Warn: Project is vulnerable to: PYSEC-2015-16 / GHSA-h5rf-vgqx-wjv2","Warn: Project is vulnerable to: PYSEC-2016-5 / GHSA-hggx-3h72-49ww","Warn: Project is vulnerable to: PYSEC-2020-84 / GHSA-hj69-c76v-86wr","Warn: Project is vulnerable to: PYSEC-2016-7 / GHSA-hvr8-466p-75rh","Warn: Project is vulnerable to: PYSEC-2015-15 / GHSA-j6f7-g425-4gmx","Warn: Project is vulnerable to: GHSA-j7hp-h8jx-5ppr","Warn: Project is vulnerable to: PYSEC-2019-110 / GHSA-j7mj-748x-7p78","Warn: Project is vulnerable to: GHSA-jgpv-4h4c-xhw3","Warn: Project is vulnerable to: PYSEC-2022-42979 / GHSA-m2vv-5vj5-2hm7","Warn: Project is vulnerable to: 
PYSEC-2021-37 / GHSA-mvg9-xffr-p774","Warn: Project is vulnerable to: PYSEC-2020-83 / GHSA-p49h-hjvm-jg3h","Warn: Project is vulnerable to: PYSEC-2022-8 / GHSA-pw3c-h7wp-cvhx","Warn: Project is vulnerable to: PYSEC-2021-93 / GHSA-q5hq-fp76-qmrc","Warn: Project is vulnerable to: PYSEC-2020-82 / GHSA-r7rm-8j6h-r933","Warn: Project is vulnerable to: PYSEC-2014-23 / GHSA-r854-96gq-rfg3","Warn: Project is vulnerable to: PYSEC-2016-8 / GHSA-rwr3-c2q8-gm56","Warn: Project is vulnerable to: PYSEC-2020-81 / GHSA-vcqg-3p29-xw73","Warn: Project is vulnerable to: PYSEC-2020-79 / GHSA-vj42-xq3r-hr3r","Warn: Project is vulnerable to: PYSEC-2021-70 / GHSA-vqcj-wrf2-7v73","Warn: Project is vulnerable to: PYSEC-2016-9 / GHSA-w4vg-rf63-f3j3","Warn: Project is vulnerable to: PYSEC-2014-22 / GHSA-x895-2wrm-hvp7","Warn: Project is vulnerable to: PYSEC-2022-9 / GHSA-xrcv-f9gm-v42c","Warn: Project is vulnerable to: PYSEC-2021-137","Warn: Project is vulnerable to: PYSEC-2021-138","Warn: Project is vulnerable to: PYSEC-2021-317","Warn: Project is vulnerable to: PYSEC-2021-38","Warn: Project is vulnerable to: PYSEC-2021-39","Warn: Project is vulnerable to: PYSEC-2021-94","Warn: Project is vulnerable to: PYSEC-2023-175","Warn: Project is vulnerable to: PYSEC-2014-14 / GHSA-652x-xj99-gmcc","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56","Warn: Project is vulnerable to: PYSEC-2014-13 / GHSA-cfj3-7x9c-4p3h","Warn: Project is vulnerable to: PYSEC-2018-28 / GHSA-x84v-xcm2-53pg"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T13:33:59.360Z","repository_id":37736177,"created_at":"2025-08-17T13:33:59.360Z","updated_at":"2025-08-17T13:33:59.360Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":280207194,"owners_count":26290616,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-21T02:00:06.614Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["amazon","aws","cli","google","python","saml","single-sign-on","sso"],"created_at":"2025-10-21T04:53:33.197Z","updated_at":"2025-10-21T04:53:36.535Z","avatar_url":"https://github.com/cevoaustralia.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"aws-google-auth\n===============\n\n|github-badge| |docker-badge| |pypi-badge| |coveralls-badge|\n\n.. |github-badge| image:: https://github.com/cevoaustralia/aws-google-auth/workflows/Python%20package/badge.svg\n   :target: https://github.com/cevoaustralia/aws-google-auth/actions\n   :alt: GitHub build badge\n\n.. |docker-badge| image:: https://img.shields.io/docker/build/cevoaustralia/aws-google-auth.svg\n   :target: https://hub.docker.com/r/cevoaustralia/aws-google-auth/\n   :alt: Docker build status badge\n\n.. 
|pypi-badge| image:: https://img.shields.io/pypi/v/aws-google-auth.svg\n   :target: https://pypi.python.org/pypi/aws-google-auth/\n   :alt: PyPI version badge\n\n.. |coveralls-badge| image:: https://coveralls.io/repos/github/cevoaustralia/aws-google-auth/badge.svg?branch=master\n   :target: https://coveralls.io/github/cevoaustralia/aws-google-auth?branch=master\n\nThis command-line tool allows you to acquire AWS temporary (STS)\ncredentials using Google Apps as a federated (Single Sign-On, or SSO)\nprovider.\n\nSetup\n-----\n\nYou'll first have to set up Google Apps as a SAML identity provider\n(IdP) for AWS. There are tasks to be performed on both the Google Apps\nand the Amazon sides; these references should help you with those\nconfigurations:\n\n-  `How to Set Up Federated Single Sign-On to AWS Using Google\n   Apps \u003chttps://aws.amazon.com/blogs/security/how-to-set-up-federated-single-sign-on-to-aws-using-google-apps/\u003e`__\n-  `Using Google Apps SAML SSO to do one-click login to\n   AWS \u003chttps://blog.faisalmisle.com/2015/11/using-google-apps-saml-sso-to-do-one-click-login-to-aws/\u003e`__\n\nIf you need a fairly simple way to assign users to roles in AWS\naccounts, we have another tool called `Google AWS\nFederator \u003chttps://github.com/cevoaustralia/google-aws-federator\u003e`__\nthat might help you.\n\nImportant Data\n~~~~~~~~~~~~~~\n\nYou will need to know Google's assigned Identity Provider ID, and the ID\nthat they assign to the SAML service provider.\n\nOnce you've set up the SAML SSO relationship between Google and AWS, you\ncan find the SP ID by drilling into the Google Apps console, under\n``Apps \u003e SAML Apps \u003e Settings for AWS SSO`` -- the URL will include a\ncomponent that looks like ``...#AppDetails:service=123456789012...`` --\nthat number is ``GOOGLE_SP_ID``\n\nYou can find the ``GOOGLE_IDP_ID``, again from the admin console, via\n``Security \u003e Set up single sign-on (SSO)`` -- the ``SSO URL`` includes a\nstring like 
``https://accounts.google.com/o/saml2/idp?idpid=aBcD01AbC``\nwhere the last bit (after the ``=``) is the IDP ID.\n\nInstallation\n------------\n\nYou can install quite easily via ``pip``, if you want to have it on your\nlocal system:\n\n.. code:: shell\n\n    # For basic installation\n    localhost$ sudo pip install aws-google-auth\n\n    # For installation with U2F support\n    localhost$ sudo pip install aws-google-auth[u2f]\n\n\n*Note* If using ZSH you will need to quote the install, as below:\n\n.. code:: shell\n\n   localhost$ sudo pip install \"aws-google-auth[u2f]\"\n\nIf you don't want to have the tool installed on your local system, or if\nyou prefer to isolate changes, there is a Dockerfile provided, which you\ncan build with:\n\n.. code:: shell\n\n    # Perform local build\n    localhost$ cd ..../aws-google-auth \u0026\u0026 docker build -t aws-google-auth .\n\n    # Use the Docker Hub version\n    localhost$ docker pull cevoaustralia/aws-google-auth\n\nDevelopment\n-----------\n\nIf you want to develop the AWS-Google-Auth tool itself, we thank you! In order\nto help you get rolling, you'll want to install locally with pip. Of course,\nyou can use your own regular workflow, with tools like `virtualenv \u003chttps://virtualenv.pypa.io/en/stable/\u003e`__.\n\n.. code:: shell\n\n    # Install (without U2F support)\n    pip install -e .\n\n    # Install (with U2F support)\n    pip install -e .[u2f]\n\nWe welcome you to review our `code of conduct \u003cCODE_OF_CONDUCT.md\u003e`__ and\n`contributing \u003cCONTRIBUTING.md\u003e`__ documents.\n\nUsage\n-----\n\n.. 
code:: shell\n\n    $ aws-google-auth -h\n    usage: aws-google-auth [-h] [-u USERNAME] [-I IDP_ID] [-S SP_ID] [-R REGION]\n                           [-d DURATION] [-p PROFILE] [-D] [-q]\n                           [--bg-response BG_RESPONSE]\n                           [--saml-assertion SAML_ASSERTION] [--no-cache]\n                           [--print-creds] [--resolve-aliases]\n                           [--save-failure-html] [--save-saml-flow] [-a | -r ROLE_ARN] [-k]\n                           [-l {debug,info,warn}] [-V]\n\n    Acquire temporary AWS credentials via Google SSO\n\n    optional arguments:\n      -h, --help            show this help message and exit\n      -u USERNAME, --username USERNAME\n                            Google Apps username ($GOOGLE_USERNAME)\n      -I IDP_ID, --idp-id IDP_ID\n                            Google SSO IDP identifier ($GOOGLE_IDP_ID)\n      -S SP_ID, --sp-id SP_ID\n                            Google SSO SP identifier ($GOOGLE_SP_ID)\n      -R REGION, --region REGION\n                            AWS region endpoint ($AWS_DEFAULT_REGION)\n      -d DURATION, --duration DURATION\n                            Credential duration (defaults to value of $DURATION, then\n                            falls back to 43200)\n      -p PROFILE, --profile PROFILE\n                            AWS profile (defaults to value of $AWS_PROFILE, then\n                            falls back to 'sts')\n      -D, --disable-u2f     Disable U2F functionality.\n      -q, --quiet           Quiet output\n      --bg-response BG_RESPONSE\n                            Override default bgresponse challenge token ($GOOGLE_BG_RESPONSE).\n      --saml-assertion SAML_ASSERTION\n                            Base64 encoded SAML assertion to use.\n      --no-cache            Do not cache the SAML Assertion.\n      --print-creds         Print Credentials.\n      --resolve-aliases     Resolve AWS account aliases.\n      --save-failure-html   Write HTML failure 
responses to file for\n                            troubleshooting.\n      --save-saml-flow      Write all GET and PUT requests and HTML responses to/from Google to files for troubleshooting.\n      -a, --ask-role        Set true to always pick the role\n      -r ROLE_ARN, --role-arn ROLE_ARN\n                            The ARN of the role to assume ($AWS_ROLE_ARN)\n      -k, --keyring         Use keyring for storing the password.\n      -l {debug,info,warn}, --log {debug,info,warn}\n                            Select log level (default: warn)\n      -V, --version         show program's version number and exit\n\n\n**Note** If you want a longer session than the AWS default 3600 seconds (1 hour)\nduration, you must also modify the IAM Role to permit this. See\n`the AWS documentation \u003chttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html\u003e`__\nfor more information.\n\nNative Python\n~~~~~~~~~~~~~\n\n1. Execute ``aws-google-auth``\n2. You will be prompted to supply each parameter\n\n*Note* You can skip prompts by either passing parameters to the command, or setting the specified Environment variables.\n\nVia Docker\n~~~~~~~~~~~~~\n\n1. Set environment variables for anything listed in Usage with ``($VARIABLE)`` after command line option:\n\n   ``GOOGLE_USERNAME``, ``GOOGLE_IDP_ID``, and ``GOOGLE_SP_ID``\n   (see above under \"Important Data\" for how to find the last two; the first one is usually your email address)\n\n   ``AWS_PROFILE``: Optional profile name you want the credentials set for (default is 'sts')\n\n   ``ROLE_ARN``: Optional ARN of the role to assume\n\n2. For Docker:\n   ``docker run -it -e GOOGLE_USERNAME -e GOOGLE_IDP_ID -e GOOGLE_SP_ID -e AWS_PROFILE -e ROLE_ARN -v ~/.aws:/root/.aws cevoaustralia/aws-google-auth``\n\nYou'll be prompted for your password. 
If you've set up an MFA token for\nyour Google account, you'll also be prompted for the current token\nvalue.\n\nIf you have a U2F security key added to your Google account, you won't\nbe able to use this via Docker; the Docker container will not be able to\naccess any devices connected to the host ports. You will likely see the\nfollowing error during runtime: \"RuntimeWarning: U2F Device Not Found\".\n\nIf you have more than one role available to you (and you haven't set up ROLE_ARN),\nyou'll be prompted to choose the role from a list.\n\nFeeding password from stdin\n~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nTo enhance usability when using third-party tools for managing passwords (i.e. password managers), you can feed data into\n``aws-google-auth`` from ``stdin``.\n\nWhen receiving data from ``stdin``, ``aws-google-auth`` disables the interactive prompt and uses the ``stdin`` data.\n\nBefore `#82 \u003chttps://github.com/cevoaustralia/aws-google-auth/issues/82\u003e`_, all interactive prompts could already be fed from ``stdin`` apart from the ``Google Password:`` prompt.\n\nExample usage:\n\n.. code:: shell\n\n    $ password-manager show password | aws-google-auth\n    Google Password: MFA token:\n    Assuming arn:aws:iam::123456789012:role/admin\n    Credentials Expiration: ...\n\n**Note:** this feature is intended for password manager integration, not for passing passwords from the command line.\nPlease use the interactive prompt if you need to pass the password manually, as this provides enhanced security by avoiding\npassword leakage to shell history.\n\nStorage of profile credentials\n------------------------------\n\nThrough the use of AWS profiles, using the ``-p`` or ``--profile`` flag, the ``aws-google-auth`` utility will store the supplied username, IDP and SP details in your ``~/.aws/config`` file.\n\nWhen re-authenticating using the same profile, the values will be remembered to speed up the re-authentication process.\nThis approach means you enter your username, IDP and SP values once and 
thereafter only need to re-enter your password (and MFA if enabled).\n\nCreating an alias as below can be a quick and easy way to re-authenticate with a simple command shortcut.\n\n.. code:: shell\n\n    alias aws-development='unset AWS_PROFILE; aws-google-auth -I $GOOGLE_IDP_ID -S $GOOGLE_SP_ID -u $USERNAME -p aws-dev ; export AWS_PROFILE=aws-dev'\n\nOr, if you've already established a profile with valid cached values:\n\n.. code:: shell\n\n    alias aws-development='unset AWS_PROFILE; aws-google-auth -p aws-dev ; export AWS_PROFILE=aws-dev'\n\n\nNotes on Authentication\n-----------------------\n\nGoogle supports a number of 2-factor authentication schemes. Each of these\nresults in a slightly different \"next\" URL, if they're enabled, during ``do_login``.\n\nGoogle controls the preference ordering of these schemes in the case that\nyou have multiple ones defined.\n\nThe varying 2-factor schemes and their representative URL fragments handled\nby this tool are:\n\n+------------------+-------------------------------------+\n| Method           | URL Fragment                        |\n+==================+=====================================+\n| No second factor | (none)                              |\n+------------------+-------------------------------------+\n| TOTP (eg Google  | ``.../signin/challenge/totp/...``   |\n|  Authenticator   |                                     |\n|  or Authy)       |                                     |\n+------------------+-------------------------------------+\n| SMS (or voice    | ``.../signin/challenge/ipp/...``    |\n|  call)           |                                     |\n+------------------+-------------------------------------+\n| SMS (or voice    | ``.../signin/challenge/iap/...``    |\n|  call) with      |                                     |\n|  number          |                                     |\n|  submission      |                                     |\n+------------------+-------------------------------------+\n| Google Prompt    | 
``.../signin/challenge/az/...``     |\n|  (phone app)     |                                     |\n+------------------+-------------------------------------+\n| Security key     | ``.../signin/challenge/sk/...``     |\n|  (eg yubikey)    |                                     |\n+------------------+-------------------------------------+\n| Dual prompt      | ``.../signin/challenge/dp/...``     |\n|  (Validate 2FA ) |                                     |\n+------------------+-------------------------------------+\n| Backup code      | ``... (unknown yet) ...``           |\n|  (printed codes) |                                     |\n+------------------+-------------------------------------+\n\nAcknowledgments\n----------------\n\nThis work is inspired by `keyme \u003chttps://github.com/wheniwork/keyme\u003e`__\n-- their digging into the guts of how Google SAML auth works is what's\nenabled it.\n\nThe attribute management and credential injection into AWS configuration files\nwas heavily borrowed from `aws-adfs \u003chttps://github.com/venth/aws-adfs\u003e`__.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcevoaustralia%2Faws-google-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcevoaustralia%2Faws-google-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcevoaustralia%2Faws-google-auth/lists"}