
Consider EOL'ing this project in favour of AWS SSO? #190

Open
brainstorm opened this issue Jun 26, 2020 · 9 comments

Comments

@brainstorm

brainstorm commented Jun 26, 2020

We recently migrated and use AWS SSO and yawsso as a CLI v1 backwards-compatibility workaround. Other than this minor temporary patch (due to an unfixed AWS Go SDK issue) it has been way more reliable than @cevoaustralia's (and others') web-scraping approaches.

Please don't get me wrong, this project has been instrumental for a while at our organization but I suspect that the scraping limitations (and reliability) will only get worse over time, driving folks away from deploying reliable SSO systems.

In other words: what's the current value proposition of this project vs AWS SSO? Any additional features that I'm not aware of? Happy to be wrong about this!

/cc @reisingerf @victorskl

@zeroaltitude

My question @brainstorm is, how does this solve getting the Google SSO dance automated? The value of projects like aws-google-auth is actually handling the Google side, and that is the side that to this day remains tricky. How do you accomplish that with yawsso? I read the page, and don't understand.

@brainstorm
Author

brainstorm commented Jun 27, 2020

@zeroaltitude Setting up AWS SSO with Google is fairly straightforward with SAML, here's a step by step guide (one of many):

https://deductivelabs.com/blog/aws/amazon-web-services-sso-authentication-with-google-gsuite/

Yawsso only covers the "last mile": tools like terraform or CDK that do not yet support AWS SSO but just plain AWS CLI v1, as mentioned above with the pending AWS SDK Go issue.
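To make the "last mile" bridge concrete, here is an added example of the mechanism the comment describes; it is not yawsso's own code, nor aws-google-auth's. It assumes the AWS CLI v2 SSO profile keys (sso_start_url, sso_region, sso_account_id, sso_role_name) in ~/.aws/config, assumes the v2 token cache file is named sha1(sso_start_url).json with accessToken/expiresAt fields, and replaces the SSO GetRoleCredentials call with a hypothetical fetch_role_credentials() stub that returns a constructed response. The config, token and credentials below are all constructed sample data. The script refuses to write a credentials file from an expired cached token and sets the file to mode 0600, the two checks a practitioner would want in such a bridge.

```python
"""Added example: copy AWS CLI v2 SSO credentials into the CLI v1
~/.aws/credentials layout. Not yawsso's code; see lead-in for assumptions."""
import configparser
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample ~/.aws/config with a CLI v2 SSO profile.
SAMPLE_CONFIG = """\
[profile dev]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
region = ap-southeast-2
"""

# Constructed sample of a cached SSO token (shape assumed from CLI v2).
SAMPLE_TOKEN = {
    "startUrl": "https://example.awsapps.com/start",
    "region": "ap-southeast-2",
    "accessToken": "constructed-sso-access-token",
    "expiresAt": "2099-01-01T00:00:00Z",
}


def load_sso_profile(config_text: str, profile: str) -> dict:
    """Return the SSO keys of a profile, or fail if it is not an SSO profile."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    section = f"profile {profile}"
    if not cp.has_section(section):
        raise KeyError(f"no such profile: {profile}")
    required = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")
    missing = [k for k in required if k not in cp[section]]
    if missing:
        raise ValueError(f"profile {profile} is not an SSO profile, missing {missing}")
    return {k: cp[section][k] for k in required}


def cache_path(cache_dir: Path, start_url: str) -> Path:
    """Assumed CLI v2 naming: sha1 of the start URL, as hex, plus .json."""
    return cache_dir / (hashlib.sha1(start_url.encode("utf-8")).hexdigest() + ".json")


def parse_expiry(ts: str) -> datetime:
    """Parse the expiresAt stamp (either 'Z' or 'UTC' suffix) as aware UTC."""
    ts = ts.replace("UTC", "Z")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_cached_token(cache_dir: Path, start_url: str, now: datetime) -> str:
    """Return the cached SSO access token, refusing missing or expired ones."""
    path = cache_path(cache_dir, start_url)
    if not path.exists():
        raise RuntimeError("no cached SSO token; run `aws sso login --profile ...` first")
    data = json.loads(path.read_text())
    if parse_expiry(data["expiresAt"]) <= now:
        raise RuntimeError("cached SSO token has expired; run `aws sso login` again")
    return data["accessToken"]


def fetch_role_credentials(access_token: str, account_id: str, role_name: str, region: str) -> dict:
    """Hypothetical stand-in for sso:GetRoleCredentials; returns constructed data
    shaped like the real response (expiration in epoch milliseconds)."""
    return {
        "accessKeyId": "ASIACONSTRUCTEDEXAMPLE",
        "secretAccessKey": "constructed/secret/key",
        "sessionToken": "constructed-session-token",
        "expiration": 4102444800000,  # 2100-01-01T00:00:00Z
    }


def to_v1_credentials(existing_text: str, profile: str, creds: dict) -> str:
    """Merge the temporary keys into CLI v1 credentials-file text, by profile."""
    cp = configparser.ConfigParser()
    cp.read_string(existing_text)
    cp[profile] = {
        "aws_access_key_id": creds["accessKeyId"],
        "aws_secret_access_key": creds["secretAccessKey"],
        "aws_session_token": creds["sessionToken"],
    }
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def bridge(config_text: str, cache_dir: Path, credentials_path: Path, profile: str, now: datetime) -> dict:
    """Full bridge: SSO profile -> cached token -> role creds -> v1 credentials file."""
    p = load_sso_profile(config_text, profile)
    token = load_cached_token(cache_dir, p["sso_start_url"], now)
    creds = fetch_role_credentials(token, p["sso_account_id"], p["sso_role_name"], p["sso_region"])
    exp = datetime.fromtimestamp(creds["expiration"] / 1000, tz=timezone.utc)
    if exp <= now:
        raise RuntimeError("role credentials already expired")
    existing = credentials_path.read_text() if credentials_path.exists() else ""
    credentials_path.write_text(to_v1_credentials(existing, profile, creds))
    os.chmod(credentials_path, 0o600)  # the file now holds live secrets
    return {"profile": profile, "expires_at": exp.isoformat()}


def run_demo() -> dict:
    """Run the bridge in a temp dir with the constructed samples: once with a
    valid cached token, once with a stale one that must be rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        cache_dir = Path(tmp) / "sso" / "cache"
        cache_dir.mkdir(parents=True)
        cred_file = Path(tmp) / "credentials"
        now = datetime(2021, 1, 28, tzinfo=timezone.utc)
        cache_path(cache_dir, SAMPLE_TOKEN["startUrl"]).write_text(json.dumps(SAMPLE_TOKEN))
        info = bridge(SAMPLE_CONFIG, cache_dir, cred_file, "dev", now)
        written = cred_file.read_text()
        stale = dict(SAMPLE_TOKEN, expiresAt="2020-01-01T00:00:00Z")
        cache_path(cache_dir, stale["startUrl"]).write_text(json.dumps(stale))
        try:
            bridge(SAMPLE_CONFIG, cache_dir, cred_file, "dev", now)
            rejected = False
        except RuntimeError:
            rejected = True
    return {"expires_at": info["expires_at"], "credentials": written, "stale_rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The written section is a plain `[dev]` block with `aws_access_key_id`, `aws_secret_access_key` and `aws_session_token`, which is all a CLI v1 client (or a tool built on the older SDKs) understands; the SSO token itself never leaves the v2 cache.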

@zeroaltitude

zeroaltitude commented Jun 27, 2020

OK, sorry, I have a better idea of what I mean to ask.

First off, this project here depends on much of your instructions: you do still create a GSuite AWS SSO Google App and then an AWS IAM identity SAML provider.

The thing I'm missing is this. My next step is to simply automate AWS cred creation using this tool here. Your suggestion is, use AWS SSO, and if you're using aws CLI v2, you're done, and if not, you can use yawsso to copy the creds into the V1 format. Great.

But AWS SSO does two things I either don't like or don't understand. 1) It forces you to provision AWS users, rather than just use your IAM roles set up for IDP. I would prefer not to do this. But I would if it were the only way. However, 2) the AWS SSO page suggests that it doesn't have any proven support for Google yet. Or at least, the documentation here: https://docs.aws.amazon.com/singlesignon/latest/userguide/supported-idps.html doesn't list Google. It lists Active Directory, Azure and OKTA. I don't want to then also link OKTA to Google -- too many steps.

So really my only question is: is there an easy way to use AWS SSO with GSuite? I can't seem to find a clear answer on that.

@zeroaltitude

zeroaltitude commented Jun 27, 2020

Oh, huh, nevermind, found it: https://medium.com/@io_78824/introduction-8a480b2df991

Less than 6 months old. This looks promising.

EDIT: But there's a fatal flaw. Google doesn't yet support the dynamic identity creation. Which means I have to manually provision users.

TL;DR: I still see a role for the current project, but I agree that it looks like AWS and Google will someday solve this.

@brainstorm
Author

brainstorm commented Jun 27, 2020

Yeah, SCIM is still lacking; that, together with having to use the yawsso "bridge", is the only significant drawback. Other than that, it works a treat!

@brokenthumbs
Contributor

Referencing a ticket here on the aws-cli repo, to track the progress.

aws/aws-cli#4784

@stevemac007
Contributor

Thanks for the question - something we should constantly be looking at. I'd love to be able to retire this tool, especially given how lax I've been during 2020 in responding to issues and keeping it updated. But there does still seem to be a demand for keeping this alive in the meantime.

I'm aiming to get a run at some uplift here over the next week or so to resolve any key blockers - the first of which is to move off Travis CI to GitHub Actions - and look into the remaining PRs.

@brainstorm
Author

brainstorm commented Jan 28, 2021

@stevemac007 At least put a reference/link to the very beginning of the README pointing to this issue?

In our experience, our transition to AWS SSO has made all the difference: with aws-google-auth we had tons of bad UX reports, mostly related to crawling Google's HTML/auth details as this project does.

In contrast, we got 0 related issues with AWS SSO... inform new users in the README.md!

@brainstorm
Author

brainstorm commented Jan 28, 2021

Btw, support for CLI v2 in the AWS Terraform provider has just been merged: hashicorp/terraform-provider-aws#10851 (comment)

The AWS Go SDK is supporting it now, so that was pretty much the last inconvenience milestone to fully adopt SSO I reckon: https://github.com/hashicorp/terraform-provider-aws/pull/17340/files


4 participants