aws-google-auth

Authenticate AWS CLI using Google credentials

TLDR

Log in with Google SSO using the specified username, IdP and SP identifiers, and set the credentials duration to one hour

$ aws-google-auth [[-u|--username]] [user@example.com] [[-I|--idp-id]] [$GOOGLE_IDP_ID] [[-S|--sp-id]] [$GOOGLE_SP_ID] [[-d|--duration]] [3600]

Log in and prompt for which role to use (when several SAML roles are available)
$ aws-google-auth [[-u|--username]] [user@example.com] [[-I|--idp-id]] [$GOOGLE_IDP_ID] [[-S|--sp-id]] [$GOOGLE_SP_ID] [[-d|--duration]] [3600] [[-a|--ask-role]]

Resolve account aliases so the role prompt shows AWS account names instead of bare account IDs
$ aws-google-auth [[-u|--username]] [user@example.com] [[-I|--idp-id]] [$GOOGLE_IDP_ID] [[-S|--sp-id]] [$GOOGLE_SP_ID] [[-d|--duration]] [3600] [[-a|--ask-role]] --resolve-aliases

Display help
$ aws-google-auth [[-h|--help]]

SYNOPSIS

aws-google-auth [--profile PROFILE] [--role-arn ROLE_ARN] [--provider-id PROVIDER_ID] [--idp-id IDP_ID] [--duration-seconds SECONDS] [--no-browser] [--print] [--mfa-serial-number ARN] [--mfa-token TOKEN] [-h]

PARAMETERS

--profile PROFILE
    AWS profile name to update with credentials

--role-arn ROLE_ARN
    ARN of specific IAM role to assume

--provider-id PROVIDER_ID
    SAML provider ID from AWS IAM (defaults to first matching)

--idp-id IDP_ID
    Google Workspace IdP ID from SAML metadata

--duration-seconds SECONDS
    Session duration in seconds (1-43200)

--no-browser
    Skip browser auth; use for headless/SSH

--print
    Print credentials to stdout instead of ~/.aws/credentials

--mfa-serial-number ARN
    MFA device ARN for hardware MFA

--mfa-token TOKEN
    MFA TOTP code

-h, --help
    Show help and exit

DESCRIPTION

aws-google-auth is a command-line tool that enables users to obtain temporary AWS credentials through SAML federation with Google Workspace as the identity provider (IdP). It simplifies access to AWS services for organizations using Google Workspace by automating the authentication flow.

The tool opens a browser for Google login, retrieves the SAML assertion Google returns, and exchanges it with AWS STS for temporary credentials (access key, secret key and session token). These can be used directly or stored in the AWS credentials file (~/.aws/credentials) for tools like the AWS CLI.

Key features include support for multiple AWS profiles, role assumption, customizable session durations (up to 12 hours), and optional MFA. It requires prior setup: configure a SAML identity provider in AWS IAM matching your Google Workspace SAML settings, and ensure the desired AWS roles trust the IdP.
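The following is an added example, not code from aws-google-auth itself, that walks through the second half of the flow described above against a constructed SAML assertion so it runs offline: it extracts the Role/Principal ARN pairs AWS expects in the assertion (the list that --ask-role prompts over when there is more than one), builds the parameters of the STS AssumeRoleWithSAML call without sending it, and merges the resulting temporary credentials into an AWS-CLI style profile together with their expiry so a caller can tell when the login must be repeated. The assertion, ARNs and credential values are all constructed placeholders; the profile name google-sso and the aws_session_expiration key are assumptions of this example.

```python
import base64
import configparser
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed assertion (no signature, placeholder account IDs): two roles in two
# accounts, which is the situation in which --ask-role prompts instead of taking
# the first match. AWS accepts each value as "role,provider" or "provider,role".
_ASSERTION_XML = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::111111111111:role/Developer,arn:aws:iam::111111111111:saml-provider/Google</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::222222222222:saml-provider/Google,arn:aws:iam::222222222222:role/ReadOnly</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml2:AttributeValue>3600</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
SAML_ASSERTION_B64 = base64.b64encode(_ASSERTION_XML.encode()).decode()

# Constructed STS response values; a real response comes from AssumeRoleWithSAML.
FAKE_CREDS = {
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
    "SecretAccessKey": "example-secret-placeholder",
    "SessionToken": "example-session-token-placeholder",
    "Expiration": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
}


def parse_roles(assertion_b64):
    """Return {role_arn: provider_arn} from a base64 SAML assertion.
    Each value of the Role attribute must hold exactly one role ARN and one
    saml-provider ARN; order is not significant, so classify by ARN type."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    roles = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = [p for p in parts if ":role/" in p]
            provider = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(role) != 1 or len(provider) != 1:
                raise ValueError("malformed Role attribute value: %r" % value.text)
            roles[role[0]] = provider[0]
    if not roles:
        raise ValueError("assertion carries no AWS Role attribute")
    return roles


def assume_role_request(assertion_b64, role_arn, provider_arn, duration_seconds=3600):
    """Build the keyword arguments for boto3's sts.assume_role_with_saml().
    The call itself needs network access and is not made here. STS rejects
    DurationSeconds outside 900..43200, so check it before calling."""
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    return {
        "RoleArn": role_arn,
        "PrincipalArn": provider_arn,
        "SAMLAssertion": assertion_b64,
        "DurationSeconds": duration_seconds,
    }


def write_profile(existing_ini, profile, creds):
    """Merge temporary credentials into credentials-file text (INI format),
    keeping other profiles intact and recording the expiry (assumed key name)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(existing_ini)
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    cfg[profile]["aws_session_expiration"] = creds["Expiration"].isoformat()
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def is_expired(ini_text, profile, now=None):
    """True when the profile has no recorded expiry or it has passed, which is
    the signal to run the Google login again (the tool does not auto-refresh)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    exp = cfg.get(profile, "aws_session_expiration", fallback=None)
    if exp is None:
        return True
    now = now or datetime.now(timezone.utc)
    return datetime.fromisoformat(exp) <= now


if __name__ == "__main__":
    roles = parse_roles(SAML_ASSERTION_B64)
    for role_arn, provider_arn in roles.items():
        print(role_arn, "via", provider_arn)
    chosen = sorted(roles)[0]
    print(assume_role_request(SAML_ASSERTION_B64, chosen, roles[chosen])["RoleArn"])
    print(write_profile("[default]\naws_access_key_id = AKIAPLACEHOLDER\n", "google-sso", FAKE_CREDS))
```

The role classification by ARN type rather than position matters in practice: the Role attribute values are commonly written as "role,provider" but AWS accepts either order, and a parser that assumes a fixed order silently hands the wrong ARN to STS. Keeping the expiry next to the keys is what lets a wrapper script re-run the login only when needed.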

Install it with pip: pip install aws-google-auth. It suits developers and administrators who want to avoid long-lived IAM access keys. Works on Linux, macOS, and Windows.

CAVEATS

Requires Python 3.7+ and a Google Workspace SAML provider configured in AWS IAM. Browser auth needs a GUI or X11 forwarding over SSH. Credentials expire and are not refreshed automatically; re-run the tool to obtain new ones. Potential issues with corporate proxies or custom Google domains.

INSTALLATION

pip install aws-google-auth; or from source: git clone https://github.com/luo-chengyun/aws-google-auth && pip install -e .

CONFIGURATION

Create an AWS IAM SAML provider from the Google Workspace metadata XML (Entity ID: google.com/a/YOURDOMAIN). Add a trust policy to each role that allows it to be assumed through that provider.

HISTORY

Open-source Python tool by luo-chengyun; initial GitHub release in 2021. Gained popularity for Google-AWS integrations; active maintenance with v2+ adding MFA, headless support. Over 1k stars on GitHub.

SEE ALSO

aws(1), saml2aws(1), awscli(1)
