Allow Role selection #20
base: master
Any chance this, and the other outstanding PRs, be reviewed? They all seem super helpful.
I just tried your PR out, and there's a bit of an issue with it, at least with a bastion account and cross accounts. oktad needs me to configure a profile in
@erickt I have actually implemented something like that in endemics@124b00f but haven't created a PR yet. You can pull the code from https://github.com/endemics/oktad, the master branch has my 3 patches (that's the one we're using internally).
@@ -119,3 +128,65 @@ func assumeDestinationRole(acfg AwsConfig, creds *credentials.Credentials) (*cre | |||
|
|||
return mCreds, *res.Credentials.Expiration, nil | |||
} | |||
|
|||
func splitSamlProviderArns(arns string) (*SamlProviderArns, error) { |
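Review bot: `splitSamlProviderArns` is added without a doc comment; please state what the `arns` string is expected to hold (presumably one value of the Role attribute the PR description refers to), how it is delimited, and under which inputs the function returns an error. The pointer return type has already been raised inline; returning `SamlProviderArns` by value also gives callers a usable zero value on the error path instead of a nil pointer.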
Not a big deal, but nitpicking: no real reason for this to return a pointer to this struct; should just return the struct value.
(I know that the other code in this project does not follow this guideline well, but that's something I'm hoping to correct...)
I like the idea of this especially because we're talking about moving to this model for our AWS accounts rather than relying on That said: maybe this should only prompt for account selection in the event that a user hasn't provided a profile/account to use? Then this code could try to find the name supplied in the SAML response or There's also potential to retrieve a list of accounts to check against using the AWS Organizations API as well, though that requires permissions to your Organizations account, at least in our case.
When there are multiple values to <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">, instead of blindly taking the first one, prompt the user for the one she wants.
This is needed if you have multiple targets and a 1:1 mapping between a Cross-Account role and a target role.
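An added example in Go of the behaviour this PR describes, not code from the oktad project or from the PR itself: each value of the Role attribute is split into its role ARN and SAML provider ARN (returned by value, as the inline review comment suggests), and the user is prompted only when the assertion carries more than one value. The names `RolePair`, `parseRoleAttribute` and `chooseRole` are mine, the ARNs in the comments are constructed, and accepting the two ARNs in either order is an assumption of this example.

```go
package main

import "fmt"
import "strings"

// RolePair is one SAML Role attribute value split into its two ARNs (a value, not a pointer).
type RolePair struct{ RoleArn, ProviderArn string }

// parseRoleAttribute splits one "<arn>,<arn>" value; assumption: either ARN order is accepted, told apart by resource type.
func parseRoleAttribute(value string) (RolePair, error) {
	var p RolePair
	for _, arn := range strings.Split(value, ",") {
		arn = strings.TrimSpace(arn)
		switch {
		case strings.HasPrefix(arn, "arn:") && strings.Contains(arn, ":role/") && p.RoleArn == "":
			p.RoleArn = arn
		case strings.HasPrefix(arn, "arn:") && strings.Contains(arn, ":saml-provider/") && p.ProviderArn == "":
			p.ProviderArn = arn
		default: // a third ARN, a duplicate type, or something that is not an ARN at all
			return RolePair{}, fmt.Errorf("role attribute %q: unexpected or duplicate ARN %q", value, arn)
		}
	}
	if p.RoleArn == "" || p.ProviderArn == "" { // e.g. "arn:aws:iam::123456789012:role/Admin" alone (constructed)
		return RolePair{}, fmt.Errorf("role attribute %q: need one role and one saml-provider ARN", value)
	}
	return p, nil
}

// chooseRole parses every Role attribute value and calls choose (a terminal prompt in practice) only when there is more than one.
func chooseRole(values []string, choose func([]RolePair) (int, error)) (RolePair, error) {
	pairs := make([]RolePair, 0, len(values))
	for _, v := range values {
		p, err := parseRoleAttribute(v)
		if err != nil {
			return RolePair{}, err
		}
		pairs = append(pairs, p)
	}
	i := 0 // a single value needs no prompt, which keeps the pre-PR behaviour
	if len(pairs) > 1 {
		var err error
		if i, err = choose(pairs); err != nil {
			return RolePair{}, err
		}
	}
	if i < 0 || i >= len(pairs) { // also rejects an empty list, where every index is out of range
		return RolePair{}, fmt.Errorf("selection %d out of range [0,%d)", i, len(pairs))
	}
	return pairs[i], nil
}
```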