Enabling Penn Web Login (Shibboleth) for the AWS web console


Since late 2013, AWS has had the ability to use SAML to manage access to the AWS web console. There are a number of blog posts on the AWS website that explain how to enable and use this, but many assume you need to set up your own identity provider, which you then use for authentication and authorization. Of course Penn has its own identity provider, known as Penn Web Login, which uses Shibboleth. This blog post describes how you can enable this functionality to manage access to your AWS web console, using PennGroups for authorization.

Gather the following information:

  • AWS Account number
  • The grouper groups you plan to use to control access to the AWS console

Contact the Penn Web Login team and work with them to get the connection to AWS set up and to ensure the correct assertions will be used. Generally, your assertions will be the last part of the grouper groups you plan to use, which we recommend mapping to identically named AWS roles. So, e.g., if your group is penn:isc:communications:www:iscWebsiteAdministrators, your assertion will contain iscWebsiteAdministrators, and your equivalent AWS role will also be called iscWebsiteAdministrators. We will use this, as well as iscWebsiteViewers, in the examples below.


Make sure you have installed the AWS CLI.

Decide on your level of trust for your SAML login. If you just want to verify Penn authentication, create a policy document file called assume_role_policy.txt as follows, replacing 0123456789xx with your AWS account number:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
        "Federated": "arn:aws:iam::0123456789xx:saml-provider/PennWebLogin"
    },
    "Action": "sts:AssumeRoleWithSAML"
  }]
}

This by itself does not allow anyone to access the AWS web console; it only allows someone to authenticate to AWS. Since AWS access is role-based, you will also need to set up the roles that map to the grouper assertions (more below). If you'd like to further restrict access, e.g. to staff and faculty, use the following policy document file instead (again called assume_role_policy.txt, replacing 0123456789xx with your AWS account number):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
        "Federated": "arn:aws:iam::0123456789xx:saml-provider/PennWebLogin"
    },
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {
        "StringEquals": {
            "saml:aud": "https://signin.aws.amazon.com/saml"
        },
        "ForAnyValue:StringLike": {
            "saml:eduPersonAffiliation": ["faculty", "staff"]
        }
    }
  }]
}

After the Penn Web Login team has configured the SAML configuration for your account at AWS, you should have received a file called saml2-idp.net.isc.upenn.edu-metadata.txt. We now start by setting up the identity provider in your AWS account. Execute the following:

aws iam create-saml-provider --saml-metadata-document file://saml2-idp.net.isc.upenn.edu-metadata.txt --name PennWebLogin

We will now define two roles, one for administrators and one for viewers. Administrators have full access to the web console; viewers can view everything but cannot consume any resources. We're going to use AWS predefined (managed) policies for this, but you can define your own policies. If you do that, the ARNs will be the equivalent ones you've defined in your own account.

The two AWS policies, with their ARNs, that we will be using are as follows:

AdministratorAccess: arn:aws:iam::aws:policy/AdministratorAccess
ReadOnlyAccess: arn:aws:iam::aws:policy/ReadOnlyAccess

Now we create the first role, using the assume_role_policy.txt file created earlier.

aws iam create-role --role-name iscWebsiteAdministrators --assume-role-policy-document file://assume_role_policy.txt

This creates an AWS role that may be assumed via AssumeRoleWithSAML. Please note this does not allow someone using the SAML login to do anything yet: even though the person can assume the role we've just defined, the role does not yet have an attached policy. We do that next:

aws iam attach-role-policy --role-name iscWebsiteAdministrators --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Once this is completed, any staff or faculty member who is in the example penn:isc:communications:www:iscWebsiteAdministrators grouper group can access the AWS console as a full administrator.

Do the same for the viewers, who can peruse but not consume any resources:

aws iam create-role --role-name iscWebsiteViewers --assume-role-policy-document file://assume_role_policy.txt
aws iam attach-role-policy --role-name iscWebsiteViewers --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
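The whole setup above, scripted as an added example that is not part of the original post: it derives each role name from the last component of its grouper group, writes the faculty/staff-restricted trust policy for the account number passed as the first argument, and prints the aws CLI commands so they can be reviewed before being piped to sh. The function names and the argument convention are my own.

```shell
#!/bin/sh
# Added example, not from the original post: script the role setup described
# above. Function names and the argument convention are assumptions.
set -eu
# The last component of a grouper group becomes the AWS role name, e.g.
# penn:isc:communications:www:iscWebsiteAdministrators -> iscWebsiteAdministrators
role_name_from_group() {
  printf '%s\n' "${1##*:}"
}

# Print the faculty/staff-restricted trust policy for the given account number.
# saml:aud pins the assertion to the AWS sign-in audience; the affiliation
# condition rejects authenticated users who are neither faculty nor staff.
trust_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::$1:saml-provider/PennWebLogin" },
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {
      "StringEquals": { "saml:aud": "https://signin.aws.amazon.com/saml" },
      "ForAnyValue:StringLike": { "saml:eduPersonAffiliation": ["faculty", "staff"] }
    }
  }]
}
EOF
}

# Print (rather than run) the CLI commands for one group -> role -> managed
# policy mapping, so the plan can be reviewed before being piped to sh.
setup_commands() {
  role=$(role_name_from_group "$1")
  printf 'aws iam create-role --role-name %s --assume-role-policy-document file://%s\n' "$role" "$3"
  printf 'aws iam attach-role-policy --role-name %s --policy-arn %s\n' "$role" "$2"
}

main() {
  trust_file=assume_role_policy.txt
  trust_policy_json "$1" > "$trust_file"
  printf 'aws iam create-saml-provider --saml-metadata-document file://saml2-idp.net.isc.upenn.edu-metadata.txt --name PennWebLogin\n'
  setup_commands penn:isc:communications:www:iscWebsiteAdministrators arn:aws:iam::aws:policy/AdministratorAccess "$trust_file"
  setup_commands penn:isc:communications:www:iscWebsiteViewers arn:aws:iam::aws:policy/ReadOnlyAccess "$trust_file"
}

# Usage: sh setup_saml_roles.sh <aws-account-number> | sh   (omit "| sh" to review)
if [ $# -ge 1 ]; then
  main "$1"
fi
```

Running it without the trailing `| sh` only writes assume_role_policy.txt and lists the commands, which is a convenient way to check the role names against the grouper groups before anything is created.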

After this is completed, once again contact the Penn Web Login team, who will supply you with a URL that can be used to log on to the AWS console. This is needed since AWS uses an IdP-initiated SSO workflow. Please see this web page for more details.

If you have any comments, questions or other observations, please contact me directly via email: vmic@isc.upenn.edu.