Skip to main content

Using Web Identity Federation to Authenticate AWS Account Access for a Remote User

Hands-On Lab

 

Photo of Craig Arcuri

Craig Arcuri

AWS Training Architect II in Content

Length

00:30:00

Difficulty

Advanced

This Learning Activity uses the AWS Web Identity Federation Playground to examine the inner workings of Web Identity Federation. After selecting an identity provider (Amazon), students will be able to view request and response headers, including access keys provided during web identity federation. The Web Identity Federation Playground will give students an in-depth look at the authentication and authorization taking place during Web Identity Federation. Additionally, students will be able to work through a real-world scenario, using a Python script to interact with Web Identity Federation.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Using Web Identity Federation to Authenticate AWS Account Access for a Remote User

Introduction

This hands-on lab uses the AWS Web Identity Federation Playground to examine the inner workings of Web Identity Federation.

Solution

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) region throughout the lab. Use the credentials provided on the main lab page.

In a second browser window or tab, navigate to the Web Identity Federation Playground.

In yet another browser window or tab, download the Python script.

Right-click the file named originalWebFed.py and click Save as to save the file locally.

Create an EC2 Instance

  1. Navigate to the EC2 dashboard, and click Launch Instance.
  2. On the AMI page, select the Amazon Linux 2 AMI.
  3. Leave t2.micro selected, and click Next: Configure Instance Details.
  4. On the Configure Instance Details page, set the following value:
    • Auto-assign Public IP: Enable
  5. Click Review and Launch, and then Launch.
  6. In the key pair pop-up, select Create a new key pair.
  7. Give it a Key pair name of "webidfed".
  8. Click Download Key Pair, and then Launch Instances.
  9. Click View Instances, and give it a few minutes to enter the running state.

Authenticate User via Identity Provider

  1. In the Web Identity Federation Playground, click Login with Amazon. You may need to use your own 3rd party log on for the test.
  2. In the Response section, observe that it passes back an access_token.
  3. Click Proceed to Step 2.
  4. Click Call AssumeRoleWithWebIdentity.
  5. Click Proceed to Step 3.
  6. In the Action section, by the ListBucket dropdown, click Go.
  7. Now, click ListBucket, select GetObject in the dropdown, and click Go.

Web Identity Federation in the Real World

  1. Get a new token in the Web Identity Federation Playground.

  2. In the EC2 instance dashboard, click Connect at the top.

  3. In the Connect to Your Instance dialog, copy the chmod command.

  4. Open a terminal session and change to your downloads directory (using the cd command), or wherever your key pair saved earlier.

  5. Paste the chmod command:

    chmod 400 webidfed.pem
  6. Log in to the instance via SSH using the command in the Connect to Your Instance dialog.

Install Python

  1. Update packages:

    sudo yum update
  2. Make sure you have Python:

    python --version
  3. Install pip:

    sudo easy_install pip
  4. Install Boto 3:

    sudo pip install boto3

Run the Python Script

  1. Open a text editor and paste in the Python script you downloaded earlier:

    import boto3
    
    client = boto3.client('sts')
    
    arn = 'arn:aws:iam:xxxxxxxxxxxx:role/WebIdFed_Amazon'
    session_name = 'web-identity-federation'
    token = '...'
    
    creds = client.assume_role_with_web_identity(
        RoleArn=arn,
        RoleSessionName=session_name,
        WebIdentityToken=token,
        ProviderId='www.amazon.com',
    )
    
    print creds['AssumedRoleUser']['Arn']
    print creds['AssumedRoleUser']['AssumedRoleId']
  2. Copy your access_token from the Web Identity Federation Playground page, and decode it on a site like URLdecoder.org.

  3. Paste in the decoded access token to the token part of the Python script.

  4. Replace the ARN with yours.

  5. In the terminal, create a new file:

    vim webfed.py
  6. Paste in the Python script.

  7. Hit Escape and then save and exit:

    :wq!
  8. Make it executable:

    chmod +x webfed.py
  9. Run it:

    python webfed.py

Conclusion

Congratulations on completing this hands-on lab!