
Working with Web Identity Federation to Authenticate AWS Account Access for a Remote User

Hands-On Lab



Julie Elkins

AWS Training Architect I in Content

Length

01:00:00

Difficulty

Advanced

In this hands-on lab, we will use the AWS Web Identity Federation Playground to examine the inner workings of the Web Identity Federation. After selecting an identity provider (Amazon), we will be able to view request and response headers, including access keys provided during web identity federation. The Web Identity Federation Playground will give us an in-depth look at the authentication and authorization taking place during Web Identity Federation. Additionally, students will be able to work through a real-world scenario, using a Python script to interact with the Web Identity Federation.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Working with Web Identity Federation to Authenticate AWS Account Access for a Remote User

In this hands-on lab, we will use the AWS Web Identity Federation Playground to examine the inner workings of Web Identity Federation. Using Amazon as the identity provider, we will view both request and response headers, including the access keys handed out during web identity federation.

The Web Identity Federation Playground will give us an in-depth look at the authentication and authorization taking place during Web Identity Federation. To do this, we will be using Python scripts.

Before We Begin

To get started, we need to log into the AWS portal using the provided credentials. We also need to open the provided links in separate tabs or windows and download our Python script from GitHub. Finally, we need to make sure that Python is installed on the machine whose terminal we will be working from.

Create an EC2 Instance

To create an EC2 Instance, we need to perform the following:

  1. Navigate to the EC2 dashboard, and click Launch Instance.
  2. On the AMI page, select the Amazon Linux 2 AMI option.
  3. For the size, leave it as t2.micro, then click Next: Configure Instance Details.
  4. On the Configure Instance Details page set the Auto-assign Public IP value to Enable and leave the rest as the defaults.
  5. Select Next until you come to the Configure Security Group page.
  6. Select Review and Launch, and then Launch.
  7. In the key pair pop-up, from the first dropdown, select Create a new key pair.
  8. Give it a Key pair name of "webkeypair".
  9. Click Download Key Pair, and then Launch Instances.
  10. Click View Instances and give it a few minutes to enter the running state.

Authenticate User via Identity Provider

With our instance created and key pair downloaded, we need to authenticate our user via the identity provider. To do so, switch to the Web Identity Federation Playground and complete the following:

  1. Open the Web Identity Federation Playground tab.
  2. Click Login with Amazon. You may need to use your own, or a third-party, login.
  3. In the Response section, observe that it passes back an access_token.
  4. Click Proceed to Step 2.
  5. Click Call AssumeRoleWithWebIdentity.
  6. Click Proceed to Step 3.
  7. In the Action section, by the ListBucket dropdown, click Go.
  8. Now, click ListBucket, select GetObject in the dropdown, and click Go.

This completes the authentication process.

Web Identity Federation in the Real World

For the next part of the lab, we will be using a terminal.

  1. In the EC2 instance dashboard, click Connect at the top.
  2. In the Connect to Your Instance dialog, copy the chmod command.
  3. Open a terminal session and use the cd command to change to our downloads directory, or wherever we saved our key pair.
  4. Check to make sure that the file is in this directory by using ls.

Install Python

To work with Python, do the following:

  1. Update the packages:

    sudo yum update
  2. Check that Python is installed on the machine:

    python --version
  3. Install pip:

    python get-pip.py
  4. Install Boto 3:

    sudo pip install boto3
  5. Once we're in the correct directory, paste the chmod command you copied from the EC2 instance:

    chmod 400 webidfed.pem
  6. Log in to the instance via SSH using the command provided in the Connect to Your Instance dialog.

Run the Python script

Our final step is to run the Python script. To do this, use the GitHub link provided with the lab credentials and complete the following:

  1. Open the originalWebFeb.py file.

  2. Select Raw to open the script.

  3. Open your preferred text editor and paste the Python script into it:

    import boto3

    # STS client; AssumeRoleWithWebIdentity needs no AWS credentials of its own,
    # the web identity token is the only proof presented
    client = boto3.client('sts')

    # Role ARN from the playground page (note the empty region field: 'iam::')
    arn = 'arn:aws:iam::xxxxxxxxxxxx:role/WebIdFed_Amazon'
    session_name = 'web-identity-federation'
    # URL-decoded access_token copied from the playground
    token = '...'

    creds = client.assume_role_with_web_identity(
        RoleArn=arn,
        RoleSessionName=session_name,
        WebIdentityToken=token,
        ProviderId='www.amazon.com',  # identifies Login with Amazon as the provider
    )

    # The temporary keys are in creds['Credentials']; print the assumed-role identity
    print(creds['AssumedRoleUser']['Arn'])
    print(creds['AssumedRoleUser']['AssumedRoleId'])
  4. Copy your access_token from the Web Identity Federation Playground page and URL-decode it, for example on a site like URLdecoder.org.

  5. Copy the decoded token.

  6. Return to the text editor and paste the decoded access token into the token line of the Python script, which looks like this: token = '...'

  7. Back on the Web Identity Federation Playground page, copy the Role Arn and replace the placeholder in the arn line with the new Role Arn.

  8. In the terminal, create a new file:

    vim webfed.py
  9. Paste in the updated Python script.

  10. Hit Escape and then save and exit:

    :wq!
  11. Make the webfed.py executable:

    chmod +x webfed.py
  12. Run the file:

    python webfed.py

The ARN and the AssumedRoleId from the Response section of the Web Identity Federation Playground page appear, letting us know that we've completed the lab correctly.
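As an added example (not the lab's script or the playground's code), here is the same STS exchange, plus the ListBucket and GetObject calls the playground exercises, written as functions that can be checked without AWS: the token is URL-decoded locally and the STS and S3 clients are injected, so a fake client can stand in for boto3. The account id in ROLE_ARN is a placeholder.

```python
from urllib.parse import unquote

# Placeholder account id: the playground page shows the real role ARN.
ROLE_ARN = "arn:aws:iam::123456789012:role/WebIdFed_Amazon"
SESSION_NAME = "web-identity-federation"
PROVIDER_ID = "www.amazon.com"  # required for Login with Amazon OAuth tokens


def decode_access_token(raw: str) -> str:
    """The playground shows the token URL-encoded ('|' as '%7C' and so on).
    Decoding locally avoids pasting a live bearer token into a website."""
    return unquote(raw.strip())


def federate(sts, raw_token: str, role_arn: str = ROLE_ARN) -> dict:
    """Exchange the identity provider's token for temporary AWS credentials.
    `sts` is anything exposing assume_role_with_web_identity(**kwargs)."""
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=SESSION_NAME,
        WebIdentityToken=decode_access_token(raw_token),
        ProviderId=PROVIDER_ID,
        DurationSeconds=900,  # the minimum STS allows; enough for two S3 calls
    )
    c = resp["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],  # mandatory for federated sessions
        "expiration": c["Expiration"],
        "assumed_role_arn": resp["AssumedRoleUser"]["Arn"],
        "assumed_role_id": resp["AssumedRoleUser"]["AssumedRoleId"],
    }


def list_and_get(s3, bucket: str, key: str):
    """The two actions the playground exercises: ListBucket, then GetObject.
    `s3` is a client built from the federated credentials (or a fake)."""
    listing = s3.list_objects_v2(Bucket=bucket)
    keys = [obj["Key"] for obj in listing.get("Contents", [])]
    body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
    return keys, body


if __name__ == "__main__":
    import boto3  # only needed against real AWS; the helpers above never import it
    creds = federate(boto3.client("sts"), input("access_token: "))
    print(creds["assumed_role_arn"])
    print(creds["assumed_role_id"])
```

To use the returned credentials with boto3, pass all three of aws_access_key_id, aws_secret_access_key and aws_session_token to boto3.client("s3", ...); leaving out the session token makes every call fail.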

Conclusion

Congratulations—you've completed the lab!