├── .github └── workflows │ └── release.yaml ├── LICENSE ├── README.md └── src └── assume-aws-role ├── FAQS.md ├── NOTES.md ├── README.md ├── devcontainer-feature.json └── install.sh /.github/workflows/release.yaml: -------------------------------------------------------------------------------- 1 | name: "Release dev container features & Generate Documentation" 2 | on: 3 | workflow_dispatch: 4 | 5 | jobs: 6 | deploy: 7 | if: ${{ github.ref == 'refs/heads/main' }} 8 | runs-on: ubuntu-latest 9 | steps: 10 | - uses: actions/checkout@v2 11 | 12 | - name: "Publish Features" 13 | uses: devcontainers/action@v1 14 | with: 15 | publish-features: "true" 16 | base-path-to-features: "./src" 17 | generate-docs: "true" 18 | 19 | env: 20 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 21 | 22 | - name: Create PR for Documentation 23 | id: push_image_info 24 | env: 25 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 26 | run: | 27 | set -e 28 | echo "Start." 29 | # Configure git and Push updates 30 | git config --global user.email github-actions@github.com 31 | git config --global user.name github-actions 32 | git config pull.rebase false 33 | branch=automated-documentation-update-$GITHUB_RUN_ID 34 | git checkout -b $branch 35 | message='Automated documentation update' 36 | # Add / update and commit 37 | git add */**/README.md 38 | git commit -m 'Automated documentation update [skip ci]' || export NO_UPDATES=true 39 | # Push 40 | if [ "$NO_UPDATES" != "true" ] ; then 41 | git push origin "$branch" 42 | gh pr create --title "$message" --body "$message" 43 | fi 44 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | Copyright 2022 Scaffoldly LLC 177 | 178 | Licensed under the Apache License, Version 2.0 (the "License"); 179 | you may not use this file except in compliance with the License. 180 | You may obtain a copy of the License at 181 | 182 | http://www.apache.org/licenses/LICENSE-2.0 183 | 184 | Unless required by applicable law or agreed to in writing, software 185 | distributed under the License is distributed on an "AS IS" BASIS, 186 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 187 | See the License for the specific language governing permissions and 188 | limitations under the License. 189 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SAML.to Development Container Features 2 | 3 | ## Contents 4 | 5 | This repository contains a collection of features which leverage [SAML.to](https://saml.to) for [Development Containers](https://containers.dev). Click on the following links for documentation of each feature. 6 | 7 | - [assume-aws-role](src/assume-aws-role/README.md) 8 | - Allows assumption of AWS IAM Roles within Development Containers 9 | 10 | ## Maintainers 11 | 12 | - [Scaffoldly](https://github.com/scaffoldly) 13 | - [cnuss](https://github.com/cnuss) 14 | 15 | ## License 16 | 17 | [Apache-2.0 License](LICENSE) 18 | 19 | ![](https://sso.saml.to/github/px?devcontainer) 20 | -------------------------------------------------------------------------------- /src/assume-aws-role/FAQS.md: -------------------------------------------------------------------------------- 1 | # Frequently Asked Questions 2 | 3 | Have a question? Please [Create an Issue](https://github.com/saml-to/devcontainer-features/issues) or [Start a Discussion](https://github.com/saml-to/devcontainer-features/discussions). 4 | 5 | ## Can Roles be Assumed be used in GitHub Actions? 6 | 7 | Yes! Use our [assume-aws-role-action](https://github.com/saml-to/assume-aws-role-action). 8 | 9 | ## Can Roles be Assumed outside of Codespaces? 10 | 11 | Yes! Use our [GitHub App](https://github.com/apps/saml-to) in conjunction with our [CLI](https://github.com/saml-to/cli). 12 | 13 | ## I get an error that "Multiple Roles Match" a given Role... 14 | 15 | Find your organization's `saml-to.yml`. You'll likely find that the same Role ARN is defined twice: 16 | 17 | ```yaml 18 | # ...snip... 19 | permissions: 20 | aws: 21 | roles: 22 | - name: arn:aws:iam::123456789012:role/some-role 23 | users: 24 | github: 25 | - some-user 26 | another-aws: # the desired provider 27 | roles: 28 | - name: arn:aws:iam::123456789012:role/some-role 29 | users: 30 | github: 31 | - another-user 32 | ``` 33 | 34 | Update your `devcontainer.json` to explicitly specify which provider to use: 35 | 36 | ### Usage in `devcontainer.json` 37 | 38 | ```json 39 | "features": { 40 | "ghcr.io/saml-to/devcontainer-features/assume-aws-role:2": { 41 | "role": "arn:aws:iam::123456789012:role/some-role", 42 | "provider": "another-aws" // matches "the desired provider" 43 | } 44 | } 45 | ``` 46 | -------------------------------------------------------------------------------- /src/assume-aws-role/NOTES.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | This Devcontainer Feature enables GitHub Codespaces to obtain AWS Access Credentials for a desired IAM Role using **AWS IAM SAML** and a **GitHub Actions Repository Token**. 4 | 5 | Benefits: 6 | 7 | - No need to copy/paste AWS Access Tokens into Codespaces Secrets 8 | - No need to rotate AWS Access Tokens 9 | 10 | This action uses [SAML.to](https://saml.to) and an [AWS IAM Identity Provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) to exchange the [Codespace User's GitHub Token](https://docs.github.com/en/codespaces/codespaces-reference/security-in-github-codespaces#authentication) for AWS Access Credentials. 11 | 12 | This feature will store and rotate AWS credentials for the Devcontainer in: 13 | 14 | - `/home/codespace/.aws/credentials` 15 | - `/home/codespace/.aws/config` 16 | 17 | ### Usage in `devcontainer.json` 18 | 19 | ```json 20 | "features": { 21 | "ghcr.io/saml-to/devcontainer-features/assume-aws-role:2": { 22 | "role": "arn:aws:iam::123456789012:role/some-role" 23 | } 24 | } 25 | ``` 26 | 27 | ## Usage 28 | 29 | 1. Follow the [Installation](#installation) instructions 30 | 1. [Launch the Devcontainer](#step-2-add-the-feature-to-devcontainerjson) using GitHub Codespaces 31 | 1. The `assume-aws-role` feature will automatically create and update: 32 | - `/home/codespace/.aws/credentials` 33 | - `/home/codespace/.aws/config` 34 | - When: 35 | - When first connecting to a codespace 36 | - Before the credentials expire (every ~30 minutes) 37 | 38 | #### With the AWS CLI 39 | 40 | Within a Terminal of Codespaces, you can: 41 | 42 | - `aws sts get-caller-identity`: Show which role is assumed 43 | - `aws s3 cp ...`: For example, if the role is granted S3 Access 44 | - `aws ec2 describe-instances`: For example, if the role is granted EC2 Access 45 | 46 | #### Within an Application 47 | 48 | If Codespaces launches an Application (Python, Node, etc.) the AWS SDK installed ([boto3](https://pypi.org/project/boto3/), [@aws-sdk](https://www.npmjs.com/package/aws-sdk), etc) is configured to read credentials from `~/.aws/credentials`. 49 | 50 | In Python (or even a [Jupyter Notebook](https://github.com/github/codespaces-jupyter) codespace!), for example: 51 | 52 | ```bash 53 | pip install boto3 54 | ``` 55 | 56 | ```python 57 | import boto3 58 | 59 | sts = boto3.client('sts') 60 | s3 = boto3.client('s3') 61 | 62 | print(sts.get_caller_identity()) 63 | print(s3.list_buckets()) 64 | ``` 65 | 66 | ## Installation 67 | 68 | ### Step 1: Configure AWS 69 | 70 | 1. [Download Your Metadata](https://saml.to/metadata) from SAML.to 71 | 1. If you haven't already, create a new **SAML** [Identity Provider](https://console.aws.amazon.com/iamv2/home?#/identity_providers/create) in AWS IAM 72 | 1. **Provider Name**: _saml.to_ 73 | 1. **Metadata Document**: _Upload the **IdP Metadata** from [SAML.to](https://saml.to/metadata)_ 74 | 1. Make note of the **`Provder ARN`** in the AWS console 75 | 1. [Create or Edit an IAM Role](https://console.aws.amazon.com/iamv2/home?#/roles). Set the [Trust Relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) on a the Role to contain the following statement: 76 | 77 | ``` 78 | { 79 | "Version": "2012-10-17", 80 | "Statement": [ 81 | { 82 | "Effect": "Allow", 83 | "Principal": { 84 | "Federated": "PROVIDER_ARN" 85 | }, 86 | "Action": "sts:AssumeRoleWithSAML", 87 | "Condition": { 88 | "StringEquals": { 89 | "SAML:aud": "https://signin.aws.amazon.com/saml" 90 | } 91 | } 92 | } 93 | ] 94 | } 95 | ``` 96 | 97 | - Replace `PROVIDER_ARN` with the newly created ARN of the provider, e.g. `arn:aws:iam::123456789012:saml-provider/saml.to` 98 | - Make note of the **`Role ARN`** for this Role 99 | 100 | 1. Add a new file named _`saml-to.yml`_ to the Codespaces Repository: 101 | 102 | `your-codespaces-repository/saml-to.yml`: 103 | 104 | ``` 105 | --- 106 | version: "20220101" 107 | providers: 108 | aws: 109 | entityId: https://signin.aws.amazon.com/saml 110 | acsUrl: https://signin.aws.amazon.com/saml 111 | attributes: 112 | https://aws.amazon.com/SAML/Attributes/RoleSessionName: "<#= repo.name #>" 113 | https://aws.amazon.com/SAML/Attributes/SessionDuration: "3600" 114 | https://aws.amazon.com/SAML/Attributes/Role: "<#= system.selectedRole #>,<#= provider.variables.providerArn #>" 115 | permissions: 116 | aws: 117 | roles: 118 | - name: ROLE_ARN # Change this 119 | provider: 120 | variables: 121 | providerArn: PROVIDER_ARN # Change this 122 | users: 123 | github: 124 | - YOUR_GITHUB_USERNAME # Change this 125 | ``` 126 | 127 | - Replace `PROVIDER_ARN` with the ARN of the provider created above (e.g. `arn:aws:iam::123456689012:saml-provider/my-repository`) 128 | - Replace `ROLE_ARN` with the ARN of the IAM Role modified above. (e.g. `arn:aws:iam::123456689012:role/admin`) 129 | - Replace `YOUR_GITHUB_USERNAME` with your GitHub User ID (e.g. `octokat`) 130 | - _Optional_: List any additional Github User IDs that may need this Codespace and Role 131 | 132 | 1. **Commit and Push** the changes to `saml-to.yml` to the **Default Branch** of the Codespaces Repository. 133 | 134 | ### Step 2: Add the Feature to `devcontainer.json` 135 | 136 | 1. Modify [`.devcontainer.json`](https://code.visualstudio.com/docs/devcontainers/create-dev-container) to add a `feature` which will setup the AWS Role: 137 | 138 | `your-repository/.devcontainer/devcontainer.json` or `your-repository/.devcontainer.json`: 139 | 140 | ``` 141 | { 142 | ... other devcontainer.json configuration ... 143 | 144 | "features": { 145 | "ghcr.io/saml-to/devcontainer-features/assume-aws-role:2": { 146 | "role": "ROLE_ARN" 147 | }, 148 | "ghcr.io/devcontainers/features/aws-cli:1": {} 149 | } 150 | } 151 | ``` 152 | 153 | - Replace `ROLE_ARN` with the ARN of the IAM Role modified above. (e.g. `arn:aws:iam::123456689012:role/admin`) 154 | - _Note_: If installing `aws` CLI is not desired, remove `"ghcr.io/devcontainers/features/aws-cli:1": {}` 155 | 156 | 1. Rebuild the Container or Restart the Codespace to enable the Feature 157 | 158 | ### Changing the Default Region 159 | 160 | Add the `region` option to the `assume-aws-role` feature: 161 | 162 | `your-repository/.devcontainer/devcontainer.json` or `your-repository/.devcontainer.json`: 163 | 164 | ``` 165 | { 166 | ... other devcontainer.json configuration ... 167 | 168 | "features": { 169 | "ghcr.io/saml-to/devcontainer-features/assume-aws-role:1": { 170 | "role": "ROLE_ARN", 171 | "region": "us-west-2" 172 | }, 173 | "ghcr.io/devcontainers/features/aws-cli:1": {} 174 | } 175 | } 176 | ``` 177 | 178 | ## FAQs 179 | 180 | See [FAQs](FAQS.md) 181 | 182 | ## Maintainers 183 | 184 | - [Scaffoldly](https://github.com/scaffoldly) 185 | - [cnuss](https://github.com/cnuss) 186 | 187 | ## Help & Support 188 | 189 | - [Message us on Gitter](https://gitter.im/saml-to/devcontainer-features) 190 | - [Support via Twitter](https://twitter.com/SamlToSupport) 191 | - [Discussions](https://github.com/saml-to/devcontainer-features/discussions) 192 | - [Issues](https://github.com/saml-to/devcontainer-features/issues) 193 | 194 | ![](https://sso.saml.to/github/px?devcontainer-aws-assume-role) 195 | -------------------------------------------------------------------------------- /src/assume-aws-role/README.md: -------------------------------------------------------------------------------- 1 | 2 | # Assume AWS Role (assume-aws-role) 3 | 4 | Assume an AWS role using SAML.to 5 | 6 | ## Example Usage 7 | 8 | ```json 9 | "features": { 10 | "ghcr.io/saml-to/devcontainer-features/assume-aws-role:2": {} 11 | } 12 | ``` 13 | 14 | ## Options 15 | 16 | | Options Id | Description | Type | Default Value | 17 | |-----|-----|-----|-----| 18 | | role | (Optional) The AWS Role Name (or ARN). If specified, role prompts will be skipped. | string | - | 19 | | profile | (Optional) The AWS Profile (in `~/.aws) to set. | string | default | 20 | | region | (Optional) The AWS region (in `~/.aws/config) to set. | string | us-east-1 | 21 | | org | (Optional) The GitHub user/organization for which to use a `saml-to.yml`. | string | - | 22 | | provider | (Optional) The Provider Key in the user/organization's `saml-to.yml`. | string | - | 23 | 24 | ## Customizations 25 | 26 | ### VS Code Extensions 27 | 28 | - `saml-to.saml-to-vscode` 29 | 30 | ## Overview 31 | 32 | This Devcontainer Feature enables GitHub Codespaces to obtain AWS Access Credentials for a desired IAM Role using **AWS IAM SAML** and a **GitHub Actions Repository Token**. 33 | 34 | Benefits: 35 | 36 | - No need to copy/paste AWS Access Tokens into Codespaces Secrets 37 | - No need to rotate AWS Access Tokens 38 | 39 | This action uses [SAML.to](https://saml.to) and an [AWS IAM Identity Provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) to exchange the [Codespace User's GitHub Token](https://docs.github.com/en/codespaces/codespaces-reference/security-in-github-codespaces#authentication) for AWS Access Credentials. 40 | 41 | This feature will store and rotate AWS credentials for the Devcontainer in: 42 | 43 | - `/home/codespace/.aws/credentials` 44 | - `/home/codespace/.aws/config` 45 | 46 | ### Usage in `devcontainer.json` 47 | 48 | ```json 49 | "features": { 50 | "ghcr.io/saml-to/devcontainer-features/assume-aws-role:2": { 51 | "role": "arn:aws:iam::123456789012:role/some-role" 52 | } 53 | } 54 | ``` 55 | 56 | ## Usage 57 | 58 | 1. Follow the [Installation](#installation) instructions 59 | 1. [Launch the Devcontainer](#step-2-add-the-feature-to-devcontainerjson) using GitHub Codespaces 60 | 1. The `assume-aws-role` feature will automatically create and update: 61 | - `/home/codespace/.aws/credentials` 62 | - `/home/codespace/.aws/config` 63 | - When: 64 | - When first connecting to a codespace 65 | - Before the credentials expire (every ~30 minutes) 66 | 67 | #### With the AWS CLI 68 | 69 | Within a Terminal of Codespaces, you can: 70 | 71 | - `aws sts get-caller-identity`: Show which role is assumed 72 | - `aws s3 cp ...`: For example, if the role is granted S3 Access 73 | - `aws ec2 describe-instances`: For example, if the role is granted EC2 Access 74 | 75 | #### Within an Application 76 | 77 | If Codespaces launches an Application (Python, Node, etc.) the AWS SDK installed ([boto3](https://pypi.org/project/boto3/), [@aws-sdk](https://www.npmjs.com/package/aws-sdk), etc) is configured to read credentials from `~/.aws/credentials`. 78 | 79 | In Python (or even a [Jupyter Notebook](https://github.com/github/codespaces-jupyter) codespace!), for example: 80 | 81 | ```bash 82 | pip install boto3 83 | ``` 84 | 85 | ```python 86 | import boto3 87 | 88 | sts = boto3.client('sts') 89 | s3 = boto3.client('s3') 90 | 91 | print(sts.get_caller_identity()) 92 | print(s3.list_buckets()) 93 | ``` 94 | 95 | ## Installation 96 | 97 | ### Step 1: Configure AWS 98 | 99 | 1. [Download Your Metadata](https://saml.to/metadata) from SAML.to 100 | 1. If you haven't already, create a new **SAML** [Identity Provider](https://console.aws.amazon.com/iamv2/home?#/identity_providers/create) in AWS IAM 101 | 1. **Provider Name**: _saml.to_ 102 | 1. **Metadata Document**: _Upload the **IdP Metadata** from [SAML.to](https://saml.to/metadata)_ 103 | 1. Make note of the **`Provder ARN`** in the AWS console 104 | 1. [Create or Edit an IAM Role](https://console.aws.amazon.com/iamv2/home?#/roles). Set the [Trust Relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) on a the Role to contain the following statement: 105 | 106 | ``` 107 | { 108 | "Version": "2012-10-17", 109 | "Statement": [ 110 | { 111 | "Effect": "Allow", 112 | "Principal": { 113 | "Federated": "PROVIDER_ARN" 114 | }, 115 | "Action": "sts:AssumeRoleWithSAML", 116 | "Condition": { 117 | "StringEquals": { 118 | "SAML:aud": "https://signin.aws.amazon.com/saml" 119 | } 120 | } 121 | } 122 | ] 123 | } 124 | ``` 125 | 126 | - Replace `PROVIDER_ARN` with the newly created ARN of the provider, e.g. `arn:aws:iam::123456789012:saml-provider/saml.to` 127 | - Make note of the **`Role ARN`** for this Role 128 | 129 | 1. Add a new file named _`saml-to.yml`_ to the Codespaces Repository: 130 | 131 | `your-codespaces-repository/saml-to.yml`: 132 | 133 | ``` 134 | --- 135 | version: "20220101" 136 | providers: 137 | aws: 138 | entityId: https://signin.aws.amazon.com/saml 139 | acsUrl: https://signin.aws.amazon.com/saml 140 | attributes: 141 | https://aws.amazon.com/SAML/Attributes/RoleSessionName: "<#= repo.name #>" 142 | https://aws.amazon.com/SAML/Attributes/SessionDuration: "3600" 143 | https://aws.amazon.com/SAML/Attributes/Role: "<#= system.selectedRole #>,<#= provider.variables.providerArn #>" 144 | permissions: 145 | aws: 146 | roles: 147 | - name: ROLE_ARN # Change this 148 | provider: 149 | variables: 150 | providerArn: PROVIDER_ARN # Change this 151 | users: 152 | github: 153 | - YOUR_GITHUB_USERNAME # Change this 154 | ``` 155 | 156 | - Replace `PROVIDER_ARN` with the ARN of the provider created above (e.g. `arn:aws:iam::123456689012:saml-provider/my-repository`) 157 | - Replace `ROLE_ARN` with the ARN of the IAM Role modified above. (e.g. `arn:aws:iam::123456689012:role/admin`) 158 | - Replace `YOUR_GITHUB_USERNAME` with your GitHub User ID (e.g. `octokat`) 159 | - _Optional_: List any additional Github User IDs that may need this Codespace and Role 160 | 161 | 1. **Commit and Push** the changes to `saml-to.yml` to the **Default Branch** of the Codespaces Repository. 162 | 163 | ### Step 2: Add the Feature to `devcontainer.json` 164 | 165 | 1. Modify [`.devcontainer.json`](https://code.visualstudio.com/docs/devcontainers/create-dev-container) to add a `feature` which will setup the AWS Role: 166 | 167 | `your-repository/.devcontainer/devcontainer.json` or `your-repository/.devcontainer.json`: 168 | 169 | ``` 170 | { 171 | ... other devcontainer.json configuration ... 172 | 173 | "features": { 174 | "ghcr.io/saml-to/devcontainer-features/assume-aws-role:2": { 175 | "role": "ROLE_ARN" 176 | }, 177 | "ghcr.io/devcontainers/features/aws-cli:1": {} 178 | } 179 | } 180 | ``` 181 | 182 | - Replace `ROLE_ARN` with the ARN of the IAM Role modified above. (e.g. `arn:aws:iam::123456689012:role/admin`) 183 | - _Note_: If installing `aws` CLI is not desired, remove `"ghcr.io/devcontainers/features/aws-cli:1": {}` 184 | 185 | 1. Rebuild the Container or Restart the Codespace to enable the Feature 186 | 187 | ### Changing the Default Region 188 | 189 | Add the `region` option to the `assume-aws-role` feature: 190 | 191 | `your-repository/.devcontainer/devcontainer.json` or `your-repository/.devcontainer.json`: 192 | 193 | ``` 194 | { 195 | ... other devcontainer.json configuration ... 196 | 197 | "features": { 198 | "ghcr.io/saml-to/devcontainer-features/assume-aws-role:1": { 199 | "role": "ROLE_ARN", 200 | "region": "us-west-2" 201 | }, 202 | "ghcr.io/devcontainers/features/aws-cli:1": {} 203 | } 204 | } 205 | ``` 206 | 207 | ## FAQs 208 | 209 | See [FAQs](FAQS.md) 210 | 211 | ## Maintainers 212 | 213 | - [Scaffoldly](https://github.com/scaffoldly) 214 | - [cnuss](https://github.com/cnuss) 215 | 216 | ## Help & Support 217 | 218 | - [Message us on Gitter](https://gitter.im/saml-to/devcontainer-features) 219 | - [Support via Twitter](https://twitter.com/SamlToSupport) 220 | - [Discussions](https://github.com/saml-to/devcontainer-features/discussions) 221 | - [Issues](https://github.com/saml-to/devcontainer-features/issues) 222 | 223 | ![](https://sso.saml.to/github/px?devcontainer-aws-assume-role) 224 | 225 | 226 | --- 227 | 228 | _Note: This file was auto-generated from the [devcontainer-feature.json](https://github.com/saml-to/devcontainer-features/blob/main/src/assume-aws-role/devcontainer-feature.json). Add additional notes to a `NOTES.md`._ 229 | -------------------------------------------------------------------------------- /src/assume-aws-role/devcontainer-feature.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Assume AWS Role", 3 | "id": "assume-aws-role", 4 | "version": "2.0.1", 5 | "description": "Assume an AWS role using SAML.to", 6 | "customizations": { 7 | "vscode": { 8 | "extensions": ["saml-to.saml-to-vscode"] 9 | } 10 | }, 11 | "options": { 12 | "role": { 13 | "type": "string", 14 | "description": "(Optional) The AWS Role Name (or ARN). If specified, role prompts will be skipped.", 15 | "default": "" 16 | }, 17 | "profile": { 18 | "type": "string", 19 | "description": "(Optional) The AWS Profile (in `~/.aws) to set.", 20 | "default": "default" 21 | }, 22 | "region": { 23 | "type": "string", 24 | "description": "(Optional) The AWS region (in `~/.aws/config) to set.", 25 | "default": "us-east-1" 26 | }, 27 | "org": { 28 | "type": "string", 29 | "description": "(Optional) The GitHub user/organization for which to use a `saml-to.yml`.", 30 | "default": "" 31 | }, 32 | "provider": { 33 | "type": "string", 34 | "description": "(Optional) The Provider Key in the user/organization's `saml-to.yml`.", 35 | "default": "" 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /src/assume-aws-role/install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | echo "Setting up AWS credentials..." 5 | 6 | # TODO Install saml-to CLI 7 | 8 | mkdir -p /etc/saml-to/aws 9 | chmod -R +r /etc/saml-to 10 | 11 | if [ -n "${ORG}" ]; then 12 | echo "${ORG}" > /etc/saml-to/org 13 | chmod +r /etc/saml-to/org 14 | fi 15 | 16 | if [ -n "${PROVIDER}" ]; then 17 | echo "${PROVIDER}" > /etc/saml-to/provider 18 | chmod +r /etc/saml-to/provider 19 | fi 20 | 21 | if [ -n "${ROLE}" ]; then 22 | echo "${ROLE}" > /etc/saml-to/aws/role 23 | chmod +r /etc/saml-to/aws/role 24 | fi 25 | 26 | if [ -z "${REGION}" ]; then 27 | REGION="us-east-1" 28 | fi 29 | echo "${REGION}" > /etc/saml-to/aws/region 30 | chmod +r /etc/saml-to/aws/region 31 | 32 | if [ -z "${PROFILE}" ]; then 33 | PROFILE="default" 34 | fi 35 | echo "${PROFILE}" > /etc/saml-to/aws/profile 36 | chmod +r /etc/saml-to/aws/profile 37 | --------------------------------------------------------------------------------