Initial commit for shell script to add SAML integration to AWS account

internet2 · Oct 4, 2018 · b4a064d · b4a064d
1 parent b1b5c8a
commit b4a064d
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/create_saml_aws.sh b/create_saml_aws.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+echo \# run the following commands replacing name with the IDP name (if needed)
+echo
+echo aws iam create-saml-provider --saml-metadata-document file://login.at.internet2.edu-metadata.xml --name login.at.internet2.edu
+echo
+echo \# edit shibpolicy.json and replace the ARN with the ARN of the new account
+echo
+echo aws iam create-role --role-name administrator --assume-role-policy-document file://shibpolicy.json
+echo aws iam attach-role-policy --role-name administrator --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
+echo aws iam create-role --role-name readonly --assume-role-policy-document file://shibpolicy.json
+echo aws iam attach-role-policy --role-name readonly --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
diff --git a/idp.xml b/idp.xml
diff --git a/shibpolicy.json b/shibpolicy.json
@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "sts:AssumeRoleWithSAML",
+      "Principal": {
+        "Federated": "arn:aws:iam::123456789012:saml-provider/login.at.internet2.edu"
+      },
+      "Condition": {
+        "StringEquals": {
+          "SAML:aud": "https://signin.aws.amazon.com/saml"
+        }
+      }
+    }
+  ]
+}