Hi!
I'm trying to implement the approach documented here (the link did not survive posting):
I have authentication set up and mostly working: I get AWS credentials back to my JS app. However, the credentials come back with an expiry equal to the time the delegation call was made, which makes them unusable. I tried the following rule to control the session lifetime, but it had no effect:
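/**
 * Auth0 rule: on an AWS delegation request, publish the AWS SAML attributes
 * (roles, session name, session duration) for this user.
 *
 * The function carries a name only so it can be exercised in isolation; the
 * body is what the rules engine runs.
 *
 * @param {object} user      Auth0 user profile. Reads user.email (via the
 *                           mapping) and the optional user.aws_roles list of
 *                           {account, roles: [...]} entries; writes user.awsRoles.
 * @param {object} context   Auth0 rule context. Reads context.protocol; writes
 *                           context.addonConfiguration.aws.
 * @param {function} callback Invoked exactly once as callback(null, user, context).
 */
function awsDelegationRule(user, context, callback) {
  if (context.protocol === 'delegation') {
    // AWS expects each Role value as "<saml-provider arn>,<role arn>".
    // The default role is always granted; per-account roles are added below.
    // (The opening "[" was lost in the forum markup of the original post.)
    user.awsRoles = [
      'arn:aws:iam::snip:saml-provider/our-auth0,arn:aws:iam::snip:role/some-default-role'
    ];

    // NOTE(review): user.aws_roles decides which AWS roles the assertion grants,
    // so it must come from a store the user cannot edit themselves
    // (app_metadata rather than user_metadata) - confirm where it is populated.
    if (Array.isArray(user.aws_roles)) {
      user.aws_roles.forEach(function (entry) {
        // Skip malformed entries rather than failing the whole login; the
        // user simply gets fewer roles (fail closed).
        if (!entry || !Array.isArray(entry.roles)) {
          return;
        }
        entry.roles.forEach(function (roleName) {
          user.awsRoles.push(
            'arn:aws:iam::' + entry.account + ':saml-provider/our-auth0,' +
            'arn:aws:iam::' + entry.account + ':role/some-' + roleName
          );
        });
      });
    }

    context.addonConfiguration = context.addonConfiguration || {};
    context.addonConfiguration.aws = context.addonConfiguration.aws || {};
    context.addonConfiguration.aws.principal = 'arn:aws:iam::snip:saml-provider/our-auth0';
    context.addonConfiguration.aws.role = 'arn:aws:iam::snip:role/some-default-role';
    // Each mapping pairs a SAML attribute with the name of the user-profile
    // attribute that supplies its value (awsRoles and email above).
    // NOTE(review): '43200' is a literal, not a profile attribute name, so the
    // SessionDuration entry is probably not resolved like the other two and may
    // be why the issued credentials expire immediately - confirm against the
    // Auth0 docs; if so, set e.g. user.awsSessionDuration = 43200 and map the
    // attribute to 'awsSessionDuration'.
    context.addonConfiguration.aws.mappings = {
      'https://aws.amazon.com/SAML/Attributes/Role': 'awsRoles',
      'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'email',
      'https://aws.amazon.com/SAML/Attributes/SessionDuration': '43200'
    };
  }
  callback(null, user, context);
}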
We use a similar approach for AWS console login, and it works great: we store a list of permitted accounts and roles per user and add those dynamically. With the console SAML flow, AWS presents a list of roles at login. Is it possible to specify which of the permitted roles I want to assume via the Auth0 JS API, like this? (Whichever role the client asks for, the rule would still need to check it against the user's permitted list, since AWS grants whatever role the SAML assertion names.)
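// Ask Auth0 to exchange the id_token for AWS credentials through the 'aws'
// delegation add-on. role/principal are the ARNs the client would like to use.
// NOTE(review): a client-chosen role must still be validated server-side (in
// the rule) against the user's permitted roles, since AWS honours whatever the
// SAML assertion says - confirm the rule does that before relying on this.
var options = {
  id_token: result.idToken,
  api: 'aws',
  role: ROLE_CHOSEN_BY_USER,
  principal: ARN_TO_ACCOUNT_PRINCIPAL
};
auth0.getDelegationToken(options, function (err, delegationResult) {
  // The original read delegationResult.Credentials even on error, which throws
  // when delegationResult is undefined; report the failure and stop instead.
  if (err) {
    console.error(err);
    return;
  }
  // Insert as text, not markup: jQuery .append(string) parses it as HTML.
  // (Showing live credentials in the page is fine for a demo only.)
  var rendered = JSON.stringify(delegationResult.Credentials, null, '\t');
  $('#result').append($('<pre>').text(rendered));
});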
My thanks in advance for any help you can provide!