Video streaming devops blog

G Suite CLI authentication

Google Apps AWS Security Token Service (STS)

We are happy to consider third-party services if they make life easier for us as system administrators. Many web services integrate well with “G Suite” (aka Google Apps), so web services are not a huge problem. CLI apps are a problem, because Google currently makes it almost impossible to authenticate from the CLI.

The problem we currently have is managing developer accounts on AWS. At present we manually set up each user, assign permissions, and send over the crucial AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY so developers can do their work. What we need instead are temporary security credentials, since keys might get misplaced or forgotten about. AWS Security Token Service (AWS STS) is Amazon’s answer to this problem.

Our own experiments, configuring “Federation” with SAML and using Chrome Dev Tools to sniff the SAML response from the browser, show us that it is possible to create temporary AWS keys with aws sts assume-role-with-saml; scripting Google’s login from the CLI is the challenge. It was working, but then it broke.

Hopefully Google will realise it’s important for enterprises like ourselves to continue to use their G Suite directory service (aka Identity Provider) for these use cases. Google’s characteristic lack of support is certainly making this a challenge, but it’s nice to know we aren’t the only devops guys with the problem.

Posted 2016-10-03

Devops at Spuul. Any tips or suggestions? Reach out!