We are happy to consider third-party services if said services make it easier for us System Administrators. Many Web services do integrate well with “G Suite” aka Google Apps, so it’s not a huge problem for Web services. For CLI apps it’s a problem because currently Google makes it almost impossible to authenticate from the CLI.
The problem we have currently is managing developer accounts on AWS. Currently we manually set up the user, assign permissions and send over the crucial AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for developers to do their work. Instead we need temporary security credentials, since keys might get misplaced or forgotten about. AWS Security Token Service (AWS STS) is Amazon’s answer to this problem.
Our own experiments configuring “Federation” with sniffing with Chrome Dev Tools the SAML response from the browser, show us it is possible to create temporary AWS keys with aws sts assume-role-with-saml, but scripting Google’s login from the CLI is the challenge. It was working, but then it broke.
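The step after the browser login, as an added example that is not from the original post: given the base64 SAMLResponse copied out of Dev Tools, it lists the role and provider ARN pairs the IdP offers and builds the aws sts assume-role-with-saml call for one of them. The sample response, account ID, role names and function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample response (unsigned, made-up account ID and role names).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="%s"><saml:Assertion><saml:AttributeStatement>'
    '<saml:Attribute Name="%s">'
    "<saml:AttributeValue>arn:aws:iam::123456789012:role/Developer,"
    "arn:aws:iam::123456789012:saml-provider/GSuite</saml:AttributeValue>"
    "<saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/GSuite,"
    "arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>"
    "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    "</samlp:Response>" % (ASSERTION_NS, ROLE_ATTR)
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def roles_from_saml(b64_response):
    """Return (role_arn, provider_arn) pairs offered in a base64 SAMLResponse."""
    # The response here comes from our own IdP login, not from untrusted input.
    root = ET.fromstring(base64.b64decode(b64_response))
    pairs = []
    for attr in root.iter("{%s}Attribute" % ASSERTION_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter("{%s}AttributeValue" % ASSERTION_NS):
            arns = [a.strip() for a in (value.text or "").split(",")]
            # The two ARNs may come in either order; tell them apart by type.
            role = [a for a in arns if ":role/" in a]
            provider = [a for a in arns if ":saml-provider/" in a]
            if len(arns) == 2 and len(role) == 1 and len(provider) == 1:
                pairs.append((role[0], provider[0]))
    return pairs

def sts_command(b64_response, role_arn, duration=3600):
    """Build the argv for assume-role-with-saml, refusing roles not offered."""
    for role, provider in roles_from_saml(b64_response):
        if role == role_arn:
            return ["aws", "sts", "assume-role-with-saml",
                    "--role-arn", role, "--principal-arn", provider,
                    "--saml-assertion", b64_response,
                    "--duration-seconds", str(duration)]
    raise ValueError("role not offered by the IdP: %s" % role_arn)
```

The returned list can be handed to subprocess.run; the credentials that come back expire after the requested duration, which is the property the long-lived access keys lack.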
Hopefully Google will realise it’s important for enterprises like ourselves to continue to use their G Suite directory service (aka Identity Provider) for these use cases. Google’s characteristic lack of support is certainly making this a challenge, but it’s nice to know we aren’t the only devops guys with the problem.
Devops at Spuul. Any tips or suggestions? Reach out!