Access AWS resources via boto3 APIs using OAuth authentication without using any security credentials (access keys)

0

I want to run a CloudFormation script without access keys by utilizing OAuth. Like, only the username and password, once given, will execute the script that creates a role with the necessary permissions to scan the account (get all bucket details). How do I do this? Consider two accounts, production and mine. I can't do anything on the production account except the username/password OAuth thing and creating a role. I need instructions on how to achieve this, and also the CloudFormation script to automate the above task if possible.

1 Answer
0

I take it you want to run the CloudFormation template from the command line then. You can do this with either the CLI or one of the SDKs like Boto3.

There are a number of earlier steps to carry out. Firstly, if you want to authenticate using OAuth, you need to configure and set up the AWS IAM Identity Center OpenID Connect (OIDC) Service. This will allow the CLI (or an application that you wrote to invoke your CloudFormation template) to register with the Identity Center and fetch an access token on successful authentication.

You can read how to set this up here: AWS IAM Identity Center.

To learn how to use the CLI, for instance, with the Identity Center, you can read this: https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html

Working with CloudFormation using the AWS CLI is documented here: Using the AWS Command Line Interface

AWS
EXPERT
answered 5 months ago
EXPERT
reviewed 5 months ago
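
The sign-in path the answer points to, as an added example (not part of the original answer, and not AWS's own code): the IAM Identity Center OIDC device-authorization flow in boto3, ending in short-lived role credentials that are used to create the stack. The start URL, region, account ID, role name, stack name and template file name are assumed placeholders.

```python
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def fetch_access_token(oidc, start_url, sleep=time.sleep, notify=print):
    """Register a public client, run the device flow, return the access token."""
    reg = oidc.register_client(clientName="cfn-deployer", clientType="public")
    ident = {"clientId": reg["clientId"], "clientSecret": reg["clientSecret"]}
    auth = oidc.start_device_authorization(startUrl=start_url, **ident)
    # The user signs in (password, MFA) in the browser; this script never sees it.
    notify(f"Approve code {auth['userCode']} at {auth['verificationUriComplete']}")
    interval = auth.get("interval", 5)
    deadline = time.monotonic() + auth["expiresIn"]
    while time.monotonic() < deadline:
        try:
            return oidc.create_token(grantType=DEVICE_GRANT,
                                     deviceCode=auth["deviceCode"], **ident)["accessToken"]
        except oidc.exceptions.SlowDownException:
            interval += 5  # back off when the service asks for it
        except oidc.exceptions.AuthorizationPendingException:
            pass  # user has not approved yet
        sleep(interval)
    raise TimeoutError("device code expired before the sign-in was approved")

def role_credentials(sso, token, account_id, role_name):
    """Swap the access token for short-lived credentials of an assigned role."""
    c = sso.get_role_credentials(roleName=role_name, accountId=account_id,
                                 accessToken=token)["roleCredentials"]
    return {"aws_access_key_id": c["accessKeyId"],
            "aws_secret_access_key": c["secretAccessKey"],
            "aws_session_token": c["sessionToken"]}

if __name__ == "__main__":
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config
    # Assumed placeholders, not from the post: region, start URL, account, role, files.
    region, start_url = "us-east-1", "https://example.awsapps.com/start"
    unsigned = Config(signature_version=UNSIGNED)  # these calls need no access keys
    oidc = boto3.client("sso-oidc", region_name=region, config=unsigned)
    sso = boto3.client("sso", region_name=region, config=unsigned)
    token = fetch_access_token(oidc, start_url)
    creds = role_credentials(sso, token, "111122223333", "CfnDeployer")
    cfn = boto3.Session(region_name=region, **creds).client("cloudformation")
    with open("scan-role.yaml") as fh:
        cfn.create_stack(StackName="bucket-scan-role", TemplateBody=fh.read(),
                         Capabilities=["CAPABILITY_NAMED_IAM"])
```

The role passed to `role_credentials` must be a permission set assigned to the signed-in user in the target account, and it needs permission to create the stack and the IAM role the template defines.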
