Identity Broker with Python3 Flask
# Quick test for https://stackoverflow.com/questions/49163883/sign-in-page-for-aws-federated-login/49212472#49212472
# Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
# python3 run.py
import json
import os
import urllib.parse

import requests  # 'pip install requests'
from boto.sts import STSConnection  # AWS SDK for Python (Boto) 'pip install boto'
from flask import Flask, redirect  # pip install flask
app = Flask(__name__)  # WSGI application object; the '/' route below is registered on it
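# Single endpoint for both federation actions (getSigninToken and login).
_FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def _get_signin_token(session_json):
    """Exchange temporary credentials for a console sign-in token.

    Args:
        session_json: JSON document with sessionId, sessionKey and
            sessionToken, exactly as the federation endpoint expects it.

    Returns:
        The SigninToken string from the endpoint's JSON response.

    Raises:
        requests.HTTPError: if the endpoint answers with a non-2xx status.
        KeyError: if the response body has no SigninToken element.
    """
    # urlencode() takes care of percent-encoding the Session document;
    # quote (not the default quote_plus) keeps the encoding the endpoint
    # documents.  SessionDuration is in seconds: 43200 = 12 hours.
    query = urllib.parse.urlencode(
        {
            "Action": "getSigninToken",
            "SessionDuration": "43200",
            "Session": session_json,
        },
        quote_via=urllib.parse.quote,
    )
    response = requests.get(_FEDERATION_ENDPOINT + "?" + query, timeout=10)
    # Without this a 4xx/5xx body would be fed to json() and fail with an
    # unrelated decode error.
    response.raise_for_status()
    return response.json()["SigninToken"]


def _console_login_url(signin_token):
    """Build the console login URL for a freshly issued sign-in token.

    Args:
        signin_token: the value returned by _get_signin_token().

    Returns:
        The federation login URL the browser should be redirected to.  It must
        be used within 15 minutes of the token being issued.
    """
    # Every value, including the token itself, is percent-encoded; the
    # original string building left SigninToken unencoded.
    query = urllib.parse.urlencode(
        {
            "Action": "login",
            "Issuer": "Example.org",
            "Destination": "https://console.aws.amazon.com/",
            "SigninToken": signin_token,
        },
        quote_via=urllib.parse.quote,
    )
    return _FEDERATION_ENDPOINT + "?" + query


@app.route('/')
def hello_world():
    """Mint a temporary console session for the configured role and redirect to it.

    Step 1 of the documented flow - authenticating the user in your own
    identity system - is NOT implemented here: every request to '/' is handed
    a console session for the assumed role.  Add that check before this runs
    anywhere other than a local test.

    The role to assume is read from the ROLE_ARN environment variable and
    falls back to the placeholder ARN from the original script.

    Returns:
        A Flask 302 redirect to the AWS federation login URL.

    Raises:
        requests.HTTPError: if the getSigninToken call is rejected.
        KeyError: if the federation response lacks a SigninToken element.
        Any boto error raised by AssumeRole propagates unchanged.
    """
    # Step 2: call AssumeRole.  The IAM credentials that sign this call are
    # discovered by STSConnection() from EC2 instance metadata, environment
    # variables or the boto config file; see
    # http://boto.readthedocs.org/en/latest/boto_config_tut.html
    role_arn = os.environ.get("ROLE_ARN", "arn:aws:iam::<ACC_NO>:role/s3-role")
    sts_connection = STSConnection()
    assumed_role_object = sts_connection.assume_role(
        role_arn=role_arn,
        role_session_name="AssumeRoleSession",
    )
    credentials = assumed_role_object.credentials
    # Step 3: serialise the temporary credentials as JSON.  json.dumps escapes
    # any special characters; hand-built '"..."' concatenation did not.
    # Compact separators keep the document free of spaces, matching the
    # original output byte-for-byte for ordinary credential values.
    session_json = json.dumps(
        {
            "sessionId": credentials.access_key,
            "sessionKey": credentials.secret_key,
            "sessionToken": credentials.session_token,
        },
        separators=(",", ":"),
    )
    # Step 4: exchange the credentials for a sign-in token (12-hour session).
    signin_token = _get_signin_token(session_json)
    # Step 5: send the browser to the console login URL.
    return redirect(_console_login_url(signin_token), code=302)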
if __name__ == "__main__":
    # Flask's built-in development server.  With no explicit host it listens
    # on 127.0.0.1 only, which is the right default for a credential broker.
    app.run()