Working on issue awslabs#14 - support for building roles with direct federation

Nick Hawkins · Nick Hawkins · commit a47d1cffb4d8 · 2018-11-10T12:52:00.000-08:00
diff --git a/bin/iam_template_build.py b/bin/iam_template_build.py
@@ -82,7 +82,7 @@ def policy_document_from_jinja(c, policy_name, model):
     return(template_json)
 
 
-def build_role_trust(c, trusts):
+def build_role_trust(c, trusts, SamlDirect=False):
     policy = {
         "Version":  "2012-10-17",
         "Statement": [],
@@ -124,14 +124,23 @@ def build_role_trust(c, trusts):
             aws_principals.append(
                 GetAtt(scrub_name("{}Role".format(trust)), "Arn")
             )
-        # Next see if we match our SAML trust.
+        # Next see if we match our SAML trust if saml_direct: False
         elif trust == c.saml_provider:
             saml_principals.append(
                 "arn:aws:iam::"
                 + c.parent_account_id
                 + ":saml-provider/"
                 + c.saml_provider
             )
+        # Check if this is a SAML Direct config (if saml_direct: True)
+        elif SamlDirect:
+            saml_principals.append(
+                "arn:aws:iam::"
+                + c.current_account_id
+                + ":saml-provider/"
+                + trust
+            )
+
         # See if we match a user or role ARN Principal
         elif re.match("arn:aws:iam::\d{12}:(user|role)/.*?", trust) or \
                 re.match("arn:aws:sts::\d{12}:assumed-role/.*?/.*?", trust):
@@ -360,11 +369,11 @@ def create_instance_profile(c, RoleName, model, named=False):
         ])
 
 
-def add_role(c, RoleName, model, named=False):
+def add_role(c, RoleName, model, named=False, SamlDirect=False ):
     cfn_name = scrub_name(RoleName + "Role")
     kw_args = {
         "Path": "/",
-        "AssumeRolePolicyDocument": build_role_trust(c, model['trusts']),
+        "AssumeRolePolicyDocument": build_role_trust(c, model['trusts'], SamlDirect),
         "ManagedPolicyArns": [],
         "Policies": []
     }
@@ -499,7 +508,8 @@ def add_user(c, UserName, model, named=False):
             "users": True,
             "groups": True
         },
-        "template_outputs": "enabled"
+        "template_outputs": "enabled",
+        "saml_direct": False
     }
 
 # Policies
@@ -540,19 +550,32 @@ def add_user(c, UserName, model, named=False):
             )
 
 # Roles
+
+
+
 if "roles" in c.config:
+    # first check if this is a saml_direct config - we do it this way instead of c.config["global"]["saml_direct"] so that existing configs (pre saml_direct support) will work without error
+    saml_direct = False
+    try:
+        if c.config['global']['saml_direct'] is True:
+            saml_direct = True
+    except Exception:
+        pass
+
     for role_name in c.config["roles"]:
         context = ["all"]
         if "in_accounts" in c.config["roles"][role_name]:
             context = c.config["roles"][role_name]["in_accounts"]
 
         for account in c.search_accounts(context):
             c.current_account = account
+            c.current_account_id = str(c.config['accounts'][account]['id'])
             add_role(
                 c,
                 role_name,
                 c.config["roles"][role_name],
-                c.config["global"]["names"]["roles"]
+                c.config["global"]["names"]["roles"],
+                saml_direct
             )
 
             # See if we need to add an instance profile too with an ec2 trust.
diff --git a/bin/lib/config_helper.py b/bin/lib/config_helper.py
@@ -37,8 +37,15 @@ def __init__(self, config_file):
         self.account_map_names = {}
         # Our parent account.
         self.parent = ""
-        # SAML Provider
+        # SAML Provider for hub-spoke
         self.saml_provider = ""
+        # Determine if this is a hub-spoke SAML config or a SAML Direct config
+        saml_hub_spoke = True
+        try:
+            if self.config['global']['saml_direct'] is True:
+                saml_hub_spoke = False
+        except Exception:
+            pass
         for account in self.config['accounts']:
             account_id = str(self.config['accounts'][account]['id'])
             # Append to our array of account IDS:
@@ -63,19 +70,21 @@ def __init__(self, config_file):
                     Export=Export(Sub("${AWS::StackName}-" + "TemplateBuild"))
                 )
             ])
-            if "parent" in self.config['accounts'][account]:
-                if self.config['accounts'][account]['parent'] is True:
-                    self.parent_account = account
-                    self.parent_account_id = account_id
-                    if "saml_provider" in self.config['accounts'][account]:
-                        self.saml_provider = \
-                            self.config['accounts'][account]["saml_provider"]
-        if self.parent_account == "":
-            raise Exception(
-                "No account is marked as parent in the configuration file. "
-                "One account should have parent: true"
-            )
-
+            if saml_hub_spoke is True:
+                if "parent" in self.config['accounts'][account]:
+                    if self.config['accounts'][account]['parent'] is True:
+                        self.parent_account = account
+                        self.parent_account_id = account_id
+                        if "saml_provider" in self.config['accounts'][account]:
+                            self.saml_provider = \
+                                self.config['accounts'][account]["saml_provider"]
+        if saml_hub_spoke is True:
+            if self.parent_account == "":
+                raise Exception(
+                    "No account is marked as parent in the configuration file. "
+                    "One account should have parent: true"
+                )
+                
     # Converts between friendly names and ids for accounts.
     def map_account(self, account):
         # If our account is numeric
diff --git a/sample_configs/config-saml_direct.yaml b/sample_configs/config-saml_direct.yaml
@@ -0,0 +1,39 @@
+global:
+  names:
+    policies: False
+    roles: True
+    users: True
+    groups: True
+  template_outputs: enabled
+  saml_direct: True 
+
+accounts:
+  payer:
+    id: 727974079150
+    saml_provider: OktaIDP
+  dev01:
+    id: 755535531790
+    saml_provider: OktaIDP
+
+roles:
+  OpsStandard:
+    trusts:
+      - OktaIDP
+    managed_policies:
+      - arn:aws:iam::aws:policy/ReadOnlyAccess
+    in_accounts:
+      - all
+  OpsAdmin:
+    trusts:
+      - OktaIDP
+    managed_policies:
+      - arn:aws:iam::aws:policy/AdministratorAccess
+    in_accounts:
+      - dev01
+  OpsOrgAdmin:
+    trusts:
+      - OktaIDP
+    managed_policies:
+      - arn:aws:iam::aws:policy/AdministratorAccess
+    in_accounts:
+      - payer
