Aws::Google

Use Google OAuth as an AWS Credential Provider.

Installation

Add this line to your application's Gemfile:

gem 'aws-google'

And then execute:

$ bundle

Or install it yourself as:

$ gem install aws-google

Usage

• Visit the Google API Console to create/obtain OAuth 2.0 Client ID credentials (client ID and client secret) for an application in your Google account.
• Create an AWS IAM Role with the desired IAM policies attached, and a 'trust policy' (AssumeRolePolicyDocument) allowing the sts:AssumeRoleWithWebIdentity action with Web Identity Federation condition keys authorizing your Google Client ID (accounts.google.com:aud) and a specific set of Google Account IDs (accounts.google.com:sub):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com",
          "accounts.google.com:sub": [
            "000000000000000000000",
            "111111111111111111111"
          ]
        }
      }
    }
  ]
}

• In your Ruby code, construct an Aws::Google object by passing in the AWS role, client id and client secret: ```ruby require 'aws/google'

aws_role = 'arn:aws:iam::[AccountID]:role/[Role]' client_id = '123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com' client_secret = '01234567890abcdefghijklmn'

role_credentials = Aws::Google.new( role_arn: aws_role, google_client_id: client_id, google_client_secret: client_secret )

puts Aws::STS::Client.new(credentials: role_credentials).get_caller_identity

- Or, add the properties to your AWS config profile ([`~/.aws/config`](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where)) to use Google as the AWS credential provider without any changes to your application code:

```ini
[my_profile]
google =
    role_arn = arn:aws:iam::[AccountID]:role/[Role]
    client_id = 123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com
    client_secret = 01234567890abcdefghijklmn
credential_process = aws-google

The extra credential_process config line tells AWS to Source Credentials with an External Process, in this case the aws-google script, which allows you to seamlessly use the same Google login configuration from non-Ruby SDKs (like the CLI).

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake test to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/code-dot-org/aws-google.

License

The gem is available as open source under the terms of the Apache 2.0 License.