Aws::Google
Use Google OAuth as an AWS Credential Provider.
Installation
Add this line to your application's Gemfile:

```ruby
gem 'aws-google'
```
And then execute:

```
$ bundle
```

Or install it yourself as:

```
$ gem install aws-google
```
Usage
- Visit the Google API Console to create/obtain OAuth 2.0 Client ID credentials (client ID and client secret) for an application in your Google account.
- Create an AWS IAM Role with the desired IAM policies attached, and a 'trust policy' (`AssumeRolePolicyDocument`) allowing the `sts:AssumeRoleWithWebIdentity` action with Web Identity Federation condition keys authorizing your Google Client ID (`accounts.google.com:aud`) and a specific set of Google Account IDs (`accounts.google.com:sub`). Both conditions matter: `aud` alone only restricts the role to ID tokens issued for your OAuth client, so any Google account that signs in to that client could assume the role; `sub` pins the role to the listed accounts.

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "accounts.google.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "accounts.google.com:aud": "123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com",
            "accounts.google.com:sub": [
              "000000000000000000000",
              "111111111111111111111"
            ]
          }
        }
      }
    ]
  }
  ```
- In your Ruby code, construct an `Aws::Google` object by passing in the AWS role, client id and client secret. Treat the client secret like any other credential and keep it out of source control (the values below are placeholders):

  ```ruby
  require 'aws/google'

  aws_role = 'arn:aws:iam::[AccountID]:role/[Role]'
  client_id = '123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com'
  client_secret = '01234567890abcdefghijklmn'

  # Aws::Google is a credential provider: it performs the Google OAuth login and
  # exchanges the resulting ID token for role credentials via AssumeRoleWithWebIdentity.
  role_credentials = Aws::Google.new(
    role_arn: aws_role,
    google_client_id: client_id,
    google_client_secret: client_secret
  )

  # Any AWS SDK client accepts the provider; STS GetCallerIdentity confirms which role was assumed.
  puts Aws::STS::Client.new(credentials: role_credentials).get_caller_identity
  ```
- Or, add the properties to your AWS config profile ([`~/.aws/config`](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where)) to use Google as the AWS credential provider without any changes to your application code:

  ```ini
  [my_profile]
  google =
    role_arn = arn:aws:iam::[AccountID]:role/[Role]
    client_id = 123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com
    client_secret = 01234567890abcdefghijklmn
  credential_process = aws-google
  ```

  The extra `credential_process` config line tells AWS to Source Credentials with an External Process, in this case the `aws-google` script, which lets you use the same Google login configuration from non-Ruby SDKs (like the CLI). Because any SDK or CLI that reads the profile will execute that process, make sure the config file and the `aws-google` executable on your `PATH` are writable only by you.
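Before attaching the trust policy from step 2, it is worth checking mechanically that it pins both condition keys, since the `aud` condition alone would let any Google account that signs in to your OAuth client assume the role. The following Ruby script is an added example for this page, not code from the aws-google gem: it lints a trust-policy document for the `accounts.google.com:aud` and `accounts.google.com:sub` conditions, using the policy shown above as a constructed sample input. The function name `lint_google_trust_policy` and the constants are this example's own.

```ruby
require 'json'

# Added example, not part of the aws-google gem: lint an IAM trust policy
# before attaching it to the role that Aws::Google will assume.
#
# AssumeRoleWithWebIdentity trusts every Google ID token presented to it unless
# the policy narrows it: `accounts.google.com:aud` restricts tokens to those
# issued for *your* OAuth client, and `accounts.google.com:sub` restricts which
# Google accounts may assume the role. A policy that only checks `aud` lets any
# Google account that signs in to your OAuth client obtain the role's credentials.

GOOGLE_AUD_KEY = 'accounts.google.com:aud'
GOOGLE_SUB_KEY = 'accounts.google.com:sub'

# Returns an array of human-readable findings; an empty array means the policy
# pins both the OAuth client and the set of Google accounts.
def lint_google_trust_policy(policy_json, expected_client_id:)
  policy = JSON.parse(policy_json)
  findings = []

  google_statements = Array(policy['Statement']).select do |st|
    principal = st['Principal']
    st['Effect'] == 'Allow' &&
      Array(st['Action']).include?('sts:AssumeRoleWithWebIdentity') &&
      principal.is_a?(Hash) &&
      Array(principal['Federated']).include?('accounts.google.com')
  end
  if google_statements.empty?
    findings << 'no Allow statement federates accounts.google.com for sts:AssumeRoleWithWebIdentity'
  end

  google_statements.each_with_index do |st, i|
    cond = st['Condition'] || {}
    # Only StringEquals pins the claims exactly; StringLike (with wildcards) or
    # a negated operator widens who may assume the role.
    cond.each_key do |op|
      findings << "statement #{i}: condition operator #{op} is not StringEquals" unless op == 'StringEquals'
    end
    eq = cond['StringEquals'] || {}

    aud = Array(eq[GOOGLE_AUD_KEY])
    if aud.empty?
      findings << "statement #{i}: missing #{GOOGLE_AUD_KEY}; tokens issued to any Google OAuth client would be trusted"
    elsif aud != [expected_client_id]
      findings << "statement #{i}: #{GOOGLE_AUD_KEY} is #{aud.inspect}, expected exactly #{expected_client_id}"
    end

    subs = Array(eq[GOOGLE_SUB_KEY])
    if subs.empty?
      findings << "statement #{i}: missing #{GOOGLE_SUB_KEY}; any Google account that signs in to the client could assume the role"
    else
      # Google's `sub` claim is an opaque numeric account ID; a wildcard or e-mail here is a mistake.
      subs.reject { |s| s.is_a?(String) && s.match?(/\A\d+\z/) }.each do |s|
        findings << "statement #{i}: #{GOOGLE_SUB_KEY} value #{s.inspect} is not a numeric Google account ID"
      end
    end
  end
  findings
end

# Constructed sample input: the trust policy from the Usage section above.
CLIENT_ID = '123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com'
GOOD_POLICY = JSON.generate(
  'Version' => '2012-10-17',
  'Statement' => [{
    'Effect' => 'Allow',
    'Principal' => { 'Federated' => 'accounts.google.com' },
    'Action' => 'sts:AssumeRoleWithWebIdentity',
    'Condition' => { 'StringEquals' => {
      GOOGLE_AUD_KEY => CLIENT_ID,
      GOOGLE_SUB_KEY => %w[000000000000000000000 111111111111111111111]
    } }
  }]
)

# Constructed weak variant: the same policy with the `sub` condition dropped.
weak = JSON.parse(GOOD_POLICY)
weak['Statement'][0]['Condition']['StringEquals'].delete(GOOGLE_SUB_KEY)
WEAK_POLICY = JSON.generate(weak)

if $PROGRAM_NAME == __FILE__
  [['good', GOOD_POLICY], ['weak', WEAK_POLICY]].each do |label, policy|
    findings = lint_google_trust_policy(policy, expected_client_id: CLIENT_ID)
    puts "#{label}: #{findings.empty? ? 'OK' : findings.join("\n  ")}"
  end
end
```

Run it against the policy you are about to attach (for example by reading the JSON from a file into `lint_google_trust_policy`) and treat any finding as a blocker; the `weak` sample reports exactly one finding, the missing `sub` condition.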
Development
After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to rubygems.org.
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/code-dot-org/aws-google.
License
The gem is available as open source under the terms of the Apache 2.0 License.