How different Assumers work in Granted
Overview
There are multiple ways to set up your AWS config file for authentication and access credentials.
Granted, which is written in Go, uses an "Assumer" interface abstraction that can be customized for specific config profiles as required.
The Assumer Interface is implemented as:
Any struct that implements these four methods and returns AWS credentials is a valid Assumer.
Different Assumers
Currently, Granted implements 5 different types of Assumer.
AWS IAM Assumer
The IAM Assumer handles IAM credentials stored in the AWS shared credentials file, or any IAM credentials imported into secure storage via the granted credentials command.
This assumer also handles profiles that assume an IAM role. In that case, the AssumeTerminal method uses the source profile's credentials to call AWS Security Token Service (AWS STS) and request temporary credentials for the specified role. Granted caches the returned credentials in secure storage.
AWS IAM SSO Assumer
The IAM SSO Assumer authenticates users with AWS IAM Identity Center (successor to AWS Single Sign-On). Here, Granted completes a device code flow to retrieve an SSO token, which is then used to retrieve short-term STS credentials for a given role name assigned to the user. Granted caches the returned credentials in secure storage.
AWS Credential Process Assumer
AWS supports a way to source credentials via an external process. For example:
This Assumer retrieves the AWS credentials by executing the configured credential process command and reading what it prints.
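As an added illustration (not Granted's own code), the sketch below shows how the four-method Assumer contract from the Overview and the credential process Assumer fit together in Go. The type and method names, the Profile shape and the sh -c runner are assumptions for this example; only the JSON contract for credential_process output (Version 1, AccessKeyId, SecretAccessKey, optional SessionToken and Expiration) is the documented AWS format.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os/exec"
)

// Credentials stands in for aws.Credentials and Profile for the config-profile fields this assumer
// reads; both shapes, and the Assumer method names below, are assumed for this example.
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken string }
type Profile struct{ Name, CredentialProcess string }
type Assumer interface { // the four-method contract the page describes
	Type() string
	ProfileMatchesType(p Profile) bool
	AssumeTerminal(ctx context.Context, p Profile) (Credentials, error)
	AssumeConsole(ctx context.Context, p Profile) (Credentials, error)
}

// CredentialProcessAssumer executes a profile's credential_process and parses what it prints.
// Run is injectable so the parsing can be exercised without spawning a real process.
type CredentialProcessAssumer struct{ Run func(ctx context.Context, cmd string) ([]byte, error) }
var _ Assumer = (*CredentialProcessAssumer)(nil) // compile-time check that the contract is met
// RunShell is the real Run: only stdout is read, because that is where the JSON must be printed.
func RunShell(ctx context.Context, cmd string) ([]byte, error) { return exec.CommandContext(ctx, "sh", "-c", cmd).Output() }
func (a *CredentialProcessAssumer) Type() string                      { return "AWS_CREDENTIAL_PROCESS" }
func (a *CredentialProcessAssumer) ProfileMatchesType(p Profile) bool { return p.CredentialProcess != "" }
// ParseCredentialProcessOutput enforces the JSON contract AWS defines for credential_process output:
// Version must be 1 and AccessKeyId/SecretAccessKey present; SessionToken and Expiration are optional.
func ParseCredentialProcessOutput(out []byte) (Credentials, error) {
	var o struct{ Version int; AccessKeyId, SecretAccessKey, SessionToken string }
	if err := json.Unmarshal(out, &o); err != nil {
		return Credentials{}, fmt.Errorf("credential_process output is not valid JSON: %w", err)
	}
	if o.Version != 1 || o.AccessKeyId == "" || o.SecretAccessKey == "" {
		return Credentials{}, fmt.Errorf("credential_process output lacks Version 1 or key fields")
	}
	return Credentials{AccessKeyID: o.AccessKeyId, SecretAccessKey: o.SecretAccessKey, SessionToken: o.SessionToken}, nil
}

func (a *CredentialProcessAssumer) AssumeTerminal(ctx context.Context, p Profile) (Credentials, error) {
	out, err := a.Run(ctx, p.CredentialProcess)
	if err != nil {
		return Credentials{}, fmt.Errorf("profile %s: credential_process failed: %w", p.Name, err)
	}
	return ParseCredentialProcessOutput(out)
}
// Console sign-in needs the same credentials, so AssumeConsole reuses the terminal path.
func (a *CredentialProcessAssumer) AssumeConsole(ctx context.Context, p Profile) (Credentials, error) { return a.AssumeTerminal(ctx, p) }
```

Anything the external process writes to stderr is ignored, and a document that is not Version 1 or lacks the key pair is rejected rather than cached.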
AWS Google Auth Assumer
The AWS Google Auth Assumer acquires temporary AWS (STS) credentials using Google Apps as a federated (Single Sign-On, or SSO) provider. This Assumer simply wraps the aws-google-auth tool to fetch the AWS credentials.
AWS Azure Assumer
The AWS Azure Assumer acquires temporary AWS (STS) credentials using Azure Active Directory to provide SSO login to AWS. This Assumer simply wraps the aws-azure-login tool to fetch the AWS credentials.
Don't see an Assumer for your requirement? You can contribute to our OSS project or let us know via our community Slack or the GitHub issue tracker.