
website/integrations: aws: Improve Classic IAM guide #17705

@dominic-r

Description


Needs revamping. Just a few notes to myself.

So.

We need a "SAML Provider Property Mapping" for each of these:

  • https://aws.amazon.com/SAML/Attributes/Role: return "arn:aws:iam::ACCID:role/authentik-admin,arn:aws:iam::ACCID:saml-provider/authentik". authentik-admin is one of the roles on my AWS account; the others are truncated for this example. saml-provider/authentik is the name set in AWS. We can keep these from the original guide: "For role assignment based on group membership:" and "For multiple role choices:"
  • https://aws.amazon.com/SAML/Attributes/RoleSessionName: return user.username (this is how it's gonna show in AWS), so for example, when I log in it shows: authentik-admin/my-name

Now configure the app/provider:

  • ACS: https://signin.aws.amazon.com/saml
  • issuer AND audience authentikurn:amazon:webservices
  • SP binding: POST
  • set a signing certificate, with "sign assertions" and "sign responses" on
  • add those 2 property mappings

Now download the metadata.

AWS:

  • IAM -> Identity providers > "Add provider"
  • Provider type: SAML
  • Provider name: authentik
  • Metadata document: "Choose file"
  • click "Add provider"
  • you're back to the IdP home page

We don't need to edit authentik, because for classic there's one ACS URL only. Which account and role you land in depends entirely on the SAML assertion.

  • still in IAM, under "Access management" > "Roles" > "Create role" > click "SAML 2.0 Federation" from the boxes of available options

  • under "SAML 2.0–based provider", set "authentik"

  • select depending on your needs:

  • Access to be allowed:
      Allow programmatic access only
      Allow programmatic and AWS Management Console access

this one too:

  • Sign-in endpoint type ("The Region and URL to which SAML assertions are presented for sign-in. We recommend multiple Regional SAML sign-in endpoints to improve federation resiliency."):
      Regional endpoint: region-specific sign-in URLs.
      Non-Regional endpoint: non-Regional sign-in URLs.

Click "Next"

Select one or more policies.
Set "Role name" to the one in the property mapping, e.g. authentik-admin, authentik-read-only, whatever, but it must match.

policy should look like this (the SAML:aud value is the part we need to edit):

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithSAML",
            "Principal": {
                "Federated": "arn:aws:iam::123:saml-provider/authentik"
            },
            "Condition": {
                "StringEquals": {
                    "SAML:aud": [
                        "https://signin.aws.amazon.com/saml/acs/AAAAAA"
                    ]
                }
            }
        }
    ]
}
```

and set it to https://signin.aws.amazon.com/saml. Remember, one URL for everyone, no IDs.
click "Create role"

IdP-initiated SSO, so go to authentik, click AWS, hopefully you should be in authentik now, and to confirm, like at the start, check the top right:

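Added example (not code from this PR, from authentik or from AWS): Python that does in one place what the notes above describe by hand. `build_saml_attributes` produces the values the two property mappings return, one "role_arn,provider_arn" pair per mapped group for the Role attribute and the username for RoleSessionName, and `check_trust_policy` checks a role trust policy the way the notes do: Federated principal equal to the provider ARN carried in the assertion, action `sts:AssumeRoleWithSAML`, and SAML:aud set to the single classic ACS URL rather than the `/acs/<id>` form. The account ID 123456789012, the group names and the role names are placeholders, and `fix_trust_policy_audience` is a helper written for this example, not an authentik feature.

```python
"""
Build the two AWS SAML attributes from group membership and sanity-check an IAM
role trust policy against them. Added example for these notes; not authentik or
AWS code. Account ID 123456789012, group names and role names are placeholders.
"""
import json

# Classic IAM federation has one ACS URL shared by every account; the
# assertion alone decides which account and role you land in.
AWS_CLASSIC_ACS = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"


def build_saml_attributes(username, group_names, account_id, provider_name, group_to_role):
    """Return {Role: [...], RoleSessionName: ...} for one user.

    Role carries one "role_arn,provider_arn" pair per mapped group, so a user
    in several mapped groups gets a role picker at sign-in. RoleSessionName is
    the username, which the console shows as <role>/<session name>.
    Groups without a mapping are ignored; an empty Role list means no access.
    """
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    roles = [
        f"arn:aws:iam::{account_id}:role/{group_to_role[group]},{provider_arn}"
        for group in group_names
        if group in group_to_role
    ]
    return {ROLE_ATTR: roles, SESSION_ATTR: username}


def check_trust_policy(policy_json, role_pair):
    """Return the problems that would stop role_pair from assuming the role.

    An empty list means the policy trusts the provider named in the pair and
    accepts the classic ACS URL as SAML:aud. The /acs/<id> audience the
    console prefills never matches a classic assertion, so it is reported.
    """
    if role_pair.count(",") != 1 or ":role/" not in role_pair:
        return ["Role attribute value must be 'role_arn,provider_arn'"]
    _role_arn, provider_arn = role_pair.split(",")
    policy = json.loads(policy_json)
    statements = [
        s for s in policy.get("Statement", [])
        if s.get("Effect") == "Allow" and s.get("Action") == "sts:AssumeRoleWithSAML"
    ]
    if not statements:
        return ["no Allow statement for sts:AssumeRoleWithSAML"]
    problems = []
    for stmt in statements:
        federated = stmt.get("Principal", {}).get("Federated")
        if federated != provider_arn:
            problems.append(f"Federated principal {federated!r} != {provider_arn!r}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud", [])
        aud_values = [aud] if isinstance(aud, str) else list(aud)
        if AWS_CLASSIC_ACS not in aud_values:
            problems.append(f"SAML:aud {aud_values!r} must include {AWS_CLASSIC_ACS!r}")
    return problems


def fix_trust_policy_audience(policy_json):
    """Rewrite every SAML:aud condition to the classic ACS URL; return new JSON."""
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        if "SAML:aud" in string_equals:
            string_equals["SAML:aud"] = [AWS_CLASSIC_ACS]
    return json.dumps(policy, indent=4)


# Constructed sample: the trust policy as the notes show it before editing,
# with the account-specific /acs/<id> audience that has to be replaced.
PREFILLED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithSAML",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/authentik"},
        "Condition": {"StringEquals": {"SAML:aud": ["https://signin.aws.amazon.com/saml/acs/AAAAAA"]}},
    }],
})

if __name__ == "__main__":
    attrs = build_saml_attributes(
        "my-name", ["aws-admins", "aws-readonly", "staff"], "123456789012", "authentik",
        {"aws-admins": "authentik-admin", "aws-readonly": "authentik-read-only"},
    )
    print(json.dumps(attrs, indent=2))
    pair = attrs[ROLE_ATTR][0]
    print("prefilled:", check_trust_policy(PREFILLED_POLICY, pair))
    print("fixed:", check_trust_policy(fix_trust_policy_audience(PREFILLED_POLICY), pair))
```

Running it shows the prefilled policy failing only on SAML:aud and the fixed policy passing; feeding a pair whose provider ARN names a different saml-provider fails on the Federated principal instead, which is the other way the notes say a role can silently refuse an assertion.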
