code-dot-org/aws-google

Aws::Google

Use Google OAuth as an AWS Credential Provider.

Installation

Add this line to your application's Gemfile:

gem 'aws-google'

And then execute:

$ bundle

Or install it yourself as:

$ gem install aws-google

Usage

Create a Google Client ID

Visit the Google API Console to create/obtain OAuth 2.0 Client ID credentials (client ID and client secret) for an application in your Google account.

Create an AWS IAM Role

Create an AWS IAM Role with the desired IAM policies attached, and a 'trust policy' (AssumeRolePolicyDocument) allowing the sts:AssumeRoleWithWebIdentity action with Web Identity Federation condition keys authorizing your Google Client ID (accounts.google.com:aud) and a specific set of Google Account IDs (accounts.google.com:sub):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com",
          "accounts.google.com:sub": [
            "000000000000000000000",
            "111111111111111111111"
          ]
        }
      }
    }
  ]
}
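As an added example (not code from the aws-google gem), the Ruby check below lints a role's trust policy for the two conditions the section above calls for; with the sub list absent, any Google account holding a token issued to your client ID could assume the role. The policy JSON and its weakened copy are constructed inline.

```ruby
require 'json'

GOOGLE_AUD = 'accounts.google.com:aud'
GOOGLE_SUB = 'accounts.google.com:sub'

# Lint a role trust policy for the Google web-identity pattern: the Allow
# statement for sts:AssumeRoleWithWebIdentity must pin the client ID (aud) and
# enumerate permitted Google account IDs (sub). Empty result = both present.
def google_trust_findings(policy_json)
  statements = Array(JSON.parse(policy_json)['Statement'])
  google = statements.select do |s|
    principal = s['Principal']
    s['Effect'] == 'Allow' &&
      Array(s['Action']).include?('sts:AssumeRoleWithWebIdentity') &&
      principal.is_a?(Hash) && Array(principal['Federated']).include?('accounts.google.com')
  end
  return ['no Allow statement lets accounts.google.com call sts:AssumeRoleWithWebIdentity'] if google.empty?
  google.each_with_index.flat_map do |stmt, i|
    equals = (stmt['Condition'] || {})['StringEquals'] || {}
    auds = Array(equals[GOOGLE_AUD])
    subs = Array(equals[GOOGLE_SUB])
    findings = []
    findings << "statement #{i}: no #{GOOGLE_AUD} condition, tokens issued to any Google client ID are accepted" if auds.empty?
    findings << "statement #{i}: no #{GOOGLE_SUB} condition, any Google account can assume the role" if subs.empty?
    # Google account IDs (the sub claim) are numeric strings, as in the README's example
    subs.reject { |v| v.to_s.match?(/\A\d+\z/) }.each do |v|
      findings << "statement #{i}: #{GOOGLE_SUB} value #{v.inspect} is not a numeric Google account ID"
    end
    findings
  end
end

# Constructed sample inputs (not from the gem): the README's trust policy, and a
# weakened copy that pins only the client ID.
GOOD_TRUST_POLICY = {
  'Version' => '2012-10-17',
  'Statement' => [{
    'Effect' => 'Allow',
    'Principal' => { 'Federated' => 'accounts.google.com' },
    'Action' => 'sts:AssumeRoleWithWebIdentity',
    'Condition' => { 'StringEquals' => {
      GOOGLE_AUD => '123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com',
      GOOGLE_SUB => %w[000000000000000000000 111111111111111111111]
    } }
  }]
}.to_json
AUD_ONLY_TRUST_POLICY = JSON.parse(GOOD_TRUST_POLICY).tap { |p| p['Statement'][0]['Condition']['StringEquals'].delete(GOOGLE_SUB) }.to_json
```

Run it against the AssumeRolePolicyDocument of each role you intend to expose through this gem; the `StringLike` operator is deliberately ignored, so a wildcard there still shows up as a missing `StringEquals` condition.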

Method 1: Aws::Google

In your Ruby code, construct an Aws::Google object by passing the AWS role_arn, Google client_id and client_secret, either as constructor arguments or via the Aws::Google.config global defaults:

require 'aws/google'

options = {
  aws_role: 'arn:aws:iam::[AccountID]:role/[Role]',
  client_id: '123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com',
  client_secret: '01234567890abcdefghijklmn'
}

# Pass constructor arguments:
credentials = Aws::Google.new(options)
puts Aws::STS::Client.new(credentials: credentials).get_caller_identity

# Set global defaults:
Aws::Google.config = options
puts Aws::STS::Client.new.get_caller_identity

Method 2: AWS Shared Config

Alternatively, add the properties to your AWS config profile (~/.aws/config) to use Google as the AWS credential provider without any changes to your application code:

[my_profile]
google =
    role_arn = arn:aws:iam::[AccountID]:role/[Role]
    client_id = 123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com
    client_secret = 01234567890abcdefghijklmn
credential_process = aws-google

The extra credential_process line tells the AWS SDKs to source credentials from an external process (see "Sourcing Credentials with an External Process" in the AWS documentation), in this case the aws-google executable installed by this gem. This lets you use the same Google login configuration from non-Ruby SDKs (such as the AWS CLI).

Development

Prerequisites:

  • Ruby 3.0.5

You can have Ruby installed locally, or use Docker and mount this repository into a Ruby container. By using Docker you can avoid conflicts with differing Ruby versions or other installed gems. To run and 'bash' into a Ruby container, install Docker and run the following. See docker-compose.yml for details.

docker compose build
docker compose run ruby

With either option, run bin/setup to install dependencies. Then, run rake test to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install.

To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/code-dot-org/aws-google.

License

The gem is available as open source under the terms of the Apache 2.0 License.
