How to configure AWS single sign-on
The provisioning part of BCD is now deprecated and will be removed! We do not recommend using it.
AWS allows you to integrate numerous third-party SAML solution providers to implement single sign-on.
If you implement this kind of authentication, it is no longer necessary to mount the boto file when you start the BCD Controller container:
$ docker run --rm -t -i --name bcd-controller \
-v <host_path_to_bonita-continuous-delivery_folder>:/home/bonita/bonita-continuous-delivery \
-v <host_path_to_ssh_private_key>:/home/bonita/.ssh/<ssh_private_key> \
bonitasoft/bcd-controller /bin/bash
Indeed, you will use the ~/.aws directory instead.
Single Sign-On to AWS Using G Suite
In this section we provide an example using G Suite from Google.
First, set up single sign-on to AWS using G Suite as described on the AWS website.
That documentation shows how to create an IAM role in your AWS account. For BCD usage, you must create the corresponding role with the proper rights. To do so, follow How to configure Amazon Web Services (AWS) for BCD and, in the AWS Setup for BCD section, replace step 5 (Create an IAM Group) with the creation of the corresponding role attached to the IAM policies created previously.
The BCD Controller already embeds aws-google-auth to manage the authentication.
You will need to know Google's assigned Identity Provider ID (idp-id) and the ID assigned to the SAML service provider (sp-id).
idp-id can be found on the Google Admin Security > Set up single sign-on (SSO) page, in the SSO URL provided. For instance: https://accounts.google.com/o/saml2/idp?idpid=123456789012
sp-id can be found in the URL of your browser when viewing the Google Admin Apps > SAML Apps > Amazon Web Services page. For instance: #AppDetails:service=123456789012
After launching the BCD Controller, authenticate yourself as below:
aws-google-auth --idp-id Abc012345 --sp-id 123456789012 -p default -u john.doe@acme.com
aws-google-auth will store the credentials in the ~/.aws directory under the default AWS profile.
If you want to use a different profile, export the AWS_PROFILE variable accordingly:
aws-google-auth --idp-id Abc012345 --sp-id 123456789012 -p test -u john.doe@acme.com
export AWS_PROFILE=test
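The SAML credentials that aws-google-auth writes under a profile are temporary and silently stop working once the session expires. The following added Python check (example code, not part of the BCD documentation or the aws-google-auth project) resolves the active profile the same way the AWS tooling does (AWS_PROFILE, else default) and verifies that the profile in ~/.aws/credentials holds session credentials that have not yet expired; the sample credentials file is constructed, and the aws_session_expiration key is assumed to be the one aws-google-auth records.

```python
import configparser
import os
from datetime import datetime, timezone

# Constructed sample of ~/.aws/credentials after two aws-google-auth runs
# (-p default and -p test). Values are placeholders, not real credentials.
# The aws_session_expiration key is assumed to be written by aws-google-auth.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = ASIAEXAMPLEDEFAULT00
aws_secret_access_key = EXAMPLESECRETKEYDEFAULT
aws_session_token = EXAMPLESESSIONTOKEN
aws_security_token = EXAMPLESESSIONTOKEN
aws_session_expiration = 2030-01-01T12:00:00+0000

[test]
aws_access_key_id = ASIAEXAMPLETEST000000
aws_secret_access_key = EXAMPLESECRETKEYTEST
aws_session_token = EXAMPLESESSIONTOKEN
aws_security_token = EXAMPLESESSIONTOKEN
aws_session_expiration = 2020-01-01T12:00:00+0000
"""

# Keys a SAML-issued (temporary) credential set must carry.
REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")


def active_profile(env=os.environ):
    """Profile the AWS tooling will use: AWS_PROFILE if exported, else default."""
    return env.get("AWS_PROFILE", "default")


def check_saml_session(credentials_text, profile, now=None):
    """Return (ok, reason) for the session stored under `profile`.

    ok is True only when the profile exists, carries temporary session
    credentials, and its recorded expiration lies in the future.
    """
    now = now or datetime.now(timezone.utc)
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_text)
    if profile not in cfg:
        return False, f"profile '{profile}' not found; run aws-google-auth -p {profile}"
    section = cfg[profile]
    missing = [k for k in REQUIRED_KEYS if k not in section]
    if missing:
        return False, f"profile '{profile}' lacks session credentials: {missing}"
    expires_raw = section.get("aws_session_expiration")
    if expires_raw is None:
        return True, f"profile '{profile}' has no recorded expiration"
    expires = datetime.strptime(expires_raw, "%Y-%m-%dT%H:%M:%S%z")
    if expires <= now:
        return False, f"profile '{profile}' expired at {expires_raw}; re-run aws-google-auth"
    return True, f"profile '{profile}' valid until {expires_raw}"
```

To check the real file, read ~/.aws/credentials into a string and pass it together with active_profile() to check_saml_session().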