  1. # Quick test for https://stackoverflow.com/questions/49163883/sign-in-page-for-aws-federated-login/49212472#49212472
  2. # Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
  3. # python3 run.py
  4.  
  5. import os
  6. import urllib.parse,json
  7. import requests # 'pip install requests'
  8. from boto.sts import STSConnection # AWS SDK for Python (Boto) 'pip install boto'
  9. from flask import Flask,redirect # pip install flask
  10. app = Flask(__name__)
  11.  
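@app.route('/')
def hello_world():
    """Redirect the browser to an AWS console session for a federated user.

    Implements the custom-URL federation flow from the AWS guide referenced at
    the top of this file: assume an IAM role with STS, wrap the temporary
    credentials as JSON, exchange them at the federation endpoint for a
    sign-in token, then redirect to the console login URL carrying that token.

    Returns:
        A Flask 302 redirect response to the federation ``login`` URL.

    Raises:
        requests.HTTPError: if the federation endpoint answers with a 4xx/5xx
            status (surfaced by ``raise_for_status``).
        KeyError: if the endpoint's JSON reply carries no ``SigninToken``.
    """
    # Step 1: Authenticate user in your own identity system.
    # NOTE(review): nothing on this route checks the caller's identity yet, so
    # every visitor is handed a console session for the assumed role. Gate this
    # behind your own login before exposing it.

    # Step 2: Using the access keys for an IAM user in your AWS account,
    # call "AssumeRole" to get temporary access keys for the federated user.
    #
    # Calls to AWS STS AssumeRole must be signed with the access key ID and
    # secret access key of an IAM user, or with existing temporary credentials.
    # Those credentials live in EC2 instance metadata, environment variables or
    # a boto configuration file and are discovered automatically by
    # STSConnection() — so they are deliberately NOT written into this source:
    # http://boto.readthedocs.org/en/latest/boto_config_tut.html
    sts_connection = STSConnection()

    # The role to assume can be overridden through the environment; the default
    # is the role the original snippet targeted.
    role_arn = os.getenv(
        'ROLE_ARN',
        "arn:aws:iam::197306934454:role/Cognito_WCD_studentsAuth_Role",
    )
    assumed_role_object = sts_connection.assume_role(
        role_arn=role_arn,
        role_session_name="AssumeRoleSession",
    )
    credentials = assumed_role_object.credentials

    # Step 3: Format the temporary credentials as JSON. json.dumps quotes and
    # escapes each value, which hand-concatenating '"' + value + '"' does not.
    json_string_with_temp_credentials = json.dumps({
        "sessionId": credentials.access_key,
        "sessionKey": credentials.secret_key,
        "sessionToken": credentials.session_token,
    })

    # Step 4: Ask the federation endpoint for a sign-in token. urlencode
    # percent-encodes every parameter (including the JSON document) in one go.
    # SessionDuration is the console session length in seconds (12 hours).
    # NOTE(review): confirm in the federation docs how SessionDuration
    # interacts with credentials obtained via AssumeRole rather than
    # GetFederationToken before relying on the 12-hour figure.
    federation_endpoint = "https://signin.aws.amazon.com/federation"
    signin_query = urllib.parse.urlencode({
        "Action": "getSigninToken",
        "SessionDuration": "43200",
        "Session": json_string_with_temp_credentials,
    })
    r = requests.get(
        federation_endpoint + "?" + signin_query,
        timeout=10,  # never let a slow endpoint hang the request handler
    )
    # Fail loudly on an HTTP error instead of tripping over a missing key below.
    r.raise_for_status()
    # The reply is a JSON document with a single element named SigninToken.
    signin_token = r.json()["SigninToken"]

    # Step 5: Build the URL the user follows to sign in to the console. This
    # URL must be used within 15 minutes after the sign-in token was issued.
    login_query = urllib.parse.urlencode({
        "Action": "login",
        "Issuer": "Example.org",
        "Destination": "https://console.aws.amazon.com/",
        "SigninToken": signin_token,
    })
    request_url = federation_endpoint + "?" + login_query

    # Redirect the browser to the console login URL.
    return redirect(request_url, code=302)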
  61.  
  62.  
if __name__ == '__main__':
    # Bind address and port come from the environment. Note the default host
    # '0.0.0.0' listens on every interface, not just loopback.
    listen_host = os.getenv('IP', '0.0.0.0')
    listen_port = int(os.getenv('PORT', 8080))
    app.run(host=listen_host, port=listen_port)