Onelogin - Is there a way to not use password to generate a saml assertion?


https://developers.onelogin.com/api-docs/1/saml-assertions/generate-saml-assertion

I'm generating a SAML assertion to use with AWS AssumeRoleWithSAML, to generate temporary access keys, and have this working, but I'd prefer to not have to pass a password...

I understand passing the password is over https and reasonably secure, but I was thinking about having a process to do this on a schedule so that people requiring an AWS access key could run a script to refresh their keys, since AWS only allows a max 1 hour lifetime of temporary credentials. I don't want this script to know/memorize user passwords etc.

Not sure if we could use some other method or even a salted password? Any other secure thoughts?

1

There is 1 answer

2
John Offenhartz

For the time being username/password is it, since this call effectively lets you impersonate a user.

A) Please complain to AWS - I think the one hour time limit is far too low, and they allow for SAML assertions to ask for longer sessions of other types (just not access keys).

B) Consider building a web service with its own (longer) session/token management. You could then cache and re-use the users' credentials to generate fresh tokens.

Update: AWS now allows for much longer-lived access tokens, and this should mitigate the issue.
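The flow the question describes (OneLogin SAML assertion in, STS temporary credentials out), written up as an added example that is not code from the asker, the answerer, OneLogin or AWS. It keeps the password out of the script's own state: the user types it at runtime, it is sent once to OneLogin, and nothing is cached. The role pairs and the requested session length are read from the assertion itself, and the STS call uses whatever `SessionDuration` the IdP put there (the longer limits the update refers to), so the script does not have to hard-code a lifetime. Assumptions: the OneLogin v1 `/api/1/saml_assertion` endpoint and its `bearer:<token>` header format are as documented at the link in the question; the API client-credentials token, subdomain, region and app id come from environment variables named here; the sample assertion is constructed for the offline parsing test and is not a real OneLogin response.

```python
"""Refresh AWS temporary credentials from a OneLogin SAML assertion.

Added example (not the asker's or answerer's code). The network calls are
isolated in their own functions so the assertion parsing runs offline.
"""
import base64
import getpass
import os
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML_ATTR_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed sample assertion (not a real OneLogin response). A live response
# wraps the Assertion in a samlp:Response; iter() finds the attributes either way.
SAMPLE_ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Dev,arn:aws:iam::123456789012:saml-provider/OneLogin</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/OneLogin,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>43200</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_ASSERTION_B64 = base64.b64encode(SAMPLE_ASSERTION_XML.encode()).decode()
# Constructed assertion with no AWS attributes at all, for the default-duration path.
SAMPLE_MINIMAL_B64 = base64.b64encode(
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>').decode()


def _attribute_values(assertion_b64, name):
    """Yield the text of every AttributeValue under the SAML Attribute `name`."""
    # The assertion comes from your own IdP over TLS; if you ever parse SAML from a
    # less trusted source, use defusedxml instead of the stdlib parser.
    root = ET.fromstring(base64.b64decode(assertion_b64))
    for attr in root.iter(SAML_ATTR_TAG):
        if attr.get("Name") == name:
            for val in attr.findall("saml:AttributeValue", SAML_NS):
                yield (val.text or "").strip()


def parse_aws_roles(assertion_b64):
    """Return [(role_arn, principal_arn), ...]. AWS accepts the two ARNs in either
    order inside the comma-separated value, so normalise to role first."""
    pairs = []
    for value in _attribute_values(assertion_b64, AWS_ROLE_ATTR):
        parts = [p.strip() for p in value.split(",", 1)]
        if len(parts) != 2:
            continue  # malformed entry: skip rather than guess
        a, b = parts
        role, principal = (a, b) if ":role/" in a else (b, a)
        pairs.append((role, principal))
    return pairs


def requested_duration(assertion_b64, default=3600):
    """Session length in seconds from the SessionDuration attribute, else default."""
    for value in _attribute_values(assertion_b64, AWS_DURATION_ATTR):
        if value.isdigit():
            return int(value)
    return default


def fetch_onelogin_assertion(subdomain, region, api_token, app_id, username, password):
    """POST to OneLogin's v1 SAML assertion endpoint (the API linked in the question).
    Assumption: `api_token` is a client-credentials access token already obtained,
    and the no-MFA response carries the base64 assertion in the "data" field."""
    import requests  # third-party; only needed for the live call
    resp = requests.post(
        f"https://api.{region}.onelogin.com/api/1/saml_assertion",
        json={"username_or_email": username, "password": password,
              "app_id": app_id, "subdomain": subdomain},
        headers={"Authorization": f"bearer:{api_token}"}, timeout=15)
    resp.raise_for_status()
    data = resp.json().get("data")
    if not isinstance(data, str):
        # With MFA enabled OneLogin returns device info plus a state_token instead;
        # that second step is outside this example.
        raise RuntimeError("MFA verification required; assertion not returned")
    return data


def assume_role_with_saml(assertion_b64, role_arn, principal_arn, duration):
    """Exchange the assertion for temporary credentials. STS needs no AWS
    credentials for this call; the assertion is the authentication."""
    import boto3  # third-party; only needed for the live call
    sts = boto3.client("sts")
    out = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=principal_arn,
                                    SAMLAssertion=assertion_b64, DurationSeconds=duration)
    return out["Credentials"]


def main():
    # Secrets are read at runtime and never written to disk by this script.
    username = input("OneLogin username/email: ")
    password = getpass.getpass("OneLogin password: ")
    assertion = fetch_onelogin_assertion(
        os.environ["ONELOGIN_SUBDOMAIN"], os.environ.get("ONELOGIN_REGION", "us"),
        os.environ["ONELOGIN_API_TOKEN"], os.environ["ONELOGIN_AWS_APP_ID"],
        username, password)
    del password  # drop the reference as soon as it has been used
    role_arn, principal_arn = parse_aws_roles(assertion)[0]  # first role; pick as needed
    creds = assume_role_with_saml(assertion, role_arn, principal_arn,
                                  requested_duration(assertion))
    for env, key in (("AWS_ACCESS_KEY_ID", "AccessKeyId"),
                     ("AWS_SECRET_ACCESS_KEY", "SecretAccessKey"),
                     ("AWS_SESSION_TOKEN", "SessionToken")):
        print(f"export {env}={creds[key]}")
    print(f"# expires {creds['Expiration']}")


if __name__ == "__main__":
    main()
```

Run it as `eval "$(python refresh.py)"` to load the keys into the current shell; the `DurationSeconds` passed to STS cannot exceed the role's configured maximum session duration, so if the IdP's `SessionDuration` is larger than that, STS rejects the call and the role setting is what needs raising.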