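/**
 * Auth0 post-login Action: for users who signed in through the "github"
 * connection, build the SAML attributes AWS expects for AssumeRoleWithSAML
 * (Role = "<role-arn>,<idp-arn>", RoleSessionName, and a GithubTeam
 * principal tag). Logins through any other connection are left untouched.
 *
 * Reads:
 *   event.secrets.AWS_SAML_PROVIDER_NAME, event.secrets.AWS_ACCOUNT_ID
 *   event.user.user_metadata.gh_teams  - array of "github:<team>" strings
 *   event.user.nickname                - becomes the AWS RoleSessionName
 *
 * Side effects: sets three attributes on api.samlResponse and assigns the
 * legacy api.user.* properties. If gh_teams is missing or not an array the
 * login is denied with a readable reason instead of failing on an unhandled
 * TypeError (both outcomes block the login; this one is diagnosable).
 */
exports.onExecutePostLogin = async (event, api) => {
  // Only shape the AWS SAML assertion for GitHub-backed logins.
  if (event.connection.name !== "github") {
    return;
  }

  const samlProvider = event.secrets.AWS_SAML_PROVIDER_NAME;
  const awsAccount = event.secrets.AWS_ACCOUNT_ID;
  const roleName = "access-via-github";

  // AWS requires the Role attribute as "<role-arn>,<saml-provider-arn>".
  const roleArn = `arn:aws:iam::${awsAccount}:role/${roleName}`;
  const idpArn = `arn:aws:iam::${awsAccount}:saml-provider/${samlProvider}`;
  const roleAttribute = `${roleArn},${idpArn}`;

  // SECURITY NOTE(review): the team list that ends up in the GithubTeam
  // principal tag - and therefore in any IAM policy conditioned on
  // aws:PrincipalTag/GithubTeam - is read from user_metadata. In Auth0,
  // user_metadata is editable by the user when a client holds the
  // update:current_user_metadata scope, whereas app_metadata is not.
  // Confirm that only a trusted writer (the GitHub connection or an earlier
  // Action) can populate gh_teams, or move it to app_metadata.
  const rawTeams = event.user.user_metadata?.gh_teams;
  if (!Array.isArray(rawTeams)) {
    // Fail closed, but with a reason that shows up in the Auth0 logs.
    api.access.deny("GitHub team membership is missing from the user profile");
    return;
  }

  // Strip the "github:" prefix the connection adds, then drop the org-wide
  // team so the tag reflects explicit team membership only.
  const teams = rawTeams
    .map((team) => team.replace("github:", ""))
    .filter((team) => team !== "all-org-members");

  // Leading/trailing ":" so a policy can match a single team with a
  // StringLike "*:<team>:*" condition (presumed - verify against the IAM
  // policies). NOTE(review): a team slug containing ":" would defeat that
  // matching, and AWS caps session tag values at 256 characters, so a user in
  // many teams could have the AssumeRoleWithSAML call rejected - confirm.
  const teamTag = `:${teams.join(":")}:`;

  // NOTE(review): AWS requires RoleSessionName to match [\w+=,.@-]{2,64};
  // nickname is passed through unvalidated and is not guaranteed unique, so
  // CloudTrail attribution depends on it being well-formed - confirm.
  const sessionName = event.user.nickname;

  // These look like attribute names carried over from the Rules-era AWS SAML
  // mapping; presumably unused now that the SAML attributes are set
  // explicitly below, but kept so existing behaviour is unchanged.
  api.user.GithubTeam = teamTag;
  api.user.awsRoleSession = sessionName;
  api.user.awsTagKeys = ["GithubTeam"];
  api.user.awsRole = roleAttribute;

  api.samlResponse.setAttribute(
    "https://aws.amazon.com/SAML/Attributes/Role",
    roleAttribute,
  );
  api.samlResponse.setAttribute(
    "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
    sessionName,
  );
  api.samlResponse.setAttribute(
    "https://aws.amazon.com/SAML/Attributes/PrincipalTag:GithubTeam",
    teamTag,
  );
};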