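def saml_enum_account_aliases(auth_response: AuthnResponse) -> Dict[str, str]:
    """Return the mapping between AWS Account IDs and their aliases.

    The aliases come from the custom ``AccountAlias`` attribute of the SAML
    assertion; every value is expected to look like ``"<account-id>,<alias>"``.

    NOTE(review): nothing here verifies the assertion itself. The function
    assumes ``auth_response`` has already been signature-checked upstream;
    an unverified assertion would let the sender choose arbitrary
    account/alias pairs. If the same account ID appears more than once,
    the last value listed wins.

    :param auth_response: the parsed SAML response.
    :return: a dictionary mapping an AWS account ID to its alias.
    :raises KeyError: if the assertion carries no ``AccountAlias`` attribute.
    :raises ValueError: if a value is not exactly ``account,alias`` with both
        parts non-empty.
    """
    aliases: Dict[str, str] = {}
    for pair in auth_response.get_identity()["https://github.com/eliezio/sari/AccountAlias"]:
        parts = pair.split(",")
        # Reject malformed values explicitly: feeding them to dict() would
        # fail too, but with a cryptic "element #N has length 3" message
        # that hides which attribute value was wrong.
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"Malformed AccountAlias attribute value: {pair!r}")
        account_id, alias = parts
        aliases[account_id] = alias
    return aliases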
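def saml_enum_aws_roles(auth_response: AuthnResponse) -> Dict[str, Tuple[str, str]]:
    """Return the Role/Principal pairs stored in the SAML assertion.

    The standard ``https://aws.amazon.com/SAML/Attributes/Role`` attribute
    carries one ``"<role-arn>,<provider-arn>"`` string per assumable role; see
    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-attribute

    Both ARNs of a pair must belong to the same AWS account; a mismatch is
    treated as a corrupt or tampered assertion and rejected rather than
    silently mapped to one of the two accounts.

    NOTE(review): this trusts ``auth_response`` -- the assertion must have been
    signature-verified before it reaches here. If the assertion lists more
    than one role in the same account, only the last one listed is kept
    (the return type allows a single pair per account).

    NOTE(review): the code assumes the role ARN comes first and the provider
    ARN second, as in the linked documentation; some IdP setups are said to
    emit them in the opposite order -- confirm against the IdP configuration.

    :param auth_response: the parsed SAML response.
    :return: a dictionary that maps an AWS account to a pair
        RoleARN/PrincipalARN.
    :raises KeyError: if the assertion carries no ``Role`` attribute.
    :raises ValueError: if a value is not a comma-separated pair, or if the
        two ARNs belong to different accounts.
    """
    def group_by_account(pair: str) -> Tuple[str, Tuple[str, str]]:
        parts = pair.split(",")
        # Check the shape up front: unpacking a wrong-sized list into the
        # helper's arguments would raise a TypeError that does not name
        # the offending attribute value.
        if len(parts) != 2:
            raise ValueError(f"Malformed Role attribute value: {pair!r}")
        role_arn, provider_arn = parts
        acc1 = get_aws_account_from_arn(role_arn)
        acc2 = get_aws_account_from_arn(provider_arn)
        if acc1 != acc2:
            # The original message used "${acc1}" -- a stray shell-style '$'
            # that ended up in the rendered text.
            raise ValueError(f"Account mismatch: {acc1} != {acc2}")
        return acc1, (role_arn, provider_arn)

    return dict(
        group_by_account(pair)
        for pair in auth_response.get_identity()["https://aws.amazon.com/SAML/Attributes/Role"]
    )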