Online

I've been using GSTS for a while now, and it's been a game-changer. It lets you use Google Workspace as a credential provider for your AWS CLI, using browser automation for authentication. If you're in an organization where you need to manage multiple AWS accounts, Google Workspace SAML federation for login credentials validation is super handy. Here's how to get started:

First, install GSTS:

npm install --global gsts

Then, add this credential_process to your ~/.aws/config and you're good to go:

[default]
credential_process = gsts --idp-id=<your_idp_id> --sp-id=<your_sp_id> --aws-role-arn=arn:aws:iam::111111112222222:role/role-name

The issue

When I first set this up and tried to login, I found out that GSTS uses MS Playwright to open a browser and handle the authentication. I got an error that looked something like this:

Error when retrieving credentials from custom-process: [...] ERROR gsts: browserType.launchPersistentContext: Executable doesn't exist at [...]/Caches/ms-playwright/chromium-1105/chrome-mac/Chromium.app/Contents/MacOS/Chromium
╔═════════════════════════════════════════════════════════════════════════╗
║ Looks like Playwright Test or Playwright was just installed or updated. ║
║ Please run the following command to download new browsers:              ║
║                                                                         ║
║     npx playwright install                                              ║
║                                                                         ║
║ <3 Playwright Team                                                      ║
╚═════════════════════════════════════════════════════════════════════════╝

The solution

I already had Puppeteer installed for some automation processes, and I prefer working with that instead of installing Playwright just for this one thing. Turns out, you can add --playwright-engine-executable-path /opt/homebrew/bin/chromium to the end of the credential command:

[profile sts]
credential_process = gsts --idp-id=<your_idp_id> --sp-id=<your_sp_id> --aws-role-arn=arn:aws:iam::111111112222222:role/role-name  --playwright-engine-executable-path /opt/homebrew/bin/chromium

This way, you can use your existing Chromium installation and avoid setting up Playwright separately.

TL;DR

GSTS simplifies using Google Workspace as a credential provider for AWS CLI, especially when managing multiple AWS accounts. Installation is straightforward, but you might encounter a hiccup with Playwright during the first-time setup. A quick fix is to use Puppeteer if you have it already installed, saving you the hassle of setting up another browser automation tool.