Can AWS CLI be used with a federated login?

22.9k views

I log in to AWS with my Active Directory account in my company. We are using federated login, as described here:

Federated Users and Roles

Federated users don't have permanent identities in your AWS account the way that IAM users do. To assign permissions to federated users, you can create an entity referred to as a role and define permissions for the role. When a federated user signs in to AWS, the user is associated with the role and is granted the permissions that are defined in the role. For more information, see Creating a Role for a Third-Party Identity Provider (Federation).

My company has a Security Token Service (STS) which is a SAML provider.

I can use that to log in to the AWS Management Console, but can I log in to the AWS CLI as well with my federated login?

4

There are 4 answers

1
Dunedan On BEST ANSWER

Yes, it is possible, however it's not straightforward. There is a rather long blog post in the AWS Security Blog explaining how to be able to use the CLI as a SAML-federated user: https://aws.amazon.com/de/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/

2
Phani On

Here are sample steps to configure for federated users.

$ aws configure sso
SSO session name (Recommended): my-sso
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [None]: sso:account:access

Source: Configure automatic token refresh

0
Kiruthika kanagarajan On

You can create your AWS access key, secret key and session token for federated users using the AssumeRoleWithSAML CLI command.

AWS CLI example that will provide you with credentials for a federated user:

aws sts assume-role-with-saml --role-arn arn:aws:iam::AccountNumber:role/ADFS-AWS-ADMIN --principal-arn arn:aws:iam::AccountNumber:saml-provider/idp001 --saml-assertion <base64-encoded-SAML-assertion>
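The command above needs the base64 SAML assertion your IdP returned after login, and the role/principal ARN pair that appears inside it. The following is an added example (not part of this answer or of the AWS blog script) that pulls those ARNs and the session duration out of the assertion, exchanges the assertion via STS, and renders the result as an AWS CLI profile. It assumes boto3 is installed for the STS call only; the parsing and profile rendering run offline. The assertion, account id 123456789012 and the credential values are constructed sample data.

```python
"""Parse an AWS SAML assertion and turn STS credentials into a CLI profile.
Added example; not code from the original post or from AWS."""
import base64
import configparser
import io
import os
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed sample assertion (not a real IdP response; unsigned, attributes only).
# AWS allows the Role value in either "role,provider" or "provider,role" order,
# so both orderings are included to exercise the parser.
SAMPLE_ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-AWS-ADMIN,arn:aws:iam::123456789012:saml-provider/idp001</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/idp001,arn:aws:iam::123456789012:role/ADFS-AWS-READONLY</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_ASSERTION_B64 = base64.b64encode(SAMPLE_ASSERTION_XML.encode()).decode()

# Constructed credential values in the shape STS returns; not real keys.
SAMPLE_CREDENTIALS = {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
    "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret1",
    "SessionToken": "EXAMPLEsessiontokenEXAMPLEsessiontoken",
}


def _attributes(assertion_b64):
    """Yield (Name, [AttributeValue text, ...]) for every SAML Attribute."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        yield attr.get("Name"), values


def parse_roles(assertion_b64):
    """Return [(role_arn, principal_arn), ...], normalised to role first."""
    roles = []
    for name, values in _attributes(assertion_b64):
        if name != ROLE_ATTR:
            continue
        for value in values:
            parts = [p.strip() for p in value.split(",")]
            if len(parts) == 2 and ":role/" in parts[0] and ":saml-provider/" in parts[1]:
                roles.append((parts[0], parts[1]))
            elif len(parts) == 2 and ":saml-provider/" in parts[0] and ":role/" in parts[1]:
                roles.append((parts[1], parts[0]))
            else:
                raise ValueError("malformed Role attribute value: %r" % value)
    if not roles:
        raise ValueError("assertion carries no AWS Role attribute")
    return roles


def session_duration(assertion_b64, default=3600):
    """SessionDuration attribute in seconds, or `default` when absent."""
    for name, values in _attributes(assertion_b64):
        if name == DURATION_ATTR and values:
            return int(values[0])
    return default


def assume_role(assertion_b64, role_arn, principal_arn, duration, region="us-east-1"):
    """Exchange the assertion for temporary credentials (network call; needs boto3).
    Same STS operation as `aws sts assume-role-with-saml`; it is unsigned, so no
    existing AWS credentials are required."""
    import boto3  # imported here so the offline helpers work without boto3
    sts = boto3.client("sts", region_name=region)
    resp = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=principal_arn,
                                     SAMLAssertion=assertion_b64, DurationSeconds=duration)
    return resp["Credentials"]


def render_profile(credentials, profile="saml"):
    """Render STS credentials as a named section of ~/.aws/credentials."""
    cfg = configparser.ConfigParser()
    cfg[profile] = {
        "aws_access_key_id": credentials["AccessKeyId"],
        "aws_secret_access_key": credentials["SecretAccessKey"],
        "aws_session_token": credentials["SessionToken"],
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def write_profile(credentials, profile="saml", path=None):
    """Append/replace the profile in the CLI credentials file, owner-read-only."""
    path = path or os.path.expanduser("~/.aws/credentials")
    cfg = configparser.ConfigParser()
    cfg.read(path)
    cfg.read_string(render_profile(credentials, profile))  # overrides the section
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)
    return path


if __name__ == "__main__":
    # Offline walk-through on the constructed assertion; a real run would pass
    # the IdP's assertion and call assume_role() before write_profile().
    for idx, (role, principal) in enumerate(parse_roles(SAMPLE_ASSERTION_B64)):
        print(idx, role, principal)
    print("session duration:", session_duration(SAMPLE_ASSERTION_B64))
    print(render_profile(SAMPLE_CREDENTIALS))
```

The credentials STS hands back expire after the requested DurationSeconds, so the profile has to be refreshed by repeating the exchange; `write_profile` keeps the file at mode 0600 because the session token grants the role's full permissions until then.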

1
Mahattam On

saml2aws can be used for AWS CLI for the federated user.

Refer to https://github.com/Versent/saml2aws; this is based on the Python code from https://aws.amazon.com/de/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/

You can use the command below to log in to the default IDP AWS account; your organization will provide you with the IDP account name.

saml2aws --idp-account="default" --username=USERNAME --password=PASSWORD login

To use the federated user for automation, you need to use exec:

saml2aws --idp-account="default" --username=USERNAME --password=PASSWORD exec -- command