I log in to AWS with my Active Directory account in my company. We are using federated login, as described here:
Federated Users and Roles
Federated users don't have permanent identities in your AWS account the way that IAM users do. To assign permissions to federated users, you can create an entity referred to as a role and define permissions for the role. When a federated user signs in to AWS, the user is associated with the role and is granted the permissions that are defined in the role. For more information, see Creating a Role for a Third-Party Identity Provider (Federation).
My company has a Security Token Service (STS) which is a SAML provider.
I can use that to log in to the AWS Management Console, but can I log in to the AWS CLI as well with my federated login?
However, if you would like to configure the AWS CLI without using the access/secret keys, follow the steps below. Open the IAM console at https://console.aws.amazon.com/iam/. In the navigation pane, choose Roles, Create role.
Identity federation in AWS
Identity federation is a system of trust between two parties for the purpose of authenticating users and conveying information needed to authorize their access to resources.
Key point: to authenticate to AWS on the command line, you do NOT use the username and password from the AWS Console. Instead, for most of the CLI authentication mechanisms we'll discuss in this blog post series, you will need a pair of access keys: the Access Key ID, which looks like this: AKIAIOSFODNN7EXAMPLE.
saml2aws can be used with the AWS CLI by a federated user.
Refer to https://github.com/Versent/saml2aws; it is based on the Python code from https://aws.amazon.com/de/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/
You can use the command below to log in to the default IdP AWS account; your organization will provide you the IdP account name.
saml2aws login --idp-account="default" --username=USERNAME --password=PASSWORD
To use the federated user for automation, you need to use exec:
saml2aws --idp-account="default" --username=USERNAME --password=PASSWORD exec command
Yes, it is possible; however, it's not straightforward. There is a rather long blog post in the AWS Security Blog explaining how to use the CLI as a SAML-federated user: https://aws.amazon.com/de/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/