Can AWS CLI be used with a federated login?

I log in to AWS with my Active Directory account in my company. We are using federated login, as described here:

Federated Users and Roles

Federated users don't have permanent identities in your AWS account the way that IAM users do. To assign permissions to federated users, you can create an entity referred to as a role and define permissions for the role. When a federated user signs in to AWS, the user is associated with the role and is granted the permissions that are defined in the role. For more information, see Creating a Role for a Third-Party Identity Provider (Federation).

My company has a Security Token Service (STS) which is a SAML provider.

I can use that to log in to the AWS Management Console, but can I log in to the AWS CLI as well with my federated login?

asked Sep 11 '17 13:09 by sashoalm


2 Answers

saml2aws can be used with the AWS CLI for a federated user.

See https://github.com/Versent/saml2aws; it is based on the Python code from https://aws.amazon.com/de/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/

You can use the command below to log in to the default IdP AWS account; your organization will provide you with the IdP account name.

    saml2aws --idp-account="default" --username=USERNAME --password=PASSWORD

To use the federated user for automation, you need to use exec:

    saml2aws --idp-account="default" --username=USERNAME --password=PASSWORD exec command
answered Oct 14 '22 07:10 by Mahattam


Yes, it is possible, however it's not straightforward. There is a rather long blog post in the AWS Security Blog explaining how to be able to use the CLI as a SAML-federated user: https://aws.amazon.com/de/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/

answered Oct 14 '22 07:10 by Dunedan
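Both answers point at the same mechanism: the SAML assertion the IdP returns after login is exchanged for temporary credentials with sts:AssumeRoleWithSAML, and those are written to an AWS CLI profile. The script below is an added example of that exchange, written for this page; it is not code from either answer, from the linked AWS blog post, or from the saml2aws project. The embedded SAML response is constructed, the account ID 123456789012 is the AWS documentation placeholder, the role and provider names (ADFS-Admin, ADFS-ReadOnly, saml-provider/ADFS) are assumptions, and the STS call is only sketched in the usage comment because it needs a real IdP response and network access.

```python
"""Federated AWS CLI access via SAML: parse the assertion, assume the role, write a profile.

Added example for this page, not the original answers' code. The sample assertion
below is constructed; the account ID is the AWS documentation placeholder.
"""
import base64
import configparser
import io
import xml.etree.ElementTree as ET

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample of what an IdP such as AD FS returns in the SAMLResponse
# form field (base64-encoded). Two roles are offered; the second lists the
# provider ARN first, which AWS also accepts.
SAMPLE_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-ReadOnly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()


def parse_roles(saml_response_b64):
    """Return [(role_arn, principal_arn), ...] from a base64-encoded SAMLResponse.

    The Role attribute value is "role,provider" or "provider,role"; AWS accepts
    either order, so normalise on which half contains ':role/'.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iter(SAML_NS + "Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter(SAML_NS + "AttributeValue"):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                raise ValueError("malformed Role attribute value: %r" % value.text)
            role, principal = parts if ":role/" in parts[0] else parts[::-1]
            roles.append((role, principal))
    return roles


def assume_role_with_saml(role_arn, principal_arn, saml_response_b64,
                          duration=3600, region="us-east-1"):
    """Exchange the assertion for temporary credentials (needs boto3 and network).

    AssumeRoleWithSAML is an unsigned STS call: the signed assertion is the proof
    of identity, so the workstation never needs a long-lived access key.
    """
    import boto3  # imported lazily so the offline helpers above run without it
    sts = boto3.client("sts", region_name=region)
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=principal_arn,
        SAMLAssertion=saml_response_b64,
        DurationSeconds=duration,
    )
    return resp["Credentials"]


def credentials_profile(profile, creds):
    """Render an ~/.aws/credentials section from an STS Credentials dict.

    aws_session_token is mandatory: a temporary key without it is rejected.
    """
    cfg = configparser.ConfigParser()
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    for role, principal in parse_roles(SAMPLE_SAML_RESPONSE):
        print("offered:", role, "via", principal)
    # Real flow: POST the IdP login form, read the SAMLResponse field, pick a
    # role, then
    #   creds = assume_role_with_saml(role, principal, saml_response)
    #   append credentials_profile("saml", creds) to ~/.aws/credentials
    # and run the CLI with --profile saml until the session expires.
```

The credentials this produces are bounded by the role's maximum session duration, so the profile has to be refreshed by logging in again; that is exactly what saml2aws login and saml2aws exec automate. Note that the only secrets ever stored locally are short-lived, which is the reason to prefer this over creating an IAM user with permanent access keys for a person who already has a corporate identity.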