How to use SAML2AWS to log into AWS through Single Sign-On (SSO) via AWS CLI

To learn how to enable Single Sign-On for your AWS account, read my other blog post: Essential Guide to AWS Governance – Part 2: Enable Single Sign-On for AWS using ADFS 3.0 and configure Cross Account Access

Now that you have enabled SSO for your AWS Account, you need an easy way to:

  • Log into your AWS Account via SSO (Single Sign-On) using AWS CLI
  • Assume a role in a different AWS Account (Cross Account Access) using AWS CLI

So here are the steps:

Install Chocolatey

First things first, you will need a tool called SAML2AWS. To get it, you first need to install the Chocolatey package manager. Don’t be afraid. Read this guide here to learn how to install it. It is super easy.

Install SAML2AWS

Now open a command prompt with administrative privileges and run the following command:

choco install saml2aws

Configure SAML2AWS

In a Windows command prompt with administrative privileges, run the following command:

saml2aws configure

then type 0 and press Enter:

then select 0 again if you don’t have MFA enabled:

then enter the URL of your ADFS login page. Please note that it should be in the following format:

https://<Server Name>/adfs/ls/idpinitiatedsignon.aspx

and not in this format:

https://<Server Name>/adfs/ls/idpinitiatedsignon.aspx?loginToRp=urn:amazon:webservices

and then enter the username that you use to log into ADFS:

Login via SAML2AWS

Now it is time to log in:

saml2aws login

Enter your username and password:

Now select the role that you want to assume (for a better understanding of roles, visit my other post).

Now you are successfully authenticated and your AWS CLI credentials file (most probably located in C:\Users\YourUsername\.aws) contains the token:

Now all you need to do is to open your config file (most probably located in C:\Users\YourUsername\.aws) and add the following lines:

[profile profileName]
role_arn = arn:aws:iam::111111111111:role/roleName
source_profile = saml

  • Change profileName to any name you like.
  • Make sure the word “saml” stays the same, because it refers to the saml profile in the credentials file, which is where saml2aws stores the token by default.
  • Change roleName and the AWS account ID (111111111111) to match the role you want to assume and the AWS account where that role is located.
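
The following added example (not part of the original post) checks the two files for mistakes that break this setup: a missing "profile " prefix in the config section name, a source_profile that does not match a section in the credentials file, a malformed role ARN, or an expired token. The sample file contents are constructed, and the x_security_token_expires field name is an assumption about what saml2aws writes to the credentials file.

```python
import configparser
import re
from datetime import datetime, timezone

ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

# Constructed sample files, mirroring the layout described in the post.
SAMPLE_CONFIG = """\
[profile profileName]
role_arn = arn:aws:iam::111111111111:role/roleName
source_profile = saml
"""
SAMPLE_CREDENTIALS = """\
[saml]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-secret
aws_session_token = constructed-token
x_security_token_expires = 2030-01-01T10:00:00+00:00
"""

def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def check_profile(config_text, credentials_text, profile, now=None):
    """Return a list of problems that would stop `--profile <profile>` working."""
    now = now or datetime.now(timezone.utc)
    config, creds = _parse(config_text), _parse(credentials_text)
    section = f"profile {profile}"
    if section not in config:
        hint = "; found it without the 'profile ' prefix" if profile in config else ""
        return [f"[{section}] not found in config{hint}"]
    problems = []
    role_arn = config[section].get("role_arn", "")
    if not ROLE_ARN.match(role_arn):
        problems.append(f"role_arn is not an IAM role ARN: {role_arn!r}")
    source = config[section].get("source_profile", "")
    if source not in creds:
        return problems + [f"source_profile [{source}] not in credentials file"]
    if not creds[source].get("aws_session_token"):
        problems.append(f"[{source}] has no session token; run saml2aws login")
    expires = creds[source].get("x_security_token_expires")  # assumed saml2aws field
    if expires and datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
        problems.append(f"[{source}] token expired at {expires}; log in again")
    return problems

if __name__ == "__main__":
    print(check_profile(SAMPLE_CONFIG, SAMPLE_CREDENTIALS, "profileName") or "OK")
```

To check your real files, pass the text of C:\Users\YourUsername\.aws\config and C:\Users\YourUsername\.aws\credentials instead of the sample strings.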

Now all is set. Run any AWS CLI command and just make sure your profile name is specified in the command. Here is an example:

Needless to say, the AWS PowerShell cmdlets are now also authorized to run commands against the account.

2 thoughts on “How to use SAML2AWS to log into AWS through Single Sign-On (SSO) via AWS CLI

  1. Thanks for the detailed steps. Our Federated login page, once it logs in, provides a drop-down to show a list of all sites integrated, and then we select the AWS link. I get this when I follow your steps.
    After step – SAML2AWS login and click Enter

    Response did not contain a valid SAML assertion
    Please check your username and password is correct
