To know how to enable Single Sign-On for your AWS Account read my other blog post here: Essential Guide to AWS Governance – Part 2: Enable Single Sign-On for AWS using ADFS 3.0 and configure Cross Account Access
Now that you have enabled SSO for your AWS Account, you need an easy way to:
- Log into your AWS Account via SSO (Single Sign-On) using AWS CLI
- Assume a role in a different AWS Account (Cross Account Access) using AWS CLI
So here are the steps:
First things first, you will need a tool called SAML2AWS. To install it you will need the Chocolatey package manager. Don’t be afraid. Read this guide here to learn how to install it. It is super easy.
Now open a command prompt with Administrative privilege and run the following command:
choco install saml2aws
Still in the Windows command prompt with Administrative privilege, run the following command to start the interactive configuration:
Then type 0 and press Enter to select ADFS as the identity provider:
Then select 0 again if you don’t have MFA enabled:
Then enter the URL of your ADFS login page. Please take note that it has to be in the following format:
and not in this format:
And then enter the username that you use to log into ADFS:
Login via SAML2AWS
Now it is time to log in:
Enter your username and password:
Now select the role which you want to assume (for a better understanding of roles, visit my other post):
Now you are successfully authenticated. Your AWS CLI credentials file (most probably located in C:\Users\YourUsername\.aws\credentials) now contains a profile named saml holding the temporary credentials (access key, secret key and session token) for the role you selected. These credentials expire when the SAML session duration ends, so when a command starts failing with an expired-token error, simply run the login again:
Now all you need to do is to open your config file (most probably located in C:\Users\YourUsername\.aws\config) and add the following lines:
[profile profileName]
role_arn = arn:aws:iam::111111111111:role/roleName
source_profile = saml
- Change profileName to any name you like; this is the name you will pass to --profile.
- Make sure the word “saml” stays the same, because it refers to the saml profile that SAML2AWS wrote into the credentials file. The role in the other account is assumed with those temporary credentials, so the role’s trust policy must allow the role you logged into via SAML.
- Change roleName and the AWS Account ID (111111111111 above) to the role and account you want to assume into.
Now everything is set. Run any AWS CLI command and just make sure your profile name is specified with --profile, so that the CLI assumes the cross-account role on your behalf. Here is an example:
It is needless to say that the AWS Tools for PowerShell cmdlets can now run commands against the Account as well: they read the same credentials and config files, so pass the same name via -ProfileName.
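The whole procedure above, put together as a PowerShell script you can run in an elevated prompt. This is an added example, not code from the original post or from the SAML2AWS project: it drives saml2aws non-interactively with its configure and login flags, appends the cross-account profile to the config file only if it is not already there, and verifies both hops with sts get-caller-identity. The ADFS URL, username, profile name profileName and the role ARN are placeholders you must replace with your own values.

```powershell
# Added example: SAML2AWS login plus cross-account profile setup on Windows.
# All values in the block below are assumptions; replace them with your own.
$ErrorActionPreference = 'Stop'

$AdfsUrl      = 'https://adfs.example.com/'                  # assumption: your ADFS login page URL
$Username     = 'DOMAIN\jdoe'                                # assumption: your ADFS username
$SamlProfile  = 'saml'                                       # profile saml2aws writes temp credentials into
$XAcctProfile = 'profileName'                                # assumption: name of the cross-account profile
$RoleArn      = 'arn:aws:iam::111111111111:role/roleName'    # placeholder from the post; replace

# 1. One-time configuration, the non-interactive equivalent of answering the prompts.
saml2aws configure --idp-provider ADFS --url $AdfsUrl --username $Username --profile $SamlProfile --skip-prompt
if ($LASTEXITCODE -ne 0) { throw 'saml2aws configure failed' }

# 2. Log in. You are prompted for the password and for the role to assume;
#    the temporary credentials land in ~\.aws\credentials under [$SamlProfile].
saml2aws login --profile $SamlProfile
if ($LASTEXITCODE -ne 0) { throw 'saml2aws login failed' }

# 3. Add the cross-account profile to ~\.aws\config, idempotently.
$ConfigPath = Join-Path $env:USERPROFILE '.aws\config'
if (-not (Test-Path $ConfigPath)) {
    New-Item -ItemType File -Path $ConfigPath -Force | Out-Null
}
$HeaderPattern = "^\[profile $([regex]::Escape($XAcctProfile))\]"
if (-not (Select-String -Path $ConfigPath -Pattern $HeaderPattern -Quiet)) {
    $ProfileBlock = @"

[profile $XAcctProfile]
role_arn = $RoleArn
source_profile = $SamlProfile
"@
    Add-Content -Path $ConfigPath -Value $ProfileBlock
} else {
    Write-Host "Profile [$XAcctProfile] already present in $ConfigPath, leaving it unchanged."
}

# 4. Verify: first the identity of the SAML session, then the assumed cross-account role.
#    The second call fails with AccessDenied if the role's trust policy does not allow
#    the role you logged into, and with an expired-token error once the session has lapsed.
aws sts get-caller-identity --profile $SamlProfile
aws sts get-caller-identity --profile $XAcctProfile
```

When the second get-caller-identity returns the account number from role_arn, every further `aws ... --profile profileName` (or PowerShell cmdlet with `-ProfileName profileName`) runs in the other account; re-run `saml2aws login` whenever the temporary credentials expire.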