To know how to enable Single Sign-On for your AWS Account read my other blog post here: Essential Guide to AWS Governance – Part 2: Enable Single Sign-On for AWS using ADFS 3.0 and configure Cross Account Access
Now that you have enabled SSO for your AWS Account, you need an easy way to:
- Log into your AWS Account via SSO (Single Sign-On) using AWS CLI
- Assume a role in a different AWS Account (Cross Account Access) using AWS CLI
So here are the steps:
Install Chocolatey
First things first, you will need a tool called SAML2AWS. To get it you will need to install the Chocolatey package manager. Don’t be afraid. Read this guide here to learn how to install it. It is super easy.
Install SAML2AWS
Now open a command prompt with Administrative privilege and run the following command:
choco install saml2aws
Configure SAML2AWS
In a Windows command prompt with Administrative privilege, run the following commands:
saml2aws configure
then type 0 and press Enter:
then select 0 again if you don’t have MFA enabled:
then enter your ADFS login page URL. Please take note that it must be in the following format:
https://<Server Name>/adfs/ls/idpinitiatedsignon.aspx
and not in this format:
https://<Server Name>/adfs/ls/idpinitiatedsignon.aspx?loginToRp=urn:amazon:webservices
and then enter your username that you use to log into ADFS:
Login via SAML2AWS
Now it is time to log in:
saml2aws login
Enter your username and password:
Now select the role which you want to assume (for better understanding of roles visit my other post)
Now you are successfully authenticated and your AWS CLI credentials file (most probably located in C:\Users\YourUsername\.aws) contains the token:
Now all you need to do is to open your config file (most probably located in C:\Users\YourUsername\.aws) and add the following lines:
[profile profileName]
role_arn = arn:aws:iam::111111111111:role/roleName
source_profile = saml
- Change profileName to any name you like.
- Make sure the word “saml” stays the same, because it refers to the default profile that saml2aws wrote to your credentials file.
- Change roleName and the 12-digit AWS Account ID (111111111111 above) to the account where the role is located.
Now all is set. Run any AWS CLI command and just make sure your profile name is specified in the command. Here is an example:
Needless to say, your AWS PowerShell cmdlets are now also authorized to run commands against the Account.
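As an added example (not part of the original post), here is a small Python checker for the config and credentials files described above. It uses constructed sample file contents and assumes saml2aws wrote its temporary credentials to a [saml] section; it flags the usual mistakes (wrong section name, source_profile not matching the credentials file, malformed role_arn, long-lived keys instead of a session token).

```python
import configparser
import re
from typing import List

# Constructed sample content mirroring what the post describes: the credentials
# file written by saml2aws (profile "saml") and the config file with the
# cross-account profile added by hand. Values are placeholders, not real keys.
SAMPLE_CREDENTIALS = """
[saml]
aws_access_key_id = ASIAEXAMPLEEXAMPLE
aws_secret_access_key = exampleSecretKeyNotReal
aws_session_token = exampleSessionTokenNotReal
"""

SAMPLE_CONFIG = """
[profile crossaccount]
role_arn = arn:aws:iam::111111111111:role/roleName
source_profile = saml
"""

# IAM role ARN: 12-digit account id, then role/<name>.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def check_cross_account_profile(config_text: str, credentials_text: str, profile: str) -> List[str]:
    """Return the problems found; an empty list means the profile looks usable."""
    config = configparser.ConfigParser()
    config.read_string(config_text)
    creds = configparser.ConfigParser()
    creds.read_string(credentials_text)
    problems: List[str] = []

    section = f"profile {profile}"
    if not config.has_section(section):
        # In ~/.aws/config, non-default profiles must be written as "[profile name]".
        return [f"config has no section [{section}]"]
    role_arn = config.get(section, "role_arn", fallback="")
    if not ROLE_ARN_RE.match(role_arn):
        problems.append(f"role_arn is not a well-formed IAM role ARN: {role_arn!r}")
    source = config.get(section, "source_profile", fallback="")
    if not source:
        problems.append("source_profile is missing")
    elif not creds.has_section(source):
        # The credentials file uses bare section names, e.g. [saml], not [profile saml].
        problems.append(f"source_profile {source!r} has no section in the credentials file")
    else:
        # saml2aws writes temporary STS credentials; a missing session token usually
        # means long-lived keys were pasted in instead of the SAML-issued ones.
        for key in ("aws_access_key_id", "aws_secret_access_key", "aws_session_token"):
            if not creds.get(source, key, fallback=""):
                problems.append(f"credentials [{source}] lacks {key}")
    return problems


if __name__ == "__main__":
    for issue in check_cross_account_profile(SAMPLE_CONFIG, SAMPLE_CREDENTIALS, "crossaccount"):
        print("PROBLEM:", issue)
```

To check your real files, read C:\Users\YourUsername\.aws\config and \credentials into the two text arguments instead of the samples.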
Thanks for the detailed steps. Our federated login page, once logged in, provides a drop-down showing a list of all integrated sites, and then we select the AWS link. I get this when I follow your steps.
After the step – SAML2AWS login – and pressing Enter:
Response did not contain a valid SAML assertion
Please check your username and password is correct
Sometimes I have seen the same issue happening when I am behind a corporate proxy. Can you test the same when you are not behind a proxy and see if you get the same error?