AWS Official Blog

Identity Federation to the AWS Management Console

by Jeff Barr | in AWS IAM, AWS Management Console, Identity and Access Management

In August, we announced that AWS Identity and Access Management (IAM) added support for Identity Federation. This enabled customers to use their existing identities (e.g. users) to securely access AWS APIs and resources using IAM’s fine-grained access controls, without the need to create an IAM user for each identity.

Today we are announcing that we have extended IAM's Identity Federation functionality to also enable federated users to access the AWS Management Console. This allows you to enable your employees to sign in once to your corporate directory, and then use the AWS Management Console without having to sign in to AWS, providing single sign-on access to AWS.

In my previous post on the topic of Identity Federation, I discussed how you could set up an identity broker, which calls our Security Token Service (STS), requesting temporary security credentials to provide your users access to AWS. You explicitly specify the permissions that these temporary credentials give your users, and you control how long (1 to 36 hours) these credentials are valid. Well, these same temporary security credentials can now also be used to access the AWS Management Console.

Here’s the basic flow:

1. The user signs in to the enterprise network with their enterprise credentials.
2. The user browses to an internal site and clicks on Sign in to AWS Management Console.
3. The page calls the identity broker. The identity broker validates access rights and provides temporary security credentials, which include the user's permissions to access AWS. The page includes these temporary security credentials as part of the sign-in request to AWS.
4. The user is logged in to the AWS Management Console with the appropriate IAM policy.
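
The "validates access rights" step is where the broker decides which permissions and what lifetime a session gets. The sketch below is an added example, not code from this post or from the AWS sample application: the group names, the group-to-policy mapping and the `federation_grant` helper are hypothetical, and the 1 to 36 hour bounds are the ones quoted above.

```ruby
require 'json'

# Hypothetical mapping from directory groups to the IAM policy statement a
# federated session receives. Group names and statements are constructed.
GROUP_POLICIES = {
  'aws-sns-operators' => { 'Effect' => 'Allow', 'Action' => 'sns:*', 'Resource' => '*' },
  'aws-s3-auditors'   => { 'Effect' => 'Allow',
                           'Action' => ['s3:Get*', 's3:List*'], 'Resource' => '*' }
}.freeze

MIN_DURATION = 1 * 3600   # the post gives 1 to 36 hours as the valid range
MAX_DURATION = 36 * 3600

class AccessDenied < StandardError; end

# Decide what a federated session may do. Returns the name, policy JSON and
# duration the broker would hand to STS; raises AccessDenied when the user's
# groups map to no AWS permissions, so nobody gets a session by default.
def federation_grant(user_name, groups, requested_seconds)
  # STS federated user names are 2-32 characters from this set.
  unless user_name.to_s.match?(/\A[\w+=,.@-]{2,32}\z/)
    raise AccessDenied, 'invalid user name'
  end

  statements = groups.uniq.map { |g| GROUP_POLICIES[g] }.compact
  raise AccessDenied, "no AWS access mapped for #{user_name}" if statements.empty?

  {
    name: user_name,
    policy: JSON.generate('Version' => '2012-10-17', 'Statement' => statements),
    # Never issue credentials outside the allowed lifetime, whatever was asked.
    duration: requested_seconds.to_i.clamp(MIN_DURATION, MAX_DURATION)
  }
end
```

Unmapped groups are ignored rather than treated as errors, so a user's session policy is the union of only those statements the broker explicitly knows about.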

If you have already built an identity broker, perhaps using our sample application, to enable Identity Federation to AWS service APIs for users in your enterprise directory, you're already most of the way there. All you need to do is implement an internal web page with redirect links to the AWS Management Console, and include the temporary security credentials as part of the sign-in request. Below is a simple Ruby code sample that shows how to do just that (just replace the highlighted items with your own identifiers and URLs):

    require 'rubygems'
    require 'json'
    require 'open-uri'
    require 'cgi'
    require 'aws-sdk'

    # The temporary credentials will normally come from your identity
    # broker, but for simplicity we create them in place
    sts = AWS::STS.new(:access_key_id => "*** Your AWS Access Key ID ***",
      :secret_access_key => "*** Your AWS Secret Access Key ***")

    # A sample policy for accessing SNS in the console.
    policy = AWS::STS::Policy.new
    policy.allow(:actions => "sns:*", :resources => :any)

    session = sts.new_federated_session(
      "UserName",
      :policy => policy,
      :duration => 3600)

    # The issuer parameter specifies your internal sign-in
    # page, for example
    # The console parameter specifies the URL to the destination tab of the
    # AWS Management Console. This example goes to the sns console.
    # The signin parameter is the URL to send the request to.
    issuer_url = ""
    console_url = ""
    signin_url = ""

    # Create the signin token using temporary credentials,
    # including the Access Key ID, Secret Access Key, and security token.
    session_json = {
      :sessionId => session.credentials[:access_key_id],
      :sessionKey => session.credentials[:secret_access_key],
      :sessionToken => session.credentials[:session_token]
    }.to_json

    get_signin_token_url = signin_url + "?Action=getSigninToken&SessionType=json&Session=" + CGI.escape(session_json)
    returned_content = URI.parse(get_signin_token_url).read
    signin_token = JSON.parse(returned_content)['SigninToken']
    signin_token_param = "&SigninToken=" + CGI.escape(signin_token)

    # The issuer parameter is optional, but recommended. Use it to direct users
    # to your sign-in page when their session expires.
    issuer_param = "&Issuer=" + CGI.escape(issuer_url)
    destination_param = "&Destination=" + CGI.escape(console_url)

    login_url = signin_url + "?Action=login" + signin_token_param + issuer_param + destination_param
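
Both URLs built above carry secrets in the query string: `Session` holds the temporary credentials and `SigninToken` the sign-in token, so the internal page and any proxy in front of it should keep those values out of logs. The scrubber below is an added example, not part of the original sample; the helper names, the placeholder hosts and the log lines are constructed for illustration.

```ruby
require 'uri'

# Query parameters from the sign-in requests that carry secrets.
SENSITIVE_PARAMS = %w[Session SigninToken].freeze

# Replace the values of sensitive query parameters in a single URL.
def redact_federation_url(url)
  uri = URI.parse(url)
  return url if uri.query.nil?

  pairs = URI.decode_www_form(uri.query).map do |key, value|
    SENSITIVE_PARAMS.any? { |p| p.casecmp?(key) } ? [key, 'REDACTED'] : [key, value]
  end
  uri.query = URI.encode_www_form(pairs)
  uri.to_s
rescue URI::InvalidURIError, ArgumentError
  # Fail closed: a URL we cannot parse is dropped rather than logged verbatim.
  '[unparseable URL removed]'
end

# Redact every http(s) URL found in a log line before it is written.
def scrub_log_line(line)
  line.gsub(%r{https?://[^\s"']+}) { |url| redact_federation_url(url) }
end

# Constructed sample log lines; hosts and values are placeholders.
SAMPLE_LOG = [
  'GET https://signin.example.invalid/endpoint?Action=getSigninToken' \
  '&SessionType=json&Session=%7B%22sessionId%22%3A%22ASIAEXAMPLE%22%7D 200',
  'redirect to https://signin.example.invalid/endpoint?Action=login' \
  '&SigninToken=abc123EXAMPLE&Issuer=https%3A%2F%2Fsso.example.invalid%2F',
  'GET https://intranet.example.invalid/health 200'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LOG.each { |line| puts scrub_log_line(line) }
end
```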

You can control the user name displayed in the upper right corner of the AWS Management Console when your user logs in. You can also optionally provide an “Issuer” URL when signing your users in. This URL will then be displayed to the user when their credentials expire, so they can re-authenticate with your identity system before continuing to use the AWS Console.

The following services support Identity Federation to the AWS Management Console today: Amazon EC2, Amazon S3, Amazon SNS, Amazon SQS, Amazon VPC, Amazon CloudFront, Amazon Route 53, Amazon CloudWatch, Amazon RDS, Amazon ElastiCache, Amazon SES, Elastic Load Balancing, and IAM. We’ll of course be adding support for additional service consoles over time (the busy Amazon DynamoDB team is already working on it!).

— Jeff;