How can I use the AWS CLI to call and store SAML credentials?

Last updated: 2010-05-06

I want to test SAML 2.0 federation with the AWS Command Line Interface (AWS CLI) and verify API calls made with the federated credentials. How can I do this?

Short Description

Before you begin, confirm that you configured the following:

  • An instance with the AWS CLI installed, or have the AWS CLI installed on your local system.
  • A SAML federation server.
  • Role Amazon Resource Name (ARN), identity provider (IdP) ARN, and SAML response.

Follow these instructions to call the API, save the output to a text file, and then use it to call an API command with the AWS CLI.

Note: You must have the SAML response from your IdP. This example uses AD FS 2.0, which doesn't provide an API call for retrieving the response, so the response is copied from the browser.

Get the SAML Response from developer tools

1.    Follow the instructions for How to View a SAML Response in Your Browser for Troubleshooting.

2.    Scroll to the logs and open the SAML log file.

3.    Copy the entire SAML response.

Run this command with AWS CLI on your instance to save the credentials

1.    Save the SAML response that you copied to a file named samlresponse.log (the file referenced at the end of this command), and then run the command. It calls AWS STS (AssumeRoleWithSAML) with the assertion and appends the returned temporary credentials to a profile:

Note: This example uses awk, which is available on Linux-based distributions.

aws sts assume-role-with-saml --role-arn arn:aws:iam::ACCOUNTNUMBER:role/IAM_ROLE \
    --principal-arn arn:aws:iam::ACCOUNTNUMBER:saml-provider/SAML_PROVIDER \
    --saml-assertion file://samlresponse.log \
| awk -F: '
                # split the JSON into one record per value and open the profile section
                BEGIN { RS = "[,{}]" ; print "[PROFILENAME]"}
                # strip the quotes around the value
                /:/{ gsub(/"/, "", $2) }
                /AccessKeyId/{ print "aws_access_key_id = " $2 }
                /SecretAccessKey/{ print "aws_secret_access_key = " $2 }
                /SessionToken/{ print "aws_session_token = " $2 }
' >> ~/.aws/credentials

This appends the credentials as a profile in the ~/.aws/credentials file. To make a backup of that file, use this command:

cp -a ~/.aws/credentials ~/.aws/credentials.bak

Tip: Make sure that you have a matching profile in ~/.aws/config with the output and Region set, so that you are not repeatedly prompted to enter it.
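The awk pipeline above splits every record on ":" and appends a fresh [PROFILENAME] section on every run, so repeated runs leave duplicate sections and any value that contains a colon (such as the Expiration timestamp) is cut short. The following POSIX sh script is an added example, not part of the original article or of the AWS CLI: it reads the same assume-role-with-saml JSON from stdin, splits each record at its first colon, replaces an existing section of the same name instead of appending, and keeps the credentials file at mode 0600. The function names render_profile and write_profile, the profile name, the file paths and the sample JSON (placeholder values only) are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original article or the AWS CLI.
# Reads the JSON printed by "aws sts assume-role-with-saml" on stdin and
# writes the temporary credentials as an INI profile into a credentials
# file, replacing an existing section of the same name instead of
# appending a second copy.

# Constructed sample of the command's output; every value is a placeholder.
SAMPLE_JSON='{
    "SubjectType": "persistent",
    "AssumedRoleUser": {
        "AssumedRoleId": "",
        "Arn": "arn:aws:sts::ACCOUNTNUMBER:assumed-role/ROLE_ID/"
    },
    "Credentials": {
        "SecretAccessKey": "SECRET_ACCESS_KEY",
        "SessionToken": "TOKEN_KEY",
        "Expiration": "2015-05-11T20:00:49Z",
        "AccessKeyId": "ACCESS_KEY_ID"
    },
    "Subject": "CORP\\\\EXAMPLE",
    "Issuer": ""
}'

# render_profile PROFILE  (JSON on stdin) -> INI section on stdout.
# Records are split on , { } like the article's awk, but each record is
# split at its FIRST colon, so ARNs and the Expiration timestamp survive.
render_profile() {
    awk -v profile="$1" '
        BEGIN { RS = "[,{}]"; print "[" profile "]" }
        {
            i = index($0, ":")
            if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[" \t\r\n]/, "", key)      # drop quotes and whitespace
            gsub(/[" \t\r\n]/, "", val)
        }
        key == "AccessKeyId"     { print "aws_access_key_id = " val }
        key == "SecretAccessKey" { print "aws_secret_access_key = " val }
        key == "SessionToken"    { print "aws_session_token = " val }
        key == "Expiration"      { print "# expires_at = " val }   # comment line; the CLI ignores it
    '
}

# write_profile PROFILE CREDFILE  (JSON on stdin)
# Rewrites CREDFILE with every other section kept, the named section
# replaced (or added), and the file mode fixed at 0600 because it holds secrets.
write_profile() {
    profile=$1
    credfile=$2
    section=$(render_profile "$profile") || return 1
    tmp="$credfile.tmp.$$"
    ( umask 077 && : > "$tmp" ) || return 1       # temp file is created 0600
    if [ -f "$credfile" ]; then
        # Copy everything except the section being replaced.
        awk -v profile="$profile" '
            /^\[/ { skip = ($0 == "[" profile "]") }
            !skip { print }
        ' "$credfile" > "$tmp"
    fi
    printf '%s\n' "$section" >> "$tmp"
    mv "$tmp" "$credfile" && chmod 600 "$credfile"
}

# Stand-alone demonstration on a throwaway file, so ~/.aws is untouched.
# Real use:  aws sts assume-role-with-saml ... | write_profile PROFILENAME ~/.aws/credentials
demo_file=$(mktemp)
printf '%s' "$SAMPLE_JSON" | write_profile PROFILENAME "$demo_file"
cat "$demo_file"
rm -f "$demo_file"
```

The Expiration value is written as a comment line inside the section so you can see when the temporary credentials stop working without running a command that fails; the AWS CLI skips lines that start with #. Because the section is replaced rather than appended, the script can be re-run after every new SAML login and the file never accumulates stale copies of the profile.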

Use saved credentials to run an AWS CLI command for testing

Now that the credentials are saved, reference the profile with the --profile parameter on your AWS CLI calls. For example:

aws ec2 describe-instances --profile PROFILENAME

Example outputs:

assume-role-with-saml output without piping to a file:

{
    "SubjectType": "persistent",
    "AssumedRoleUser": {
        "AssumedRoleId": "",
        "Arn": "arn:aws:sts::ACCOUNTNUMBER:assumed-role/ROLE_ID/"
    },
    "Audience": "",
    "NameQualifier": "RANDOM_GENERATED_STRING",
    "Credentials": {
        "SecretAccessKey": "SECRET_ACCESS_KEY",
        "SessionToken": "TOKEN_KEY",
        "Expiration": "2015-05-11T20:00:49Z",
        "AccessKeyId": "ACCESS_KEY_ID"
    },
    "Subject": "CORP\\\\EXAMPLE",
    "Issuer": ""
}

assume-role-with-saml output piped to the credentials file:

aws_access_key_id =  ACCESS_KEY_ID
aws_session_token =  SESSION_TOKEN
aws_secret_access_key =  SECRET_ACCESS_KEY