I've configured access to the AWS Management Console for my Active Directory users using federation. How do I give users the same access for the AWS Command Line Interface (AWS CLI) using Active Directory Federation Services (AD FS)?

If you have Enabled SAML 2.0 Federated Users to Access the AWS Management Console, users who need programmatic access still need an access key ID and a secret access key. For an IAM user you can obtain these by following Configure the AWS CLI; for federated users you instead obtain temporary credentials and use them with the AWS CLI, as described below.

Before you can give access to a federated user, you must:

[default]
output = json
region = eu-west-1
aws_access_key_id =
aws_secret_access_key =

If your identity provider (IdP) is configured to work with Integrated Windows Authentication (IWA), NTLM, or Kerberos (which are the default for AD FS 2.0), see the following solutions:

    1. PowerShell for AD FS using IWA (PowerShell 2.0)

    2. Python for AD FS using IWA (default for AD FS 2.0)

If your IdP is configured to work with Form-Based Authentication (which is the default for AD FS 3.0 and 4.0), see the following solution:

    3. Python for AD FS using form-based authentication (default for AD FS 3.0 and 4.0)

Solution 1: PowerShell for AD FS using IWA (PowerShell 2.0)

1.    Import the Windows PowerShell module by running the following command:

> Import-Module "C:\Program Files (x86)\AWS Tools\PowerShell\AWSPowerShell\AWSPowerShell.psd1"

2.    Set a variable for your AD FS endpoint by running a command similar to the following:

> $Endpoint = 'https://adfs.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices'

Note: This includes the complete URL of your AD FS login page and the login uniform resource name (URN) for AWS.

3.    Set the SAML endpoint by running a command similar to the following:

> $EndpointName = Set-AWSSamlEndpoint -Endpoint "$Endpoint" -StoreAs 'ADFS-Login' -AuthenticationType NTLM

Note: By default, the AD FS 2.0 AuthenticationType is set to NTLM. If you do not specify a value for the AuthenticationType in the AWS Tools Cmdlet above, AWS Tools uses Kerberos by default.

4.    Use the stored endpoint settings to authenticate with the AD FS IdP to obtain a list of roles that the user can assume using one of the following methods:

Use the credentials of the user who is currently logged into the workstation

> Set-AWSSamlRoleProfile -StoreAs 'SAMLUser' -EndpointName $EndpointName

Specify credentials of an Active Directory user

> $Credential = Get-Credential -Message "Enter the domain credentials for the endpoint"
> Set-AWSSamlRoleProfile -EndpointName $EndpointName -NetworkCredential $Credential -StoreAs 'SAMLUser'

5.    When prompted, choose the role that you want to assume. The prompt looks similar to the following:

Select Role
Select the role to be assumed when this profile is active
[A] A - 696295227321:role/ADFS-DevAdmin  [B] B - 123456789012:role/ADFS-DevReadOnly  [?] Help (default is "A"): A
SAMLUser

6.    Confirm that users can access the AWS CLI with the federated credentials by running a command that uses the stored profile, similar to the following:

> Get-IAMSAMLProviderList -ProfileName SAMLUser

Solution 2: Python for AD FS using IWA (default for AD FS 2.0)

1.    Install the following Python modules:

  pip install --upgrade boto beautifulsoup4 requests

2.    Follow the blog post Implement Federated API and CLI Access Using SAML 2.0 and AD FS and download the script from it.

3.    Open the script and modify the following variables:

    region = 'eu-west-1'
    outputformat = 'json'
    awsconfigfile = '/.aws/credentials'
    idpentryurl = 'https://adfs.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices'

4.    Set your preferred region and output format, and in idpentryurl replace adfs.example.com with the fully qualified domain name (FQDN) of your AD FS server. If your AWS credentials file is not at the default path, set awsconfigfile to its location.

5.    Save your changes, run the script, and fill in the prompts as they appear:

   bob@Ubuntu64:~$ ./working_samlapi.py
   Username: bob@example.com
   Password: ***********

   Please choose the role you would like to assume:
   [ 0 ]:  arn:aws:iam::123456789012:role/ADFS-DevAdmin
   [ 1 ]:  arn:aws:iam::123456789012:role/ADFS-DevReadOnly

   Selection:  0

   ----------------------------------------------------------------
   Your new access key pair has been stored in the AWS configuration file /home/ec2-user/.aws/credentials under the saml profile.
   Note that it will expire at 2018-03-14T14:57:45Z.
   After this time, you may safely rerun this script to refresh your access key pair.
   To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile saml ec2 describe-instances).
   ----------------------------------------------------------------

6.    After you have successfully federated, run AWS CLI commands with the newly configured SAML profile by adding the --profile parameter:

   bob@Ubuntu64:~$ aws iam list-saml-providers --profile saml
   {
       "SAMLProviderList": [
           {
               "CreateDate": "2018-03-14T13:28:24Z",
               "ValidUntil": "2118-03-14T13:28:23Z",
               "Arn": "arn:aws:iam::123456789012:saml-provider/adfs"
           }
      ]
   }

Solution 3: Python for AD FS using form-based authentication (default for AD FS 3.0 and 4.0)

1.    Install the following Python modules:

pip install --upgrade boto beautifulsoup4 requests

2.    Follow the blog post Implement a General Solution for Federated API/CLI Access Using SAML 2.0 and download the script from step 4 of the post.

3.    Follow steps 3-6 for Solution 2: Python for AD FS using IWA (default for AD FS 2.0).
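The two Python solutions above rely on a script that does three things after the IdP login: pull the role/provider ARN pairs out of the SAMLResponse, call STS AssumeRoleWithSAML for the chosen pair, and write the temporary keys to a profile in the credentials file. The following is an added example of those three steps; it is not the blog post's script, and the SAML response it parses is constructed here (a real one is signed and much larger). It also handles the case where a claim rule emits the provider ARN before the role ARN, which the blog scripts check for too.

```python
import base64
import configparser
import xml.etree.ElementTree as ET

SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'
ROLE_ATTR = 'https://aws.amazon.com/SAML/Attributes/Role'
# Constructed sample SAMLResponse (not real AD FS output); the second claim value lists the provider ARN first.
SAMPLE_RESPONSE = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    b'<saml:AttributeStatement><saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">'
    b'<saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-DevAdmin,'
    b'arn:aws:iam::123456789012:saml-provider/adfs</saml:AttributeValue>'
    b'<saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/adfs,'
    b'arn:aws:iam::123456789012:role/ADFS-DevReadOnly</saml:AttributeValue>'
    b'</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>').decode()

def parse_roles(saml_response_b64):
    # Return (role_arn, principal_arn) pairs found in a base64 SAMLResponse.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter('{%s}Attribute' % SAML_NS):
        if attr.get('Name') != ROLE_ATTR:
            continue
        for value in attr.iter('{%s}AttributeValue' % SAML_NS):
            parts = [p.strip() for p in (value.text or '').split(',')]
            if len(parts) != 2:
                continue  # malformed claim value; STS would reject it anyway
            if ':saml-provider/' in parts[0]:  # STS wants RoleArn first
                parts.reverse()
            pairs.append(tuple(parts))
    return pairs

def assume_role(role_arn, principal_arn, saml_response_b64):
    import boto3  # needs boto3 and network access; imported lazily so the offline helpers run without it
    return boto3.client('sts').assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=principal_arn,
        SAMLAssertion=saml_response_b64)['Credentials']

def write_profile(path, profile, creds, region='eu-west-1', output='json'):
    # Write or refresh one profile in the AWS credentials file, keeping the others.
    config = configparser.RawConfigParser()
    config.read(path)  # a missing file is fine: read() simply returns []
    config.read_dict({profile: {'output': output, 'region': region,
        'aws_access_key_id': creds['AccessKeyId'],
        'aws_secret_access_key': creds['SecretAccessKey'],
        'aws_session_token': creds['SessionToken']}})
    with open(path, 'w') as fh:
        config.write(fh)
    return dict(config.items(profile))
```

In a real run you would obtain the SAMLResponse from the AD FS login form, pick one pair from parse_roles, pass it to assume_role, and hand the returned Credentials to write_profile; the session token is what makes the profile work, so it must be written alongside the key pair.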

Published: 2018-06-04