I want to test SAML 2.0 federation and commands using the AWS Command Line Interface (AWS CLI) for testing purposes and to verify API calls. How can I do this?

Before you begin, confirm that you configured the following:

  • An instance with the AWS CLI installed, or have the AWS CLI installed on your local system.
  • A SAML federation server.
  • Role Amazon Resource Name (ARN), identify provider (IdP) ARN, and SAML Response.

Follow these instructions to make the API call, save the output to a text file, and then use it to call an API command with the AWS CLI.

Note: You must have the SAML response from your IdP. This example uses AD FS 2.0, which doesn't have an API call set up to get a response.

Get SAML Response from developer tools.

1.    Follow the instructions for How to View a SAML Response in Your Browser for Troubleshooting.

2.    Scroll to the logs and open the SAML log file.

3.    Copy the entire SAML response.

Run this command with AWS CLI on your instance to save the credentials.

1.    Paste the SAML response at the end of this command, and run it to call the STS token:

aws sts assume-role-with-saml --role-arn arn:aws:iam::ACCOUNTNUMBER:role/IAM_ROLE --principal-arn arn:aws:iam::ACCOUNTNUMBER:saml-provider/SAML_PROVIDER --saml-assertion BASE64_ENCODED_RESPONSE | \\

awk -F:  '
                BEGIN { RS = "[,{}]" ; print "[PROFILENAME]"}
                /:/{ gsub(/"/, "", $2) }
                /AccessKeyId/{ print "aws_access_key_id = " $2 }
                /SecretAccessKey/{ print "aws_secret_access_key = " $2 }
                /SessionToken/{ print "aws_session_token = " $2 }
' >> ~/.aws/credentials

This saves the credentials in a profile inside the ~/.aws/credentials file. To make a backup, use this command:

cp -a ~/.aws/credentials ~/.aws/credentials.bak.

Note: Make sure you have a matching profile in ~/.aws/config with the output and region set, so that you are not repeatedly prompted to enter it.

Use saved credentials to run an AWS CLI command for testing.

Now that you have the credentials saved, you'll call it using the --profile parameter on your AWS CLI calls. For example:

aws ec2 describe-instances --profile PROFILENAME

Example outputs:

assume-role-with-saml output without piping to a file:

    "SubjectType": "persistent",
    "AssumedRoleUser": {
       "AssumedRoleId": "ROLE_ID_NUMBER:example@corp.example.com",
       "Arn": "arn:aws:sts::ACCOUNTNUMBER:assumed-role/ROLE_ID/example@corp.example.com"
    "Audience": "https://signin.aws.amazon.com/saml",
    "NameQualifier": "RANDOM_GENERATED_STRING",
    "Credentials": {
       "SecretAccessKey": "SECRET_ACCESS_KEY",
       "SessionToken": "TOKEN_KEY",
       "Expiration": "2015-05-11T20:00:49Z",
       "AccessKeyId": "ACCESS_KEY_ID"
"Subject": "CORP\\\\EXAMPLE",
"Issuer": "http://SERVER_NAME.corp.example.com/adfs/services/trust"

assume-role-with-saml output piped to the credentials file:

aws_access_key_id =  ACCESS_KEY_ID
aws_session_token =  SESSION_TOKEN
aws_secret_access_key =  SECRET_ACCESS_KEY

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2018-08-28

Updated: 2019-01-25