AWS — Adding Azure AD SSO including AWS CLI

Srinika Gunawardane, published in dtlpub, May 16, 2019

There are plenty of good resources out there which explain clearly and precisely how to integrate Azure AD (AAD) with AWS for federated login, as well as how to access the AWS CLI with a federated token and AWS temporary credentials. But most of the articles explain one or the other rather than both. My goal here is to put all the configuration steps I followed into one article and share them with you.

Add Amazon Web Services from gallery

  1. Add Amazon Web Services from the Azure Portal: click Azure Active Directory (Azure AD) and add a new AWS application under Enterprise Applications. (The AWS application is available from the gallery.)

Configure Azure AD Single sign-on

  1. In the Azure portal, on the Amazon Web Services (AWS) application integration page, select Single sign-on.
  2. In the Select a single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
  3. Basic SAML Configuration dialog: all the necessary settings are pre-configured and the required URLs are already pre-populated by Azure. Just click the Save button to save the configuration.

Note: any additional IdP instance for a different AWS account needs an identifier value of the form https://signin.aws.amazon.com/saml# followed by a unique SAN value in Basic SAML Configuration, for example:

https://signin.aws.amazon.com/saml#2

  4. Add the following AWS-specific claims under User Attributes.

  5. In the SAML Signing Certificate section, click Download to download the Federation Metadata XML and save it on your computer.

Configure Amazon Web Services (AWS) for SSO

  1. In a different browser window, sign in to your Amazon Web Services (AWS) account. Your IAM user needs Admin access for this; otherwise sign in to the AWS account as the root user.
  2. Go to IAM service and click Identity Providers to create a new provider.

  3. On the Configure Provider dialog page, perform the following steps:

  • Select SAML as the provider type.
  • Type a Provider Name (e.g. WAAD).
  • Upload the Federation Metadata XML downloaded previously as the Metadata Document.
  • Click Next Step, verify the provider details and click Create.

  4. Create AWS IAM roles for AD users. Create as many IAM roles as required, using the following key steps:

  • Select SAML 2.0 federation under Select type of trusted entity while creating a new IAM role.
  • Under the Choose a SAML 2.0 Provider section, select the SAML provider you created previously (e.g. WAAD).

Create an IAM role and a user for Azure AD User Provisioning

For Azure AD to discover all the federated IAM roles, it needs an IAM user with permission to list the roles in the IAM service.

  1. Create a new IAM policy (e.g. AzureAD_SSOUserRole_Policy) from the IAM service with the following JSON as the policy document:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:ListRoles"
          ],
          "Resource": "*"
        }
      ]
    }

  2. Create an IAM user (e.g. AzureADRoleManager) and attach the policy created in the previous step.

As a security best practice, select the Programmatic access option when creating the Azure AD provisioning user.

  3. Review the user details and click Create to create the user. Download the credentials file and close the dialog box.

Configuring Azure AD provisioning

  1. Navigate to the User Provisioning section of the Amazon Web Services app in the Azure AD management portal.
  2. Enter the access key and secret of the Azure AD provisioning user in the Client Secret and Secret Token fields respectively, and test the connection by clicking the Test Connection button.
  3. Finally, set provisioning to On and save the settings.

Getting temporary credentials for a federated user to use AWS CLI

Once you provide Azure AD SSO login to the AWS console, there is no easy built-in way to log in on the command line or use the AWS CLI with the same identity. Luckily there is an open-source tool named aws-azure-login which does both easily.

It lets you use the normal Azure AD login (including MFA) from a command line to create a federated AWS session and places the temporary credentials in the proper place for the AWS CLI and SDKs.

The tool is available for Windows, Linux, and Mac platforms and one can easily follow the step-by-step readme file provided on the tool’s GitHub repository.

  1. Configure the tool. For this, you need the Azure tenant ID and the App ID URI:

aws-azure-login --configure

To configure a named profile, use the following command:

aws-azure-login --configure --profile foo

  2. To log in, enter the following command and follow the prompts to enter the username, password, and verification code if MFA is enabled:

aws-azure-login

To log in with default values you can set the following environment variables:

AZURE_TENANT_ID
AZURE_APP_ID_URI
AZURE_DEFAULT_USERNAME
AZURE_DEFAULT_PASSWORD
AZURE_DEFAULT_ROLE_ARN
AZURE_DEFAULT_DURATION_HOURS

and then log in using the following command:

aws-azure-login --no-prompt

To log in to a named profile:

aws-azure-login --profile foo
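As an added example (not code from the original article or from the aws-azure-login project), the following Python shows what a federation client has to do with the AWS-specific claims configured in step 4 of the SSO setup before it can call STS AssumeRoleWithSAML: pull the Role/provider ARN pairs, the RoleSessionName and the SessionDuration out of the assertion, validate the Role format that commonly breaks console and CLI login, and build the STS call parameters. The account id, role names and the assertion itself are constructed placeholders; only the provider name WAAD follows the article.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
ATTR_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ATTR_DURATION = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed sample assertion (not a real Azure AD response); account id and role names are placeholders.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111122223333:role/AzureAD-Admin,arn:aws:iam::111122223333:saml-provider/WAAD</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/WAAD,arn:aws:iam::111122223333:role/AzureAD-ReadOnly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def parse_aws_attributes(assertion_xml):
    """Extract the AWS role pairs, RoleSessionName and SessionDuration from an assertion."""
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values[attr.get("Name")] = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    roles = []
    for pair in values.get(ATTR_ROLE, []):
        parts = [p.strip() for p in pair.split(",")]
        if len(parts) != 2 or sum(":saml-provider/" in p for p in parts) != 1:
            raise ValueError("Role value must be 'role_arn,provider_arn': %r" % pair)
        # IdPs emit the two ARNs in either order; normalise to (role, provider).
        roles.append(tuple(sorted(parts, key=lambda arn: ":saml-provider/" in arn)))
    return {"roles": roles, "session_name": values.get(ATTR_SESSION_NAME, [None])[0],
            "duration": int(values.get(ATTR_DURATION, ["3600"])[0])}

def build_assume_role_params(attrs, role_arn, saml_response_b64):
    """Arguments for sts.assume_role_with_saml() for one role offered in the assertion."""
    providers = dict(attrs["roles"])
    if role_arn not in providers:
        raise ValueError("Role %s is not offered by this assertion" % role_arn)
    # STS accepts DurationSeconds only within 900..43200 (and the role's MaxSessionDuration).
    duration = min(max(attrs["duration"], 900), 43200)
    return {"RoleArn": role_arn, "PrincipalArn": providers[role_arn],
            "SAMLAssertion": saml_response_b64, "DurationSeconds": duration}
```

The returned dictionary can be passed directly as keyword arguments to boto3's sts.assume_role_with_saml(), whose SAMLAssertion parameter is the base64-encoded SAMLResponse posted by Azure AD.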
