ELI5: AWS CLI and SSO

2

I like to use the AWS PowerShell and CLI tools from my workstation for quick ad-hoc activities. I have these configured to use an IAM account I created for myself that has API keys.

In this modern world of "SSO for all the things", I'd like to understand my best route to change to using my existing SSO account (via Azure AD w/ MFA) for command line activities instead. Is there an AWS native solution?

  • For those confused, "ELI5" means "Explain Like I'm 5". :-)

4 Answers
4

Take a look at the aws configure sso command for the AWS CLI v2. This command can set up named profiles for IAM roles that you have access to.

AWS
Matt
answered 3 years ago
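An added example, not part of the original answers: a read-only audit that sorts local profiles into long-lived IAM user keys (the setup the question describes), temporary keys, and SSO profiles of the kind `aws configure sso` writes. The sample file contents, profile names and start URL are constructed; the AKIA and ASIA prefixes are the ones AWS uses for long-term and temporary access key IDs.

```python
import configparser

# Constructed sample input (placeholder values, not real credentials):
# one legacy IAM-user profile and one SSO-backed named profile.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAXXXXXXXXXXXXXXXX
aws_secret_access_key = CONSTRUCTED-PLACEHOLDER
"""
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile dev-admin]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111122223333
sso_role_name = ReadOnly
"""

def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def classify_profiles(credentials_text, config_text):
    """Map profile name -> 'static-key', 'temporary-key', 'sso' or 'other'."""
    result = {}
    config = _parse(config_text)
    for section in config.sections():
        if section.startswith("sso-session "):
            continue  # shared SSO session block, not a profile
        name = section[len("profile "):] if section.startswith("profile ") else section
        opts = config[section]
        is_sso = "sso_session" in opts or "sso_start_url" in opts
        result[name] = "sso" if is_sso else "other"
    creds = _parse(credentials_text)
    for name in creds.sections():
        key_id = creds[name].get("aws_access_key_id", "")
        if not key_id:
            continue
        # A key stored on disk is the finding, whatever else the profile has.
        temporary = "aws_session_token" in creds[name] or key_id.startswith("ASIA")
        result[name] = "temporary-key" if temporary else "static-key"
    return result

if __name__ == "__main__":
    for name, kind in sorted(classify_profiles(SAMPLE_CREDENTIALS, SAMPLE_CONFIG).items()):
        print(f"{name}: {kind}")
```

To audit a workstation, pass the contents of `~/.aws/credentials` and `~/.aws/config` instead of the samples; profiles reported as `static-key` are the ones to retire once the SSO profile works.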
0

AWS SSO can be used with your IdP of choice. Here is a good lab which describes how to set it up with Azure AD. AWS SSO will manage short term rotation of API Access and Secret key along with a session token.

AWS
answered 3 years ago
  • You may have missed the "ELI5" and "CLI" portions of my question?

    I do, of course, use SSO every day for console access. This question, to be painfully clear, is about CLI though.

  • AWS SSO gives your role both console and CLI access. You can just copy / paste your access, secret, & session keys from the AWS SSO sign-in page. Alternatively, this doc may help you set up the CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

0

Hello Eli5, an AWS native solution would be for you to enable AWS SSO and integrate it with your Azure AD [https://docs.aws.amazon.com/singlesignon/latest/userguide/azure-ad-idp.html]. Once this is done, you can authenticate to the AWS SSO console (using your Azure AD creds) and then select the Command Line from the dashboard and get the temp credentials for CLI access. Without AWS SSO, you may want to use third-party tools such as: https://blog.migrationking.com/2020/09/how-to-login-to-aws-using-cli-with.html https://github.com/sportradar/aws-azure-login

answered 3 years ago
0

Hi, for sure you have to check out the aws configure sso command of the AWS CLI.

My point is that, seeing how AWS manages the SSO directory in a plain text file inside the ~/.aws/ folder, as posted here, I prefer to manage these credentials with an open-source tool: Leapp

Btw, with Leapp I can also manage multiple AWS Single-Sign-On accesses at the same time, and it manages Azure credentials too.

answered 3 years ago
