ELI5: AWS CLI and SSO

2

I like to use the AWS PowerShell and CLI tools from my workstation for quick ad-hoc activities. I have these configured to use an IAM account I created for myself that has API keys.

In this modern world of "SSO for all the things", I'd like to understand my best route to change to using my existing SSO account (via Azure AD w/ MFA) for command line activities instead. Is there an AWS native solution?

  • For those confused, "ELI5" means "Explain Like I'm 5". :-)

4 Answers
4

Take a look at the aws configure sso command for the AWS CLI v2. This command can set up named profiles for IAM roles that you have access to.

AWS
Matt
answered 3 years ago
0

AWS SSO can be used with your IdP of choice. Here is a good lab which describes how to set it up with Azure AD. AWS SSO will manage short term rotation of API Access and Secret key along with a session token.

AWS
answered 3 years ago
  • You may have missed the "ELI5" and "CLI" portions of my question?

    I do, of course, use SSO every day for console access. This question, to be painfully clear, is about CLI though.

  • AWS SSO gives your role both console and CLI access. You can just copy / paste your access, secret, & session keys from the AWS SSO sign-in page. Alternatively, this doc may help you set up the CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

0

Hello Eli5, an AWS native solution would be for you to enable AWS SSO and integrate it with your Azure AD [https://docs.aws.amazon.com/singlesignon/latest/userguide/azure-ad-idp.html]. Once this is done, you can authenticate to the AWS SSO console (using your Azure AD creds) and then select the Command Line from the dashboard and get the temp credentials for CLI access. Without AWS SSO, you may want to use third-party tools such as: https://blog.migrationking.com/2020/09/how-to-login-to-aws-using-cli-with.html https://github.com/sportradar/aws-azure-login

answered 3 years ago
0

Hi, for sure you have to check out the aws configure sso command of the AWS CLI.

My point is that, seeing how AWS manages the sso directory in a plain text file inside the ~/.aws/ folder, as posted here, I prefer to manage these credentials with an open-source tool: Leapp.

Btw, with Leapp I can also manage multiple AWS Single-Sign-On access at the same time, and at the same time, it manages Azure credentials too.

answered 3 years ago
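An added example, not part of any answer above and not AWS or Leapp code: a local audit a workstation owner can run while moving from IAM user API keys to `aws configure sso` profiles. It assumes the usual AWS CLI v2 layout (`~/.aws/credentials`, `~/.aws/config`, JSON token files in `~/.aws/sso/cache/`); the function name and finding labels are hypothetical.

```python
import configparser
import json
from pathlib import Path


def audit_aws_dir(aws_dir):
    """Return (finding, name) tuples for an AWS CLI config directory."""
    aws_dir = Path(aws_dir)
    findings = []

    # Long-lived IAM user keys start with AKIA and carry no session token;
    # these are the profiles to retire once SSO profiles work.
    creds = configparser.ConfigParser(interpolation=None)
    creds.read(aws_dir / "credentials")
    for profile in creds.sections():
        key_id = creds[profile].get("aws_access_key_id", "")
        if key_id.startswith("AKIA") and "aws_session_token" not in creds[profile]:
            findings.append(("static-key", profile))

    # Profiles written by `aws configure sso` reference an SSO start URL
    # directly or through a named sso-session block.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(aws_dir / "config")
    for section in cfg.sections():
        if section.startswith("sso-session"):
            continue
        if "sso_start_url" in cfg[section] or "sso_session" in cfg[section]:
            name = section[len("profile "):] if section.startswith("profile ") else section
            findings.append(("sso-profile", name))

    # Cached SSO access tokens are plain JSON on disk; flag any file that
    # group or other users can read, write or execute.
    for path in sorted((aws_dir / "sso" / "cache").glob("*.json")):
        try:
            data = json.loads(path.read_text())
        except (OSError, ValueError):
            continue
        if "accessToken" in data and path.stat().st_mode & 0o077:
            findings.append(("token-cache-perms", path.name))
    return findings


if __name__ == "__main__":
    for finding, name in audit_aws_dir(Path.home() / ".aws"):
        print(f"{finding}: {name}")
```

A `static-key` finding alongside a working `sso-profile` is the signal that the old IAM user key can be deactivated and removed from the credentials file.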
