Tags: amazon-web-services, aws-cli, federated-identity

Can AWS CLI be used with a federated login?


I log in to AWS with my Active Directory account in my company. We are using federated login, as described here:

Federated Users and Roles

Federated users don't have permanent identities in your AWS account the way that IAM users do. To assign permissions to federated users, you can create an entity referred to as a role and define permissions for the role. When a federated user signs in to AWS, the user is associated with the role and is granted the permissions that are defined in the role. For more information, see Creating a Role for a Third-Party Identity Provider (Federation).

My company has a Security Token Service (STS) which is a SAML provider.

I can use that to log in to the AWS Management Console, but can I log in to the AWS CLI as well with my federated login?


Solution

  • Yes, it is possible; however, it's not straightforward. There is a rather long blog post in the AWS Security Blog explaining how to use the CLI as a SAML-federated user: https://aws.amazon.com/de/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/
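The mechanism behind that blog post is the STS `AssumeRoleWithSAML` call: the IdP's SAML assertion names one or more role/provider ARN pairs, the CLI exchanges the assertion for temporary credentials, and those credentials (including the session token) are written to a named profile. The script below is an added example illustrating that exchange; it is not the blog post's script and not AWS code. It assumes the `aws` CLI is installed, that the caller already holds the base64-encoded `SAMLResponse` returned by the IdP after signing in (obtaining it from AD FS is what the blog post covers), and the account ID `123456789012`, the role names and the provider name `ADFS` in the embedded sample assertion are constructed for the demo.

```python
"""Turn a SAML assertion into AWS CLI temporary credentials (added example, not AWS's code)."""
import base64
import configparser
import io
import json
import os
import subprocess
import sys
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


def parse_saml_roles(assertion_b64):
    """Return (role_arn, principal_arn) pairs listed in the assertion's Role attribute.

    Each AttributeValue is "arn,arn"; AD FS may emit role-first or provider-first,
    so the two halves are classified by ARN type rather than by position.
    """
    root = ET.fromstring(base64.b64decode(assertion_b64))
    pairs = []
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter("{%s}AttributeValue" % SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            roles = [p for p in parts if ":role/" in p]
            providers = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
                raise ValueError("malformed Role attribute value: %r" % value.text)
            pairs.append((roles[0], providers[0]))
    if not pairs:
        raise ValueError("assertion carries no AWS Role attribute; check the IdP claim rules")
    return pairs


def assume_role_command(role_arn, principal_arn, assertion_b64, duration=3600):
    """argv for the CLI call that exchanges the assertion for temporary credentials."""
    return ["aws", "sts", "assume-role-with-saml",
            "--role-arn", role_arn,
            "--principal-arn", principal_arn,
            "--saml-assertion", assertion_b64,
            "--duration-seconds", str(duration),
            "--output", "json"]


def assume_role(role_arn, principal_arn, assertion_b64, duration=3600):
    """Run the STS exchange and return the Credentials dict (needs network + aws CLI)."""
    proc = subprocess.run(assume_role_command(role_arn, principal_arn, assertion_b64, duration),
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)["Credentials"]


def write_profile(credentials_ini, profile, creds):
    """Return the credentials file text with `profile` set to the temporary keys.

    aws_session_token is mandatory: an STS key pair without it is rejected.
    Other profiles in the file are left untouched.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_ini)
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


# Constructed sample assertion (account ID, role and provider names are made up).
SAMPLE_ASSERTION_B64 = base64.b64encode(("""<saml2:Assertion xmlns:saml2="%s" ID="_example" Version="2.0">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="%s">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/Developer,arn:aws:iam::123456789012:saml-provider/ADFS</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ReadOnly</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>""" % (SAML_NS, ROLE_ATTR)).encode()).decode()


if __name__ == "__main__":
    # Usage: paste the base64 SAMLResponse on stdin; credentials land in profile "saml".
    assertion = sys.stdin.read().strip()
    roles = parse_saml_roles(assertion)
    for i, (role_arn, _) in enumerate(roles):
        print(i, role_arn)
    role_arn, principal_arn = roles[int(input("role index: "))]
    creds = assume_role(role_arn, principal_arn, assertion)
    path = os.path.expanduser("~/.aws/credentials")
    existing = open(path).read() if os.path.exists(path) else ""
    with open(path, "w") as fh:
        fh.write(write_profile(existing, "saml", creds))
    print("credentials valid until", creds["Expiration"], "- use: aws --profile saml ...")
```

Afterwards `aws --profile saml sts get-caller-identity` should show the assumed role; when the session expires (one hour by default), the exchange has to be repeated with a fresh assertion, which is why the blog post wraps the whole thing, IdP sign-in included, in one script.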