Using SAML on AWS from the CLI

Hey folks, I just wanted to write up a quick post about how I’m using SAML to login to the AWS CLI at work. There is plenty of content out there for how to configure access to the AWS console so I’m not going to talk about that. Instead, I will focus on how to use SAML for command line access using the AWS CLI tools. Specifically, how to get it working with Azure MFA and some of the issues I have run into along the way.

First, you can access the fully working sample at https://github.com/asagage/aws-saml-cli. Please feel free to fork, PR raise issues etc.

This code is based off the blog post here https://aws.amazon.com/blogs/security/how-to-implement-a-general-solution-for-federated-apicli-access-using-saml-2-0/ but was tweaked to work with Azure MFA.

By using this tool, now you can simply type `saml` at the mac command prompt, enter your username and password, authenticate on your MFA authenticator, then choose which SAML role to assume. The script will save your sts token into your shell for immediate use and store the credentials in your aws config profile under the “saml” profile for use up to one hour later.

When trying to follow the guide above, I ran into issues where the flow was a bit different since we were using Azure MFA in addition to ADFS. After a lot of trial and effort, I found the right parameters and syntax to get the requests fired off and to get a valid SAML response.

One issue we had was there was a different UI experience in Azure MFA if a user had a phone number set in the directory or not. So if you are seeing odd issues where the flow is different for different users, check the phone number field in Active directory.

Also please be aware that the max duration these credentials can be used is 1 hour due to a limit on the AssumeRoleWithSAML API call. Although you can extend this timeout with simple MFA on an IAM user, you can not extend this when assuming a SAML role.

Leave a Reply

Your email address will not be published. Required fields are marked *