Many of us use an AWS IAM access key to drive the CLI. However, it is not very difficult to implement SSO if you are already using a directory such as Azure AD: the user signs in through the directory, assumes an IAM role, and is granted access to AWS resources through that role instead of through a long-lived key.
I had enabled Azure AD SSO to the AWS console, which is simply brilliant. This makes user access so seamless that you do not need to worry whether your ex-employees still have AWS access, because their access lives with the directory account rather than with credentials stored on their machines.
With a click of a button you can enable or disable AWS access. I followed these instructions to enable AWS access:
We have been using the AWS API and CLI extensively for our project needs. Creating an IAM user just to use the AWS CLI defeats the purpose of AWS SSO; we can instead create multiple roles and assign users to them. There are a few documents I could find, but the easiest was the one pointed out by the AWS Support Team:
PLEASE NOTE: THIS TOOL WORKS ONLY WITH NODE.JS VERSION 7.4 AND ABOVE.
You will need a couple of things to configure your AWS access with this tool: the Tenant ID and the Application ID URI. The Tenant ID is the unique GUID of your Active Directory, and the App ID URI identifies your application within the tenant. I thought these would be easy to find in Azure, but unfortunately they are not. In the absence of clear-cut documentation, I struggled a little to locate this information. The Azure UI is becoming more and more complex, and I think they should add an indexed search for finding any setting.
Anyway, here is how I found these attributes:
Here are the steps to get the Tenant ID:
1) Log in to the Azure portal (portal.azure.com).
2) Open ‘Azure Active Directory’ by clicking its link in the left panel.
3) Click ‘Properties’ in the ‘Azure Active Directory’ window. The value shown as Directory ID is the Tenant ID.
App ID URI
Azure gives you two different routes to an application's details. The first is Enterprise Applications -> All Applications -> -> Properties, and the second is App Registrations -> -> Settings -> Properties. Interestingly, the former does not show the ‘Application ID URI’; you need to follow the latter path to find it.
Once this is done, you need to set up an AWS profile for the CLI. Here are the commands:
$ aws configure --profile <>
$ aws-azure-login --configure --profile <>
This creates a named profile. You also have the option to create a default profile instead, in which case you do not need to specify a profile.
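The following script is an added example, not code from the post or from the aws-azure-login project. It wraps the three things a practitioner wants to check once the profile above exists: that Node.js meets the 7.4 minimum the tool needs, that the named profile in ~/.aws/config actually carries the Azure settings the configure step writes, and, after logging in, that the CLI identity is a role session (an `assumed-role` STS ARN) rather than a long-lived IAM user. The config key names `azure_tenant_id` and `azure_app_id_uri` are assumed to be what `aws-azure-login --configure` writes; verify them against your installed version. The `--run` flag and the function names are mine.

```shell
#!/bin/sh
# Added example: sanity checks around an aws-azure-login named profile.
# Assumption: aws-azure-login --configure writes azure_tenant_id and
# azure_app_id_uri under [profile NAME] in ~/.aws/config.

# Returns 0 if a "vX.Y.Z" string (as printed by `node --version`) is 7.4 or newer.
node_version_ok() {
    ver=${1#v}
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 4 ]; }
}

# Returns 0 if the [profile NAME] section of config file $1 contains
# both azure_tenant_id and azure_app_id_uri (other sections are ignored).
profile_has_azure_settings() {
    cfg=$1
    name=$2
    section=$(awk -v want="[profile $name]" '
        /^\[/ { inside = ($0 == want); next }
        inside { print }
    ' "$cfg")
    printf '%s\n' "$section" | grep -q '^azure_tenant_id *=' &&
    printf '%s\n' "$section" | grep -q '^azure_app_id_uri *='
}

# Returns 0 if a caller-identity ARN is an STS role session, which is what
# federated SSO should yield; an IAM user ARN means a long-lived key is in use.
is_assumed_role_arn() {
    case $1 in
        arn:aws:sts::*:assumed-role/*) return 0 ;;
        *) return 1 ;;
    esac
}

# End-to-end run against a real profile: sh check_profile.sh --run <profile>
run_checks() {
    profile=$1
    node_version_ok "$(node --version)" ||
        { echo "Node.js 7.4 or newer is required" >&2; return 1; }
    profile_has_azure_settings "$HOME/.aws/config" "$profile" ||
        { echo "profile '$profile' is not configured for aws-azure-login" >&2; return 1; }
    aws-azure-login --profile "$profile" || return 1
    arn=$(aws sts get-caller-identity --profile "$profile" --query Arn --output text)
    is_assumed_role_arn "$arn" ||
        { echo "unexpected identity (not a role session): $arn" >&2; return 1; }
    echo "ok: $arn"
}

if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    run_checks "$2"
fi
```

Run it as `sh check_profile.sh --run <profile>` after the two configure commands; the identity check is the useful one, since a profile that still resolves to `arn:aws:iam::...:user/...` means the CLI is bypassing SSO with a static key.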
That's all. You can start using the AWS CLI through this access mechanism. It is simple, but the information is scattered all over. Please do not hesitate to reach out if you get stuck anywhere.
And yes, do not forget to run the ‘aws’ command with the --profile option if you created a named profile.