{"id":1343,"date":"2019-04-18T15:53:57","date_gmt":"2019-04-18T20:53:57","guid":{"rendered":"http:\/\/blog.ls-al.com\/?p=1343"},"modified":"2019-04-18T15:53:59","modified_gmt":"2019-04-18T20:53:59","slug":"azure-ad-sso-login-to-aws-cli","status":"publish","type":"post","link":"https:\/\/blog.ls-al.com\/azure-ad-sso-login-to-aws-cli\/","title":{"rendered":"Azure AD SSO Login to AWS CLI"},"content":{"rendered":"\n<p>Note out of scope here is setting up the services itself.  This article is about using a Node application to login to Azure on a client and then being able to use the AWS CLI.  Specifically this information applied to a Linux desktop. <\/p>\n\n\n\n<p>Setting up the services are documented here: https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/saas-apps\/amazon-web-service-tutorial<\/p>\n\n\n\n<p>We are following this tutorial https:\/\/github.com\/dtjohnson\/aws-azure-login and focussed on one account having an administrative role and then switching to different accounts which allows the original role to administer resources.<\/p>\n\n\n\n<p><strong>Linux Lite 4.4 OS Setup<\/strong><\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n# cat \/etc\/issue\nLinux Lite 4.2 LTS \\n \\l\n# apt install nodejs npm\n# npm install -g aws-azure-login --unsafe-perm\n# chmod -R go+rx $(npm root -g)\n# apt install awscli \n<\/pre><\/div>\n\n\n<p><strong>Configure Named Profile (First Time)<\/strong><\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n$ aws-azure-login --profile awsaccount1 --configure\nConfiguring profile \u2018awsaccount1\u2019\n? Azure Tenant ID: domain1.com\n? Azure App ID URI: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\n? Default Username: myaccount@domain1.com\n? Default Role ARN (if multiple): \narn:aws:iam::xxxxxxxxxxxx:role\/awsaccount1-Admin-Role\n? Default Session Duration Hours (up to 12): 12\nProfile saved.\n<\/pre><\/div>\n\n\n<p><strong>Login with Named Profile<\/strong><\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n$ aws-azure-login --profile awsaccount1\nLogging in with profile \u2018awsaccount1\u2019...\n? Username: myaccount1@mydomain1.com\n? Password: &#x5B;hidden]\nWe texted your phone +X XXXXXXXXXX. Please enter the code to sign in.\n? Verification Code: 213194\n? Role: arn:aws:iam::xxxxxxxxxxxx:role\/awsaccount1-Admin-Role\n? Session Duration Hours (up to 12): 12\nAssuming role arn:aws:iam::xxxxxxxxxxxx:role\/awsaccount1-Admin-Role\n<\/pre><\/div>\n\n\n<p><strong>Update Credentials File For Different Accounts to Switch Roles To<\/strong><\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n$ cat .aws\/credentials \n&#x5B;awsaccount2]\nregion=us-east-1\nrole_arn=arn:aws:iam::xxxxxxxxxxxx:role\/awsaccount1-Admin\nsource_profile=awsaccount1\n\n&#x5B;awsaccount3]\nregion=us-east-1\nrole_arn=arn:aws:iam::xxxxxxxxxxxx:role\/awsaccount1-Admin\nsource_profile=awsaccount1\n\n&#x5B;awsaccount1]\naws_access_key_id=XXXXXXXXXXXXXXXXXXXX\naws_secret_access_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\naws_session_token=&quot;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==&quot;\naws_session_expiration=2019-04-18T10:22:06.000Z\n<\/pre><\/div>\n\n\n<p><strong>Test Access<\/strong><\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n$\u00a0aws iam list-account-aliases --profile awsaccount2\n{\n    &quot;AccountAliases&quot;: &#x5B;\n        &quot;awsaccount2&quot;\n    ]\n}\n$\u00a0aws iam list-account-aliases --profile awsaccount3\n{\n    &quot;AccountAliases&quot;: &#x5B;\n        &quot;awsaccount3&quot;\n    ]\n}\n<\/pre><\/div>\n\n\n<p>So next time just login with the named profile awsaccount1 and you have AWS CLI to the other accounts.  Note you will need to make sure ARN's and roles etc are 100% accurate.  It gets a bit confusing.<\/p>\n\n\n\n<p class=\"has-text-color has-vivid-red-color\">Also this is informational and you carry your own risks of accessing the wrong account.<br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Note out of scope here is setting up the services itself. This article is about using a Node application to<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1343","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/1343","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/comments?post=1343"}],"version-history":[{"count":0,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/1343\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/media?parent=1343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/categories?post=1343"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/tags?post=1343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}