Set up the SAML link between Azure AD and AWS
The following is taken from https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial but has been cut down to just the relevant bits and steps rearranged into a more logical order.
- Log in to Azure - https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId
- Click New Application
- Search for 'aws single account access', click the tile and click 'Create'.
- Once it has finished creating the application, click the Properties tab on the left. Change the name to reflect the account ID that you are connecting to, for example 'AWS Prod Account ID123456789'.
- Select 'Single sign-on' from the left menu and choose 'SAML'. Select 'No, I'll save later' at the prompt that appears.
- Edit the 'Basic SAML Configuration' section. The Entity ID must be unique: if this is your first SSO link to AWS you can use the defaults, but if you are setting up multiple accounts you must append a hash and the next available number. All configured accounts are listed at the bottom. Click 'Save' and close the section once it is populated.
- Edit the 'SAML Signing Certificate' section. Click 'New Certificate'. In the Notification Email Addresses section, remove any email addresses that are auto-populated and add the address that should receive expiry notifications. Click 'Save'. Click the 3 dots next to the thumbprint of the certificate you've just made (the one with the latest expiration date). Click 'Download federated certificate XML' and save it to your computer (you'll need this later). Click the 3 dots again and click 'Make certificate active'. Click 'Save' and close the window.
- Open the AWS Management Console and log into the account you are setting up with SSO.
- Search for the IAM service and open it. Click 'Identity providers' then 'Add provider'. Leave SAML selected. Enter AzureAD as the provider name. Click 'Choose file' under 'Metadata document' and select the XML file downloaded previously. Click 'Add provider' at the bottom.
- Open 'Roles' in the left menu and click 'Create Role'. Click 'SAML 2.0 federation' along the top. In the SAML provider dropdown, select AzureAD. Tick 'Allow programmatic and AWS Management Console access', then click 'Next: Permissions'. Select the permissions required for the role you are creating. You can repeat this step and create as many roles as required to map to your 365 groups/users. Click 'Next: Tags' then 'Next: Review'. Give the role a meaningful name that describes the AWS account and the purpose of the role within it, for example Dev-Admin. In the role description box, briefly describe what this role is for, for example 'Azure AD mapping for admin role'. Click 'Create role'.
- Open 'Policies' in the left menu and click 'Create Policy'. Click the JSON tab. Replace the contents with the following:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:ListRoles"
                ],
                "Resource": "*"
            }
        ]
    }
- Click 'Next: Tags', then 'Next: Review'. In the Name field, enter AzureAD_SSOUserRole_Policy. For Description, enter 'This policy will allow to fetch the roles from AWS accounts'. Click 'Create Policy'.
- Open 'Users' in the left menu and click 'Add user'. Enter the user name as AzureADRoleManager. Select 'Programmatic access'. Click 'Next: Permissions'. Select 'Attach existing policies directly' at the top. In the filter box, search for the newly created policy AzureAD_SSOUserRole_Policy and select it. Click 'Next: Tags', 'Next: Review', then 'Create user'. Copy the Access key ID and Secret access key somewhere safe; the secret access key is only shown once, at creation.
- Go back to the Azure portal. Click 'Provisioning' within the app you made earlier. Click 'Get started'. Change the Provisioning Mode to Automatic. In the 'clientsecret' box, enter the Access key ID. In the 'Secret Token' box, enter the Secret access key. Click Test Connection to make sure it works. Click Save and close the window.
- Go to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps and select 'All applications'. Click on the application you have just added. Click 'App roles' on the left. Click 'Create app role'. Give it a relevant name, for example 'Admins'. Under 'Allowed member types' select Users/Groups. In the Value field, enter the name of the role you created in AWS IAM earlier (for example Dev-Admin). Give it a relevant description, for example 'Grants users the Dev-Admin role'.
- Click 'Users and groups' on the left-hand menu, then click 'Add user/group'. Select the user/group you want to give access to; try to stick to 365 groups such as 'AWS Admins'. Under 'Select a role', choose the app role you created above, making sure it is the one that corresponds to the role name in AWS, for example Dev-Admin. Click 'Assign'. If you don't see your role in here, allow up to 40 minutes for it to resync.
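An added check (example code, not from the Microsoft tutorial or from AWS) that can be run over the output of the iam:ListRoles call the AzureADRoleManager user is allowed to make: it reports every role whose trust policy names the AzureAD provider, which is what both Azure AD's role fetch and a saml2aws role_arn depend on, and flags any role that lacks the SAML:aud audience condition the 'Allow programmatic and AWS Management Console access' option writes into the trust policy. The account number, role names and policy documents below are constructed placeholders.

```python
"""Audit trust policies of the SAML roles created in the IAM steps above. Input is shaped like
the 'Roles' list from iam:ListRoles (the call AzureAD_SSOUserRole_Policy permits); only roles
that trust the AzureAD provider are usable from Azure AD or saml2aws. Sample data is constructed."""
import json
from urllib.parse import quote, unquote

ACCOUNT = "123456789012"  # placeholder account number
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/AzureAD"
CONSOLE_AUD = "https://signin.aws.amazon.com/saml"  # audience the console-access wizard pins

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_saml_roles(roles, provider_arn=PROVIDER_ARN):
    """Map role name -> {'arn', 'aud_checked'} for every role that trusts provider_arn."""
    result = {}
    for role in roles:
        doc = role["AssumeRolePolicyDocument"]
        if isinstance(doc, str):  # the raw IAM API returns the document URL-encoded
            doc = json.loads(unquote(doc))
        for stmt in _as_list(doc.get("Statement", [])):
            principal = stmt.get("Principal", {})
            federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
            if stmt.get("Effect") != "Allow" or provider_arn not in federated:
                continue
            if "sts:AssumeRoleWithSAML" not in _as_list(stmt.get("Action", [])):
                continue
            aud = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud", []))
            result[role["RoleName"]] = {"arn": role["Arn"], "aud_checked": CONSOLE_AUD in aud}
    return result
def _trust(provider, with_aud=True):
    # Trust policy the 'SAML 2.0 federation' wizard writes; with_aud=False mimics a hand-edited one.
    stmt = {"Effect": "Allow", "Principal": {"Federated": provider}, "Action": "sts:AssumeRoleWithSAML"}
    if with_aud:
        stmt["Condition"] = {"StringEquals": {"SAML:aud": CONSOLE_AUD}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Constructed ListRoles-style output: two SAML roles and one ordinary EC2 service role.
SAMPLE_ROLES = [
    {"RoleName": "Dev-Admin", "Arn": f"arn:aws:iam::{ACCOUNT}:role/Dev-Admin",
     "AssumeRolePolicyDocument": quote(json.dumps(_trust(PROVIDER_ARN)))},
    {"RoleName": "Dev-ReadOnly", "Arn": f"arn:aws:iam::{ACCOUNT}:role/Dev-ReadOnly",
     "AssumeRolePolicyDocument": _trust(PROVIDER_ARN, with_aud=False)},
    {"RoleName": "ec2-app", "Arn": f"arn:aws:iam::{ACCOUNT}:role/ec2-app",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}},
]
if __name__ == "__main__":
    print(json.dumps(audit_saml_roles(SAMPLE_ROLES), indent=2))
```

The 'arn' values it prints are what goes into the role_arn line of the .saml2aws profiles described in the CLI Access section.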
CLI Access
The following is taken from https://github.com/Versent/saml2aws and https://github.com/Versent/saml2aws/blob/master/doc/provider/aad/README.md
Create the file .saml2aws in your home directory (for example with vi ~/.saml2aws) and insert the contents below into it:
[prod]
name = default
app_id = the application id in Azure
url = https://account.activedirectory.windowsazure.com
username = youremail@address.com
provider = AzureAD
mfa = Auto
skip_verify = false
timeout = 0
aws_urn = urn:amazon:webservices
aws_session_duration = 3600
aws_profile = prod
resource_id =
subdomain =
role_arn = arn:aws:iam::accountnumber:role/rolename
region = eu-west-1
http_attempts_count =
http_retry_delay =
credentials_file =
saml_cache = false
saml_cache_file =
target_url =
disable_remember_device = false
disable_sessions = false
[dev]
name = default
app_id = the application id in Azure
url = https://account.activedirectory.windowsazure.com
username = youremail@address.com
provider = AzureAD
mfa = Auto
skip_verify = false
timeout = 0
aws_urn = urn:amazon:webservices
aws_session_duration = 3600
aws_profile = dev
resource_id =
subdomain =
role_arn = arn:aws:iam::accountnumber:role/rolename
region = eu-west-1
http_attempts_count =
http_retry_delay =
credentials_file =
saml_cache = false
saml_cache_file =
target_url =
disable_remember_device = false
disable_sessions = false
You can then open a terminal and run saml2aws login -a prod or saml2aws login -a dev. This prompts for your AD password (and MFA, if your account requires it) and then saves a set of cached credentials for CLI access. You can then run CLI commands in this format: aws --profile prod ec2 describe-instances or aws --profile dev ec2 describe-instances. The cached credentials are valid for the aws_session_duration set above (3600 seconds), after which you run saml2aws login again.
You can set up additional profiles in the .saml2aws file by copying the examples above and changing the app_id, aws_profile and role_arn. These values must match the Application ID in Azure, carry a unique aws_profile value that describes the account, and use a role_arn that matches the role name in Azure/AWS.
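An added lint (example code, not part of saml2aws) that enforces the rules in the paragraph above on a .saml2aws file before you run saml2aws login: provider is AzureAD, app_id is a real Azure application id rather than the template placeholder, aws_profile is unique and non-empty, role_arn is a well-formed IAM role ARN, and skip_verify has not been switched on. The sample file is constructed from the template above, with a placeholder app id and account number.

```python
"""Lint a .saml2aws file against the rules above (real Azure app_id, unique aws_profile, well-formed
role_arn). Added example, not part of saml2aws; the sample file is constructed from the template."""
import configparser
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
# Azure application (client) ids are GUIDs; anything else is a placeholder left in the file.
APP_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def lint_saml2aws(text):
    """Return a list of (profile, problem) tuples; an empty list means the file passes."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings, seen = [], {}
    for section in cfg.sections():
        p = cfg[section]
        if p.get("provider") != "AzureAD":
            findings.append((section, "provider must be AzureAD"))
        if not APP_ID_RE.match(p.get("app_id", "")):
            findings.append((section, "app_id is not an Azure application id"))
        if not ROLE_ARN_RE.match(p.get("role_arn", "")):
            findings.append((section, "role_arn is not a valid IAM role ARN"))
        if p.get("skip_verify", "false").lower() != "false":
            findings.append((section, "skip_verify=true disables TLS verification of the IdP"))
        profile = p.get("aws_profile", "")
        if not profile:
            findings.append((section, "aws_profile is empty"))
        elif profile in seen:
            findings.append((section, f"aws_profile '{profile}' already used by [{seen[profile]}]"))
        else:
            seen[profile] = section
    return findings

# Constructed sample: [prod] is filled in; [dev] was copied from [prod] without being edited.
SAMPLE_CONFIG = """[prod]
app_id = 11111111-2222-3333-4444-555555555555
provider = AzureAD
aws_profile = prod
role_arn = arn:aws:iam::123456789012:role/Prod-Admin
[dev]
app_id = the application id in Azure
provider = AzureAD
aws_profile = prod
role_arn = arn:aws:iam::accountnumber:role/rolename
"""

if __name__ == "__main__":
    for profile, problem in lint_saml2aws(SAMPLE_CONFIG):
        print(f"[{profile}] {problem}")
```

Point it at your real file with lint_saml2aws(open(os.path.expanduser("~/.saml2aws")).read()) after importing os.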