Assume AWS SAML Role for the API or AWS CLI
How to assume AWS SAML Role for the API or AWS CLI using ADFS and MFA authentication.
The SecureMFA PowerShell module command “Get-sMFA-AWS-Assume_SAML_Role” assumes one or more AWS roles from a SAML assertion.
Prerequisites
Access to the AWS Management Console is configured for your Active Directory users through SAML federation, as detailed in the following article:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
The ADFS service enforces MFA during user authentication. A free version of MFA for ADFS can be configured using the “SecureMFA OTP Provider”:
https://www.securemfa.com/downloads/mfa-otp
Users must be able to log in to the AWS console with their SAML roles through the AWS relying party from a browser:
https://FQDN/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
Deployment Steps
1) Install the latest “SecureMFA” PowerShell module from the Microsoft PSGallery with the PowerShell command below:
Install-Module -Name SecureMFA -Scope AllUsers -Repository PSGallery
2) Update the FQDN for "aws_sts_saml_endpoint" in SecureMFA_SupportTools.json to reflect your ADFS service hostname.
3) Run the PowerShell command below. It assumes the available user roles from the AWS STS SAML endpoint and configures an 'sMFA-SAML' profile in the .aws/credentials file (under the user's home directory) with aws_access_key_id and aws_secret_access_key:
Get-sMFA-AWS-Assume_SAML_Role -AWS_ProfileName sMFA-SAML
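To show what such a command does behind the scenes, here is an added Python example (it is not SecureMFA's code): it parses the AWS Role attribute out of a SAML assertion that ADFS has already issued after the user's MFA login, exchanges the chosen role for temporary keys with STS AssumeRoleWithSAML, and writes them as a named profile in the credentials file. The assertion, account id and role names are constructed samples, and the STS client is assumed to be a boto3 client.

```python
import base64
import configparser
import xml.etree.ElementTree as ET
from pathlib import Path

# Attribute AWS reads from the assertion; each value is "role_arn,principal_arn" (either order).
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_roles(assertion_b64):
    """Return (role_arn, principal_arn) pairs from a base64-encoded SAML assertion."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    pairs = []
    for attr in root.iter(f"{{{NS['saml']}}}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2 or not any(":role/" in p for p in parts):
                raise ValueError(f"malformed Role attribute value: {value.text!r}")
            role, principal = parts if ":role/" in parts[0] else parts[::-1]
            pairs.append((role, principal))
    if not pairs:
        raise ValueError("assertion carries no AWS Role attribute")
    return pairs

def assume_role_with_saml(sts_client, role_arn, principal_arn, assertion_b64, duration=3600):
    """Exchange the assertion for temporary keys (boto3 STS client API; no long-lived keys)."""
    resp = sts_client.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=principal_arn,
                                            SAMLAssertion=assertion_b64, DurationSeconds=duration)
    return resp["Credentials"]

def write_profile(path, profile, creds):
    """Create or replace [profile] in an AWS credentials file without touching other profiles."""
    cfg = configparser.RawConfigParser()
    cfg.read(path)
    # STS also returns a session token; the CLI/SDK needs it alongside the key pair.
    cfg[profile] = {"aws_access_key_id": creds["AccessKeyId"],
                    "aws_secret_access_key": creds["SecretAccessKey"],
                    "aws_session_token": creds["SessionToken"]}
    Path(path).parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    return dict(cfg[profile])

# Constructed sample assertion (not a real ADFS response); only the Role attribute is modelled.
SAMPLE_XML = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement><saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
  <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
  <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-ReadOnly</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
SAMPLE_ASSERTION = base64.b64encode(SAMPLE_XML).decode()
```

In real use the assertion comes from the ADFS SAML response returned after the MFA login, and `sts_client` is `boto3.client("sts")`; the written profile is then selected with `--profile` on the AWS CLI.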
Deployment Video
The video shows how to assume an AWS SAML role for the API or AWS CLI using ADFS and MFA authentication. It uses the SecureMFA PowerShell module downloaded from the Microsoft PowerShell Gallery. ADFS MFA authentication for users is enforced with the free provider version (which is limited to 24 users) that can be downloaded from www.securemfa.com. The module assumes AWS role(s) from the SAML assertion and configures an AWS profile in the .aws/credentials file with aws_access_key_id and aws_secret_access_key for use by CLI or API calls.