Assume AWS SAML Role for the API or AWS CLI

How to assume an AWS SAML Role for the API or AWS CLI using ADFS and MFA authentication.


The SecureMFA PowerShell module command “Get-sMFA-AWS-Assume_SAML_Role” allows you to assume AWS Role(s) from a SAML assertion.

Prerequisites


https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html

https://www.securemfa.com/downloads/mfa-otp

https://FQDN/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices


Deployment Steps

1) Deploy the latest “SecureMFA” PowerShell module from the Microsoft PSGallery using the PS command below:

Install-Module -Name SecureMFA -Scope AllUsers -Repository PSGallery

2) Update FQDN for "aws_sts_saml_endpoint" in SecureMFA_SupportTools.json to reflect your ADFS service hostname.

3) Run the PS command below. The command will assume the available user roles from the AWS STS SAML endpoint and configure the 'sMFA-SAML' profile in the /.aws/credentials file with aws_access_key_id and aws_secret_access_key.

Get-sMFA-AWS-Assume_SAML_Role -AWS_ProfileName sMFA-SAML
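The three deployment steps above, carried out end to end in one script and followed by a check that the profile was really written. This is an added example, not code from the SecureMFA project; it assumes that SecureMFA_SupportTools.json sits in the module's base folder (the page does not state its location), that the value of aws_sts_saml_endpoint is either a URL containing the ADFS hostname or a bare hostname, and that the AWS CLI is installed for the final STS check. $AdfsFqdn, $ProfileName and Get-AwsCredentialProfile are names chosen for this example.

```powershell
# Added example (not part of the SecureMFA module): run the three deployment steps
# and verify the result. Paths and parameter names below are assumptions.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string] $AdfsFqdn,   # your ADFS service hostname, e.g. adfs.example.invalid (placeholder)
    [string] $ProfileName = 'sMFA-SAML'
)

# Step 1: install the module from PSGallery for all users if it is not present yet.
if (-not (Get-Module -ListAvailable -Name SecureMFA)) {
    Install-Module -Name SecureMFA -Scope AllUsers -Repository PSGallery -Force
}
Import-Module -Name SecureMFA

# Step 2: update the FQDN in aws_sts_saml_endpoint.
# Assumption: SecureMFA_SupportTools.json lives in the module base folder.
$moduleBase = (Get-Module -ListAvailable -Name SecureMFA |
               Sort-Object Version -Descending | Select-Object -First 1).ModuleBase
$configPath = Join-Path $moduleBase 'SecureMFA_SupportTools.json'
if (-not (Test-Path $configPath)) {
    throw "SecureMFA_SupportTools.json not found under $moduleBase; set `$configPath to its real location"
}

$config = Get-Content -Path $configPath -Raw | ConvertFrom-Json
if (-not $config.PSObject.Properties['aws_sts_saml_endpoint']) {
    throw "aws_sts_saml_endpoint key missing in $configPath"
}
$current = [string] $config.aws_sts_saml_endpoint
if ($current -match '^(https?://)[^/]+') {
    # Value is a URL: swap only the host part and keep the path/query intact.
    $config.aws_sts_saml_endpoint = $current -replace '^(https?://)[^/]+', "`$1$AdfsFqdn"
} else {
    # Value is a bare hostname (or empty): replace it outright.
    $config.aws_sts_saml_endpoint = $AdfsFqdn
}
# -Depth 10 avoids ConvertTo-Json truncating nested objects at its default depth of 2.
$config | ConvertTo-Json -Depth 10 | Set-Content -Path $configPath -Encoding UTF8

# Step 3: authenticate through ADFS (MFA is enforced there) and write the profile.
Get-sMFA-AWS-Assume_SAML_Role -AWS_ProfileName $ProfileName

# Verification: parse the INI-style credentials file and return the keys of one profile.
function Get-AwsCredentialProfile {
    param([string] $Path, [string] $Name)
    $section = $null
    $keys = @{}
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq $Name -and $t -match '^([^=\s]+)\s*=\s*(.*)$') {
            $keys[$Matches[1]] = $Matches[2]
        }
    }
    return $keys
}

$credFile = Join-Path $HOME '.aws\credentials'
$keys = Get-AwsCredentialProfile -Path $credFile -Name $ProfileName
foreach ($required in 'aws_access_key_id', 'aws_secret_access_key') {
    if (-not $keys.ContainsKey($required)) {
        throw "Profile '$ProfileName' in $credFile is missing $required"
    }
}
# STS role credentials are temporary and the CLI also needs the session token;
# report whether one was written so an expired or incomplete profile is noticed early.
if ($keys.ContainsKey('aws_session_token')) {
    Write-Host "Profile '$ProfileName' written with a session token (temporary STS credentials)."
} else {
    Write-Warning "Profile '$ProfileName' has no aws_session_token; check the module output before using it."
}

# Confirm that STS accepts the credentials and show which role was actually assumed.
if (Get-Command -Name aws -ErrorAction SilentlyContinue) {
    aws sts get-caller-identity --profile $ProfileName
}
```

Run it as `.\Deploy-SmfaSamlProfile.ps1 -AdfsFqdn adfs.example.invalid` from an elevated PowerShell session (Install-Module -Scope AllUsers needs administrator rights). The get-caller-identity call is the quickest way to see the role ARN behind the new profile, and re-running the script after the temporary credentials expire refreshes them.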

Deployment Video

The video shows how to assume an AWS SAML Role for the API or AWS CLI using ADFS and MFA authentication. It uses the SecureMFA PowerShell module downloaded from the Microsoft PowerShell Gallery. ADFS MFA authentication for users is enforced with the free provider version (limited to 24 users), which can be downloaded from www.securemfa.com. The module allows you to assume AWS Role(s) from a SAML assertion and configure an AWS profile in the /.aws/credentials file with aws_access_key_id and aws_secret_access_key, to be used by CLI or API calls.