
AWS CLI v2 sso login acknowledgement #256

Open
gchamon opened this issue Nov 21, 2022 · 5 comments

Comments

@gchamon

gchamon commented Nov 21, 2022

Hey there. Long time aws-azure-login user! Thanks for this project, as this has been an integral part of my local management stack for developers using AWS resources.

However, with AWS CLI v2, there is now a way for users to log in using SSO which is native to the command line client. This project's README says that there is no easy way to log in using the AWS CLI if you use SSO, and although that is still true for users with IAM Identity Provider federation, this isn't the case anymore for AWS IAM Identity Center SSO.

Maybe it would be interesting to acknowledge this fact and have the project suggest its use for legacy purposes. I think this is the most responsible way to go forward, as it is most advisable to use native solutions that are maintained by the cloud provider whenever possible.

@MohamedAsan
Collaborator

Hi @gchamon,

It would be great if you could provide a link to the doc(s) for the approach you have mentioned. I would like to try that out for my org.

@gchamon
Author

gchamon commented Nov 22, 2022

@MohamedAsan you have to set up AWS IAM Identity Center with external IdP federation over SAML.

Your IdP, however, must implement SCIM in order for it to provision the required groups and users, mirroring your IdP.

After you set up an external IdP in AWS Identity Center, a secret will be generated, which is used with the SCIM endpoint for automatic provisioning.

After that, you set up permission sets and associate the provisioned users/groups to your AWS accounts using those permission sets.

The TL;DR: https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html

It is also interesting to read the key concepts: https://docs.aws.amazon.com/singlesignon/latest/userguide/understanding-key-concepts.html

A list of officially supported IdPs (those tested by AWS and which have corresponding tutorials on how to integrate them with AWS): https://docs.aws.amazon.com/singlesignon/latest/userguide/supported-idps.html

SCIM is an open standard, however. You could even use Keycloak, for instance, with a SCIM plugin, and in theory it should work.

Example for Azure AD: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/aws-single-sign-on-provisioning-tutorial

How to set up automatic provisioning and what it is: https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html

Actually logging in with the AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

It is a tad bit more convoluted than setting up a basic identity provider using SAML in IAM and then using the tenant and app credentials to authenticate using this project. It is, however, the official way AWS supports SSO login for the AWS CLI, and I think this is the recommended way.
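The last step of the procedure above, the AWS CLI side, comes down to an `sso-session` section plus a profile that points at it in `~/.aws/config`, followed by `aws sso login`. The script below is an added example and is not code from this issue or from the aws-azure-login project: it writes such a profile and checks that it is complete before you hand it to the CLI. The start URL, region, account id and permission set name are constructed placeholders; `write_sso_profile` and `check_sso_profile` are helper names chosen here, not AWS CLI commands.

```shell
#!/bin/sh
# Added example (not from the issue thread or the aws-azure-login project).
# Writes an AWS CLI v2 profile in the sso-session format that the linked
# cli-configure-sso doc describes, then validates it. All values passed in the
# demo at the bottom are constructed placeholders.

# write_sso_profile CONFIG PROFILE SESSION START_URL IDC_REGION ACCOUNT_ID ROLE
write_sso_profile() {
    cfg="$1"
    cat >>"$cfg" <<EOF

[sso-session $3]
sso_start_url = $4
sso_region = $5
sso_registration_scopes = sso:account:access

[profile $2]
sso_session = $3
sso_account_id = $6
sso_role_name = $7
region = $5
output = json
EOF
}

# Print the body of one [profile NAME] section (up to the next section header).
profile_body() {
    sed -n "/^\[profile $2\]/,/^\[/p" "$1"
}

# check_sso_profile CONFIG PROFILE
# Returns 0 when the profile names an sso-session that exists in the file and
# carries a 12-digit account id and a non-empty role (permission set) name;
# any of these missing is what makes `aws sso login` or the later API calls
# fail with an unhelpful error, so catch it before logging in.
check_sso_profile() {
    cfg="$1"; profile="$2"
    session=$(profile_body "$cfg" "$profile" | sed -n 's/^sso_session *= *//p')
    [ -n "$session" ] || return 1
    grep -q "^\[sso-session $session\]" "$cfg" || return 1
    profile_body "$cfg" "$profile" | grep -q '^sso_account_id *= *[0-9]\{12\}$' || return 1
    profile_body "$cfg" "$profile" | grep -q '^sso_role_name *= *.' || return 1
    return 0
}

# Demo against a temporary file so the real ~/.aws/config is untouched.
demo=$(mktemp)
write_sso_profile "$demo" dev my-sso \
    https://example.awsapps.com/start us-east-1 123456789012 ReadOnlyAccess
if check_sso_profile "$demo" dev; then
    echo "profile 'dev' in $demo is complete"
fi
rm -f "$demo"

# For real use, write to the CLI's config file and then log in:
#   write_sso_profile "$HOME/.aws/config" dev my-sso <start-url> <region> <account-id> <permission-set>
#   aws sso login --profile dev
#   aws sts get-caller-identity --profile dev
```

`aws sso login` opens the browser device-authorization flow against the Identity Center start URL and caches a short-lived token under `~/.aws/sso/cache`; the `sso_account_id` / `sso_role_name` pair on the profile selects which permission set the CLI exchanges that token for. Because the token and the resulting credentials are temporary, there is no long-lived access key to leak from a developer machine, which is the main security argument for preferring this over static credentials.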

@MohamedAsan
Collaborator

@gchamon Thanks a lot 👍

@realtimerick

Some customers are too big and don't want to change. So your solution still helps me a lot!

@gchamon
Author

gchamon commented Dec 1, 2022

@realtimerick I am not sure I understand your comment. You mean customers that use aws-azure-login and are unable to switch to SSO via Identity Center? If this is the case, I never said the project should be tossed aside. This project is perfect for customers using identity providers, but it should not recommend its use for new customers, since there is an officially supported way to log in using SSO in the AWS CLI.
