Purpose

Access to the AWS Management Console and AWS API for my Active Directory users using federation (AD FS 2). Use Keyring tool for store password.

Main features

• Support AD FS 2 and AD FS 4
• Allow to login to AWS Console
• ALlow to generate AWS Access Key

Usage

Requirements

• Linux (tested on Ubuntu 19.04+) or Windows (tested on 10)
• Python 3 - latest version 3.x
• Python 2 backward compatible
• on Windows, pycrypto require Microsoft Visual C++ Build Tools

Installation

pip3 install awssaml

Configuration file

All configuration is stored in ~/.aws/config file.

Basic configuration

[samlapi]
identity_url = https://adfs.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
region = eu-west-1
adfs_connection = ntlm

Advanced samlapi configuration

Use different ADFS connection methods

• ntlm - Use NTLM authentication (default)
• web_form - Use web form authentication

Set default username

[samlapi]
#...
username = [SAML User]

Default session duration

Setup 12 hours (it's 43200 seconds):

[samlapi]
#...
session_duration = 43200

Advanced profile configuration

You can setup custom profiles to reuse. Sample configuration entry for profile:

[profile nonprod-application1]
role_arn = arn:aws:iam::[ID]:role/[role]
principal_arn = arn:aws:iam::[ID]:saml-provider/[provider]
source_profile = nonprod
session_duration = 43200

Usage:

> awssaml api nonprod-application1
> awssaml console nonprod-application1

Reference

• How to Implement Federated API
• How to grant my Active Directory users access to the API or AWS CLI with AD FS?