awssaml 1.0.0

Security Assertion Markup Language (SAML) for Amazon.

Purpose

Access to the AWS Management Console and AWS API for my Active Directory users using federation (AD FS 2). Use Keyring tool for store password.

Main features

• Support AD FS 2 and AD FS 4
• Allow to login to AWS Console
• ALlow to generate AWS Access Key

Usage

Requirements

• Linux (tested on Ubuntu 19.04+) or Windows (tested on 10)
• Python 3 - latest version 3.x
• Python 2 backward compatible
• on Windows, pycrypto require Microsoft Visual C++ Build Tools

Installation

pip3 install awssaml

Configuration file

All configuration is stored in ~/.aws/config file.

Basic configuration

[samlapi]
identity_url = https://adfs.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
region = eu-west-1
adfs_connection = ntlm

Advanced samlapi configuration

Use different ADFS connection methods

• ntlm - Use NTLM authentication (default)
• web_form - Use web form authentication

Set default username

[samlapi]
#...
username = [SAML User]

Default session duration

Setup 12 hours (it's 43200 seconds):

[samlapi]
#...
session_duration = 43200

Advanced profile configuration

You can setup custom profiles to reuse. Sample configuration entry for profile:

[profile nonprod-application1]
role_arn = arn:aws:iam::[ID]:role/[role]
principal_arn = arn:aws:iam::[ID]:saml-provider/[provider]
source_profile = nonprod
session_duration = 43200

Usage:

> awssaml api nonprod-application1
> awssaml console nonprod-application1

Reference

• How to Implement Federated API
• How to grant my Active Directory users access to the API or AWS CLI with AD FS?