If your organization uses Azure Active Directory to provide SSO login to the AWS console, then there is no easy way to log in on the command line or to use the AWS CLI. This tool fixes that. It lets you use the normal Azure AD login (including MFA) from a command line to create a federated AWS session and places the temporary credentials in the proper place for the AWS CLI and SDKs.
- Does not publish to only to docker hub.Not to npm packages.
- Alpine image with latest pupteer is used for security fixes and small image
- Launch script have flags for
debugandlatestimage.
- aws cli must be installed. For running aws commands.
- A local Docker: https://docs.docker.com/install/
Install the command ( a wrapper that runs a dockerized command) in a folder in your path. It could be /usr/local/bin as shown below:
sudo curl -o /usr/local/bin/aws-azure-login https://raw.githubusercontent.com/searchmetrics/aws-azure-login/master/docker-launch-alpine.sh
sudo chmod o+x /usr/local/bin/aws-azure-loginThis script is basically a wrapper for running Docker image has been built with aws-azure-login preinstalled. You can also simply run the command with a volume mounted to your AWS configuration directory.
docker run --rm -it -v ~/.aws:/root/.aws searchmetrics/aws-azure-loginThe Docker image is configured with an entrypoint so you can just feed any arguments in at the end.
A configuration file is shared internaly to simplify the configuration. This file should be saved as ~/.aws/config.
You will also need our company AZURE_TENANT_ID and your AZURE_APP_ID which is associated to your AWS Account. You can find both listed in the link List of Azure App Ids.
To configure the default profile run:
aws-azure-login --configureTo configure an AWS named profile run:
aws-azure-login --configure --profile sanThis will create the profile san in ~/.aws/config.. Answer the questions similar to the example:
[profile dev]
azure_tenant_id=290fcf70-c0bd-4d9c-ab8e-a93624630763
azure_app_id_uri=09d3ae02-996c-4445-9911-5cd6e31ee9ce #for sandbox, will change per app
[email protected]
azure_default_role_arn=o365-developer # desired role
azure_default_duration_hours=3 # may also need to be increased for role in IAM consoleWe also suggests opening ~/.aws/config and adding
[profile san]
...
region=eu-west-1 Once aws-azure-login is configured, you can log in. For the default profile, just run:
aws-azure-loginYou will be prompted for your username and password. If MFA is required you'll also be prompted for a verification code or mobile device approval. To log in with a named profile:
aws-azure-login --profile sanOnce you log in you can use the AWS CLI or SDKs as usual!
Test with something like
aws --profle=san s3 ls