This integrates the AWS IAM Identity Center with the Azure AD as a SSO solution.
This will use terraform to configure the AWS IAM Identity Center and the Azure AD services as described in the Tutorial: Azure AD SSO integration with AWS IAM Identity Center.
It creates the Azure AD Users, Application, Application Roles, and Enterprise Application (aka Service Principal) that are used to log in to AWS.
It creates the corresponding AWS Identity Center Users, Groups, and Permission Sets that are used to log in to AWS.
You can test this in the Azure AD of a Microsoft 365 E5 instant sandbox and in the AWS Free Tier.
Be aware that this does not configure Automatic User Provisioning. It creates the users in both directories: Azure AD and AWS Identity Center.
Be aware that the AWS IAM Identity Center can only be connected with a single Azure AD. For more information see the FAQ: Can I connect more than one identity source to IAM Identity Center?.
Be aware of the AWS IAM Identity Center User Guide Troubleshooting section, especially the Error 'An unexpected error has occurred' when a user tries to sign in using an external identity provider.
Be aware that although AWS Single Sign-On was renamed to AWS IAM Identity Center, the sso and identitystore API namespaces (and terraform names) continue to retain their original name for backward compatibility purposes. For more information, see IAM Identity Center rename.
Create an Azure account.
Create an AWS account, choose a region, and then just enable the IAM Identity Center (this will also enable the AWS Organizations service).
Install the required tools:
Log in to Azure:

```bash
az login --allow-no-subscriptions
```

NB If you are using the Microsoft 365 E5 instant sandbox, you should log in as its administrator.
Ensure the expected account is set as default:

```bash
az account show
az account list
az account set --subscription=<tenantId or id>
az account show
```
Configure the AWS CLI to use an IAM access key (key id and secret) to access AWS:

```bash
# set the account credentials.
# NB get these from your aws account iam console.
# see Managing access keys (console) at
# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey
export AWS_ACCESS_KEY_ID='TODO'
export AWS_SECRET_ACCESS_KEY='TODO'
# set the default region.
export AWS_DEFAULT_REGION='eu-west-1'
# show the user, user amazon resource name (arn), and the account id.
aws sts get-caller-identity
```
Initialize terraform:

```bash
make terraform-init
```

Launch the example:

```bash
make terraform-plan
make terraform-apply
```
Open the AWS Identity Center page and:

1. Open the `Dashboard` page.
2. Configure the `External service provider`:
   1. Click the `Choose your identity source` link.
   2. In the `Identity source` tab, click the `Actions` button, and choose `Change identity source`.
   3. Choose `External service provider`.
   4. Click the `Next` button.
   5. In the `Service provider metadata` section:
      1. Copy the `IAM Identity Center Assertion Consumer Service (ACS) URL` and paste it into the `aws_saml_acs` variable value inside the `aws-permissions.tf` file.
      2. Copy the `IAM Identity Center issuer URL` and paste it into the `aws_saml_entity_id` variable value inside the `aws-permissions.tf` file.
      3. Run `make terraform-plan` and review the plan.
      4. Run `make terraform-apply` and wait for it to finish.
      5. Export the Azure AD IdP metadata with `terraform output -raw saml_metadata_document >azure-ad-idp-saml-metadata.xml`.
   6. In the `Identity provider metadata`, `IdP SAML metadata` section:
      1. Click the `Choose file` button, and upload the `azure-ad-idp-saml-metadata.xml` file created in the previous step.
   7. Click `Next`.
   8. Click `Change identity source`.
3. Show the AWS access portal URL (aka SSO start URL):

```bash
terraform output -raw aws_access_portal_url
```
Open the AWS access portal URL in a web browser, and log in with the Alice credentials:

```bash
terraform output -raw alice_email
terraform output -raw alice_password
```

Open a new shell session, and configure the AWS CLI to use an SSO generated token to access AWS as Alice:

```bash
aws configure sso
```
The questions, answers, and output will look something like:

```text
SSO session name (Recommended): cli
SSO start URL [None]: https://d-0000000000.awsapps.com/start
SSO region [None]: eu-west-1
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.eu-west-1.amazonaws.com/

Then enter the code:

0000-0000
The only AWS account available to you is: 00000000
Using the account ID 00000000
There are 2 roles available to you.
Using the role name "Readers"
CLI default client Region [None]:
CLI default output format [None]:
CLI profile name [Readers-00000000]: Alice-Readers

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile Alice-Readers
```
Use the profile, and show the user, user amazon resource name (arn), and the account id:

```bash
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
export AWS_PROFILE='Alice-Readers'
aws sts get-caller-identity
```

This should show something like:

```json
{
  "UserId": "000000000000000000000:[email protected]",
  "Account": "00000000",
  "Arn": "arn:aws:sts::00000000:assumed-role/AWSReservedSSO_Readers_0000000000000000/[email protected]"
}
```
After you are done testing as Alice, logout, and exit the shell:

```bash
aws sso logout
exit
```

When you later need to login again, you can skip the `aws configure sso` step, and use `aws sso login` as:

```bash
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
export AWS_PROFILE='Alice-Readers'
aws sso login
aws sts get-caller-identity
```
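Both the first test as Alice and every later `aws sso login` end with `aws sts get-caller-identity`, and the `unset` that precedes them matters: the AWS CLI prefers static credentials in `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` over the profile named in `AWS_PROFILE`, so leaving them set silently runs the "Alice" test with the terraform user's keys. The following added example (not part of this project) turns the visual check into an assertion: it flags shadowing static-key variables and parses the `get-caller-identity` JSON to confirm the session is an Identity Center role for the expected permission set. The embedded samples are constructed, with placeholder account and role ids.

```python
"""Confirm the AWS CLI is acting through an IAM Identity Center permission set
rather than static access keys (added example, not part of the project's code).

Assumption: `classify_caller` receives the JSON printed by `aws sts get-caller-identity`."""
import json
import os
import re
import subprocess

# Role names minted by Identity Center are AWSReservedSSO_<PermissionSet>_<16 hex chars>;
# permission set names may themselves contain underscores, so the hex suffix anchors the split.
SSO_ROLE_ARN_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"AWSReservedSSO_(?P<permission_set>.+)_[0-9a-f]{16}/(?P<subject>[^/]+)$"
)
STATIC_KEY_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Constructed samples of `aws sts get-caller-identity` output; all ids are placeholders.
SAMPLE_SSO_IDENTITY = json.dumps({
    "UserId": "AROAEXAMPLEPLACEHOLDER:alice@example.com",
    "Account": "000000000000",
    "Arn": "arn:aws:sts::000000000000:assumed-role/AWSReservedSSO_Readers_0000000000000000/alice@example.com",
})
SAMPLE_STATIC_KEY_IDENTITY = json.dumps({
    "UserId": "AIDAEXAMPLEPLACEHOLDER",
    "Account": "000000000000",
    "Arn": "arn:aws:iam::000000000000:user/terraform",
})


def shadowing_static_keys(env):
    """Return the static-credential variables set in `env`. The AWS CLI prefers these
    over the profile in AWS_PROFILE, which is why they are unset before testing as Alice."""
    return [name for name in STATIC_KEY_VARS if env.get(name)]


def classify_caller(identity_json, expected_account=None, expected_permission_set=None):
    """Parse get-caller-identity output and report whether it is an Identity Center session.
    Raises ValueError when an expectation is given and not met."""
    identity = json.loads(identity_json)
    arn = identity["Arn"]
    match = SSO_ROLE_ARN_RE.match(arn)
    if match is None:
        if expected_permission_set is not None:
            raise ValueError("not an Identity Center session: %s" % arn)
        return {"sso": False, "arn": arn, "account": identity["Account"]}
    result = {
        "sso": True,
        "arn": arn,
        "account": match.group("account"),
        "permission_set": match.group("permission_set"),
        "subject": match.group("subject"),
    }
    if expected_account is not None and result["account"] != expected_account:
        raise ValueError("account %s, expected %s" % (result["account"], expected_account))
    if expected_permission_set is not None and result["permission_set"] != expected_permission_set:
        raise ValueError("permission set %s, expected %s"
                         % (result["permission_set"], expected_permission_set))
    return result


if __name__ == "__main__":
    leaks = shadowing_static_keys(os.environ)
    if leaks:
        raise SystemExit("unset %s before testing the SSO profile" % " ".join(leaks))
    # Assumption: AWS CLI v2 is installed and AWS_PROFILE points at the SSO profile.
    output = subprocess.check_output(["aws", "sts", "get-caller-identity"])
    print(classify_caller(output, expected_permission_set="Readers"))
```

Run it in the Alice shell after `aws sso login`; a static-key ARN of the form `arn:aws:iam::…:user/…`, or a permission set other than `Readers`, is reported as an error instead of scrolling past as JSON.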
After you are done testing, and are ready to destroy everything, return to the original shell, the one that is using the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables, and destroy everything:

```bash
make terraform-destroy
```