Command line access to Northwestern-owned Amazon Web Services accounts should only be done via a federated, NetID-based and MFA-protected IAM role. IAM user credentials should not be used for console access. This document outlines the process of authenticating the AWS Command Line Interface (CLI) to use a NetID-based federated login role.
You must already have done the following:
- Set up Multi-Factor Authentication and made sure your Duo settings default to “Duo Push” or “Call Me”.
- Ensured your NetID is in the ADS security group that controls access to the IAM role you wish to access.
- Installed the AWS CLI on your workstation.
1. Install the aws-adfs tool
aws-adfs is the recommended method of authenticating via Northwestern's identity systems. Namely, it uses the Active Directory Federation Services (ADFS) servers maintained by Northwestern IT.
The recommended method of installation is via the pipx tool, which will automatically install a Python application into an isolated environment:
$ python3 -m pip install --upgrade --user pipx   # Homebrew users can install with `brew install pipx`
$ pipx ensurepath
$ pipx install aws-adfs
Alternatively, follow the directions on the aws-adfs GitHub project page to install system-wide or in a virtualenv.
Note: You may need to install some system libraries for this installation to succeed, notably libkrb5-dev (Ubuntu) or krb5-devel (RHEL/CentOS).
2. Configure the AWS CLI
Ensure that your ~/.aws/config contains a "Named Profile" for each role you will be accessing. The only configuration item required is region. For example, assuming we have access to two roles, one for development and one for production, we could name the profiles "dev" and "prod" in our config file:
[profile dev]
region = us-east-2

[profile prod]
region = us-east-2
3. Authenticate with your NetID
To authenticate and use a role for AWS CLI access, use commands such as below, substituting in the appropriate profile name:
$ export AWS_PROFILE=<profile>
$ aws-adfs login --adfs-host ads-fed.northwestern.edu --profile <profile>
When prompted, enter your NetID as ads\<NetID> and enter your password. If prompted to choose a role, enter the number of the role you wish to use.
You can now use the AWS CLI as that role. After 4 hours you will need to re-authenticate.
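The following shell helper is an added example, not code from the original page or from the aws-adfs project: it ties steps 2 and 3 together by checking that each named profile in the config file actually has a region, then running the aws-adfs login shown above and asking STS which role the CLI ended up with. The function names and the script name are assumptions; the ADFS host and commands are the ones given on this page.

```shell
#!/bin/sh
# Added example (not from the original page or the aws-adfs project): check that
# named profiles have a region, log in via aws-adfs, then confirm the role via STS.
set -eu

# Print the region of a [profile NAME] section in an INI-style AWS config file.
# Accepts "region = x" and "region: x"; prints nothing and returns 1 if the
# profile or its region is missing (the [default] section is not considered).
profile_region() {
  config="$1"; profile="$2"
  awk -v want="[profile $profile]" '
    $0 == want { in_section = 1; next }
    /^\[/      { in_section = 0 }
    in_section && /^[ \t]*region[ \t]*[=:]/ {
      sub(/^[ \t]*region[ \t]*[=:][ \t]*/, ""); sub(/[ \t]+$/, "")
      print; found = 1; exit
    }
    END { if (!found) exit 1 }' "$config"
}

# Fail unless every profile named on the command line has a region set, so a
# typo in a profile name is caught before the Duo push is triggered.
check_profiles() {
  config="$1"; shift; status=0
  for p in "$@"; do
    if region=$(profile_region "$config" "$p"); then
      echo "profile '$p': region $region"
    else
      echo "profile '$p': missing from $config or has no region" >&2; status=1
    fi
  done
  return "$status"
}

# Log in to the role behind a profile with your NetID (entered as ads\<NetID>)
# through the ADFS host from the page, then print the assumed-role ARN that STS
# reports for that profile; it should name the role you expected to get.
login_and_verify() {
  aws-adfs login --adfs-host ads-fed.northwestern.edu --profile "$1"
  aws sts get-caller-identity --profile "$1" --query Arn --output text
}

# Usage: sh aws-netid-login.sh login dev   (script name is hypothetical)
if [ "${1:-}" = "login" ]; then
  check_profiles "$HOME/.aws/config" "${2:?profile name required}"
  login_and_verify "$2"
fi
```

The STS check is the useful part: the ARN it prints tells you which role the 4-hour session actually belongs to, which is worth confirming before running anything against production.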
Note: You can be authenticated for multiple roles at once, and switch between them using the AWS_PROFILE environment variable or the --profile argument to the