Skip to main content

Use NetID Authentication with the AWS CLI

Command line access to Northwestern-owned Amazon Web Services accounts should only be done via a federated, NetID-based and MFA-protected IAM role. IAM user credentials should not be used for console access. This document outlines the process of authenticating the AWS Command Line Interface (CLI) to use a NetID-based federated login role.


You must already have done the following:

  1. Set up Multi-Factor Authentication and made sure your Duo settings default to “Duo Push” or “Call Me”.
  2. Ensured your NetID is in the ADS security group that controls access to the IAM role you wish to access.
  3. Installed the AWS CLI on your workstation.

1. Install the aws-adfs Tool

The aws-adfs tool is the recommended method of authenticating via Northwestern’s identity systems. Namely, it uses the Active Directory Federation Services (ADFS) servers maintained by Northwestern IT.

The recommended method of installation is via the pipx tool, which will automatically install a Python application into an isolated environment:

$ python3 -m pip install --upgrade --user pipx # Homebrew users can install with `brew install pipx`
$ pipx ensurepath
$ pipx install aws-adfs

Alternatively, follow the directions on the aws-adfs GitHub project page to install system-wide or in a virtualenv.

Note: You may need to install some system libraries for this installation to succeed, notably libkrb5-dev (Ubuntu) or krb5-devel (RHEL/CentOS).

2. Configure the AWS CLI

Ensure that your ~/.aws/config contains a “Named Profile” for each role you will be accessing. The only configuration item required is region. For example, assuming we have access to two roles, one for development and one for production, we could name the profiles “dev” and “prod” in our ~/.aws/config file:

[profile dev]
region: us-east-2

[profile prod]
region: us-east-2

3. Authenticate with your NetID

To authenticate and use a role for AWS CLI access, use commands such as below, substituting in the appropriate profile name:

$ export AWS_PROFILE=<profile>
$ aws-adfs login --adfs-host --profile <profile>

When prompted, enter your NetID as ads\<NetID> and enter your password. If prompted to choose a role, enter the number of the role you wish to use.

You can now use the AWS CLI as that role. After 4 hours you will need to re-authenticate.

Note: You can be authenticated for multiple roles at once, and switch between them using the AWS_PROFILE environment variable or the --profile argument to the aws command.