Tag Archives: IAM

How to combine Azure AD SSO with AWS programmatic access ?

Since we both use Azure AD (Office365 / LDAP) for the companies user management and AWS for our hosting we already enabled federation between these cloud providers. This works perfectly by assuming an IAM Role through the Azure AD credentials and have console access through single-sing-on.

However to use the AWS CLI a user would need programmatic access and it’s access and secret keys. Luckily for us there is an excellent open-source project for that called aws-azure-login. And since it’s on npm very easy to run on Mac, Linux and Windows.

What do we need ?

  • install the package as mentioned: npm install -g aws-azure-login (or not global if you fancy that)
  • you will need your Azure Tenant ID which the Azure administrator can supply ( Azure AD -> Properties -> Directory ID )
  • and the Azure Application ID and again the Azure administrator ( Enterprise Applications -> Amazon Web Services -> Properties -> Application ID )
  • you might want to know the AWS IAM Role max session duration to prevent some trial on error which your AWS administrator can supply (default is 1 hour)

First we will create an Azure profile:

jvzoggel$ aws-azure-login --configure --profile rubix
Configuring profile 'rubix'
? Azure Tenant ID: some-guid-you-will-need-part-1
? Azure App ID URI: some-guid-you-will-need-part-2
? Default Username:
? Default Role ARN (if multiple):
? Default Session Duration Hours (up to 12): 2

The max session duration on the AWS IAM Role is the last parameter, if you enter a to high value you will receive an error but only after the next step login. So ask first, or trial on error.

Then we actually login on Azure:

jvzoggel$ aws-azure-login --profile rubix --no-prompt
Logging in with profile 'rubix'...
? Password: [hidden]
Please type in the code displayed on your authenticator app from your device
? Verification Code: 424242
Assuming role arn:aws:iam::42:role/rbx-sso-myrole

Since we configured MFA on Azure AD there is also the Verification Code besides the password to provide. When we succeed the aws-azure-login actually generated a profile in the AWS credentials configuration which holds the access and secret key. So let’s check.

Connect to AWS

jvzoggel$ cat /Users/jvzoggel/.aws/credentials


jvzoggel$ export AWS_PROFILE=rubix
jvzoggel$ aws s3api list-buckets
    "Buckets": [
            "Name": "awsamplify-20181220092431-deployment",


Leave a comment

Posted by on 01-02-2019 in Uncategorized


Tags: , , , ,

Using CloudFormation to bootstrap EC2 instances with scripts from CodeCommit

While spinning up EC2 instances you can bootstrap them with packages, files, etc in different ways. For our stack we wanted to pull scripts from an AWS CodeCommit to make life easier.

The (bash) scripts are stored in our CodeCommit so first we need to make sure the EC2 instances, while spinning up, are allowed to access the repository. So we created an IAM Policy with these sufficient rights and attach the policy to a IAM role which we can use to attach to our EC2 instances.

AWS IAM Policy:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": "arn:aws:codecommit:*:*:terra10-scripts"
            "Effect": "Allow",
            "Action": [
            "Resource": "*"

We make sure the EC2 instances uses the new IAM Role by defining IamInstanceProfile with our example IAM Role t10-ec2-role in the CloudFormation template. Further on by using the UserData segment we can execute scripts during bootstrap of the server. Install the AWSCLI is required for the credential helper

  Type: AWS::EC2::Instance
    ImageId: !Ref HostAMI
    InstanceType: t2.micro
    IamInstanceProfile: t10-ec2-role
      - Key: Name
        Value: t10-k8s-controller1
      Fn::Base64: !Sub |
        #!bin/bash -xe
        apt-get update
        apt-get -y install awscli
        cd /tmp
        echo "######## git pull AWS CodeCommit files"
        sudo git config --global credential.helper '!aws codecommit credential-helper $@'
        sudo git config --global credential.UseHttpPath true
        sudo git clone /tmp/terra10-scripts


Leave a comment

Posted by on 26-08-2018 in AWS


Tags: , , , ,