saml2aws

saml2aws is a CLI tool which enables you to log in and retrieve temporary AWS credentials using Helix authentication. It is used to manage credentials for multiple AWS accounts at the same time when authenticating via SAML. Accounts are organized in groups, which can be refreshed with a single command.

See Robert Garcia's video for how to configure and use this tool in MCaaS.

Caveat

Currently the installation process is not successful on GFE. It only works in VDI.

Installation

Create a Service Now ticket via GSA IT Self Service Portal, requesting saml2aws to be installed on your VDI.

Or, if you have permission, you can install this yourself on your VDI:

  • To install saml2aws, go to https://github.com/Versent/saml2aws/releases and click one of the zip files for Windows; this downloads the binary automatically.
  • Unzip the binary file.
  • Create a bin folder on your H drive.
  • Move the saml2aws.exe file into the bin folder.

saml2aws can be used in PowerShell; you can also use it via Git Bash if you have that installed on your VDI (submit a ServiceNow request to have it added if needed).

Git Bash-Specific Installation

  • Unzip the saml2aws binary and copy it to the H:/bin folder (available in VDI).
  • Add /h/bin to your PATH by putting export PATH=/h/bin:$PATH in your .bashrc.

Usage

Configure credentials

For Git Bash

# in .bash_profile:

export AWS_SHARED_CREDENTIALS_FILE=~/.aws/credentials
export AWS_CONFIG_FILE=~/.aws/config

Configure saml2aws to work with GSA

  • Run saml2aws configure, then set options:
    • providers = browser
    • AWS Profile = saml (or whatever AWS profile name is desired)
    • URL = https://aws.helix.gsa.gov
    • Username - enter username if desired (not required)
    • Password - do not enter password

Login with created profile or IDP account

  • Run saml2aws login --credential-process
    • Confirm or set your Username.
    • Press Enter for the password; you do not need to enter one here.
  • This opens a browser pop-up. Enter your GSA FCS login info.
  • Upon successful authentication, the terminal will display all AWS roles your account has access to.

Use AWS CLI/SDK

After successful authentication, the temporary credentials can be used by specifying the profile.

For example:

aws s3 ls --profile saml
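The login step above and the aws CLI call can be tied together so that the CLI invokes saml2aws itself whenever the temporary credentials have expired. The script below is an added example written for this page; it is not from the MCaaS documentation or from the saml2aws project. It assumes the "saml" profile name used on this page, the real saml2aws --skip-prompt flag (not mentioned on the page), and a POSIX shell with sed, date and expr (Git Bash qualifies). It appends a credential_process profile to an AWS config file, and it checks the JSON that saml2aws login --credential-process prints against the AWS credential_process contract (Version 1, key, secret, session token, unexpired Expiration) before the credentials are trusted. The sample JSON objects are constructed and contain no real credentials.

```shell
#!/bin/sh
# Added example, not code from the MCaaS page or the saml2aws project.
# Assumptions: profile name "saml" (from the page), the saml2aws --skip-prompt
# flag (real, but not on the page), POSIX sh with sed, date and expr.

# Append an AWS CLI profile whose credentials come from saml2aws on demand, so
# "aws s3 ls --profile saml" only re-authenticates (browser pop-up) once the
# temporary credentials have expired. Arguments: config file path, profile name.
write_credential_process_profile() {
  cfg="$1"; profile="$2"
  mkdir -p "$(dirname "$cfg")"
  # credential_process is the standard AWS config key; the command it names must
  # print a JSON object with Version 1 plus key, secret, token and expiration.
  printf '[profile %s]\ncredential_process = saml2aws login --credential-process --skip-prompt\n' \
    "$profile" >> "$cfg"
  chmod 600 "$cfg"   # keep the config private to the owner
}

# Pull one top-level string or number value out of a flat JSON object.
# Sufficient for the credential_process contract; not a general JSON parser.
creds_field() {
  printf '%s' "$1" | sed -n \
    "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Return 0 if the JSON satisfies the credential_process contract and the
# credentials have not expired; otherwise report each problem and return 1.
validate_credential_process_output() {
  json="$1"; rc=0
  [ "$(creds_field "$json" Version)" = "1" ] || { echo "Version must be 1" >&2; rc=1; }
  for key in AccessKeyId SecretAccessKey SessionToken Expiration; do
    [ -n "$(creds_field "$json" "$key")" ] || { echo "missing $key" >&2; rc=1; }
  done
  # ISO-8601 UTC timestamps in the same layout sort lexically, so a string
  # comparison against "now" is enough to detect an already-expired token.
  exp="$(creds_field "$json" Expiration)"
  now="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  if [ -n "$exp" ] && [ "$(expr "$exp" \> "$now")" != "1" ]; then
    echo "credentials expired at $exp" >&2; rc=1
  fi
  return $rc
}

# Constructed sample outputs (not real credentials): one valid, one missing the
# session token, one already expired.
GOOD_CREDS='{"Version":1,"AccessKeyId":"ASIAEXAMPLEKEY000000","SecretAccessKey":"exampleSecretKey","SessionToken":"exampleSessionToken","Expiration":"2099-01-01T00:00:00Z"}'
NO_TOKEN_CREDS='{"Version":1,"AccessKeyId":"ASIAEXAMPLEKEY000000","SecretAccessKey":"exampleSecretKey","Expiration":"2099-01-01T00:00:00Z"}'
EXPIRED_CREDS='{"Version":1,"AccessKeyId":"ASIAEXAMPLEKEY000000","SecretAccessKey":"exampleSecretKey","SessionToken":"exampleSessionToken","Expiration":"2000-01-01T00:00:00Z"}'

# Stand-alone run: check the three samples, then show the stanza that would be
# appended to ~/.aws/config (written to a temp file so nothing real is touched).
for sample in "$GOOD_CREDS" "$NO_TOKEN_CREDS" "$EXPIRED_CREDS"; do
  if validate_credential_process_output "$sample"; then echo "valid"; else echo "rejected"; fi
done
demo_cfg="$(mktemp)"
write_credential_process_profile "$demo_cfg" saml
cat "$demo_cfg"
rm -f "$demo_cfg"
```

With the stanza in place, the aws s3 ls --profile saml call from this page works without a separate login step: the CLI runs saml2aws, which opens the browser pop-up only when no valid cached credentials exist. Run the validator against a captured saml2aws login --credential-process output before pointing the CLI at it; a missing SessionToken or a past Expiration is the usual reason the CLI then fails with an opaque credential error.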

References

For more options, commands and other saml2aws usage information, see https://github.com/Versent/saml2aws#usage
