AWS/Azure AD – You can use Azure AD for authentication when accessing AWS

Like many customers, you may be running resources on multiple cloud providers, such as Azure and AWS.

You can now use Azure AD (and additional AAD capabilities such as conditional access and/or MFA) for authentication when accessing the AWS console.

With this integration you will also be able to provision AWS roles to your Azure AD.

The high-level steps to implement AWS SSO with Azure AD are:

  • Register an Azure AD Enterprise application
  • Implement SSO
  • Enable provisioning

To register the Azure AD application, log on to your Azure AD portal (https://aad.portal.azure.com/) or the Azure portal (https://portal.azure.com) and access the Azure AD blade

Then access the Enterprise applications blade

Then click on New application and select Amazon Web Services (AWS) and then click on Create to provision the Azure AD AWS application

Then access the Single Sign On blade to configure SSO

Select the SAML SSO option

The SAML SSO settings are already preconfigured; you can click on Save Single Sign On settings now, or choose to do it later

Download the SAML metadata (Federation Metadata XML) from the SAML Signing Certificate section

Then log on to your AWS console (https://console.aws.amazon.com/) and access the IAM configuration blade

Access the Identity Provider section to create a new provider

Select SAML as the provider type, name your provider (no spaces allowed) – let's say AzureAD – and upload the Federation Metadata file you downloaded earlier

Then go to the Roles section to create a new role for the Identity Provider you just created

Select SAML 2.0 as the type of trusted entity, select the provider you created earlier and enable the Allow programmatic and AWS Management Console access option

During the next step you can set the permission policies as per your requirements

Then you can set tags and finally complete the creation of the role by naming it

Now, access the Policies section to create a new policy to fetch all roles from your AWS accounts

When creating the new policy, select JSON, copy the code below and complete the creation of the policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}

Then access the Users blade to create a user account for user account provisioning

When creating the user account select Programmatic Access

Assign the permission policy you have just created and complete the user creation process

Once the user is created, copy the values of the Access key ID and Secret access key so you can save them in the Azure AD application provisioning section

Go back to your AWS Azure AD application to access the Provisioning blade

Select Automatic provisioning and paste the Access key and secret from your AWS user

You are good to go.
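
To review the two IAM policies this walkthrough creates, the following added example (not part of the original post) audits a role trust policy and the provisioning user's policy offline. The account ID 123456789012, the sample trust policy and the function names are assumptions for illustration; the SAML:aud value is the AWS sign-in endpoint that a SAML role created for console access is conditioned on.

```python
# Constructed sample of the trust policy on a SAML 2.0 federated role.
# 123456789012 is a placeholder account ID; "AzureAD" is the provider name used above.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/AzureAD"
AWS_SAML_AUD = "https://signin.aws.amazon.com/saml"
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUD}},
}]}
# The provisioning policy from the walkthrough.
PROVISIONING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:ListRoles"], "Resource": "*"}]}

def _as_list(value):
    """IAM accepts either a single value or a list in these fields."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, provider_arn):
    """Return findings for a role that should trust exactly one SAML provider."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or set(principal) != {"Federated"}:
            findings.append("principal is not limited to a federated provider")
        elif _as_list(principal["Federated"]) != [provider_arn]:
            findings.append("trusts a provider other than " + provider_arn)
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRoleWithSAML"]:
            findings.append("allows actions other than sts:AssumeRoleWithSAML")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUD:
            findings.append("no SAML:aud condition for the AWS sign-in endpoint")
    return findings

def audit_provisioning_policy(policy, allowed=frozenset({"iam:ListRoles"})):
    """Return allowed actions beyond what role provisioning needs."""
    extra = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            extra.update(a for a in _as_list(stmt.get("Action", [])) if a not in allowed)
    return sorted(extra)

if __name__ == "__main__":
    print(audit_trust_policy(TRUST_POLICY, PROVIDER_ARN))
    print(audit_provisioning_policy(PROVISIONING_POLICY))
```

An empty list from both functions means the role trusts only the AzureAD provider for SAML sign-in and the provisioning user's access key can do nothing beyond listing roles.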
