Name: aws-saml-adfs-cmdlet-sample
Owner: Amazon Web Services - Labs
Owner: AWS Samples
Description: Reference module that obtains and sets temporary AWS security credentials in a Windows PowerShell session using SAML and AD FS.
Created: 2015-11-23 17:48:43.0
Updated: 2017-07-23 01:52:06.0
Pushed: 2017-02-25 22:18:34.0
Size: 24
Language: C#
A reference Windows PowerShell module that obtains and sets temporary AWS security credentials in a Windows PowerShell session using SAML and AD FS. The code can be adapted for use in any C# .NET application.
To use the cmdlet, you must have:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe .\AWSSAMLCredentials\AWSSAMLCredentials.sln /p:Configuration=Release
Import-Module .\AWSSAMLCredentials\ClassLibrary1\bin\Release\AWSSAML.dll
Now, let's look at how we authenticate with the AD FS identity provider to obtain temporary AWS credentials. Using the AWSSAMLCredentials cmdlet, we can interactively provide Windows Active Directory credentials and then select an AWS role to which the user has access.
When running the Set-AWSSAMLCredentials cmdlet, be sure to replace the example AD FS hostname with your own actual AD FS hostname.
Set-AWSSAMLCredentials -IdentityProviderUrl "https://adfs.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices" -UseCurrentCredentials $false
Username: adminaduser
Password: ************
Domain: example.com
Please choose the role you would like to assume:
Selection: 0
Rather than typing your Windows credentials every time, the Set-AWSSAMLCredentials cmdlet can obtain temporary AWS credentials using your existing Active Directory credentials.
Set-AWSSAMLCredentials -IdentityProviderUrl "https://adfs.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices" -UseCurrentCredentials $true
Please choose the role you would like to assume:
Selection: 0
To obtain temporary AWS credentials non-interactively, the RoleIndex parameter can be used to select an AWS role. In the following command, we obtain temporary credentials by using one of the roles you have pre-configured in AD FS (such as the ADFS-Production role, item 0 in the list above).
Set-AWSSAMLCredentials -IdentityProviderUrl "https://adfs.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices" -RoleIndex 0
Now let's use the temporary AWS credentials obtained by using the Set-AWSSAMLCredentials cmdlet to interact with AWS service APIs.
Example 1: In this example, we will list all the available Amazon S3 buckets in the AWS account of the role we have assumed. This is a common task for administrators managing S3 from the Windows PowerShell command line.
> Get-S3Bucket
CreationDate BucketName
------------ ----------
5/2013 3:16:56 AM mybucket1
5/2015 12:46:50 AM mybucket2
5/2015 6:15:53 AM mybucket3
2/2015 11:20:16 PM mybucket4
Notice how we didn't need to provide credentials when we called the Get-S3Bucket cmdlet. Running the Set-AWSSAMLCredentials cmdlet has made temporary credentials available to the AWS Tools for Windows in the current PowerShell session. These credentials will expire after 1 hour. When the credentials expire, the Windows PowerShell module can be rerun to refresh the credentials without any user interaction. Note that I have again selected the role using the RoleIndex parameter.
Set-AWSSAMLCredentials -IdentityProviderUrl "https://adfs.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices" -UseCurrentCredentials $true -RoleIndex 0
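The role-selection and credential-setting steps that the interactive and RoleIndex workflows above rely on, written out as an added example (this is not the sample module's own code). It assumes the AWS Tools for PowerShell are installed and that $SamlAssertionB64 holds the base64 SAMLResponse returned by AD FS; the sign-on exchange that produces it is not shown.

```powershell
# Added example, not code from aws-saml-adfs-cmdlet-sample. Requires the AWS Tools for
# PowerShell (Use-STSRoleWithSAML, Set-AWSCredential).
# ASSUMPTION: $SamlAssertionB64 is the base64 SAMLResponse posted back by AD FS after the
# IdP-initiated sign-on; how it is obtained is outside this snippet.

function Get-SamlRolePair {
    param([Parameter(Mandatory)][string]$SamlAssertionB64)
    [xml]$doc = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlAssertionB64))
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $xpath = "//saml:Attribute[@Name='https://aws.amazon.com/SAML/Attributes/Role']/saml:AttributeValue"
    foreach ($n in $doc.SelectNodes($xpath, $ns)) {
        # Each value is "<arn>,<arn>"; AD FS may emit either ARN first, so match by type, not position.
        $parts = $n.InnerText.Trim() -split ','
        $role = $parts | Where-Object { $_ -like 'arn:aws:iam::*:role/*' } | Select-Object -First 1
        $idp  = $parts | Where-Object { $_ -like 'arn:aws:iam::*:saml-provider/*' } | Select-Object -First 1
        if ($role -and $idp) { [pscustomobject]@{ RoleArn = $role; PrincipalArn = $idp } }
    }
}

function Set-SessionCredentialFromSaml {
    param(
        [Parameter(Mandatory)][string]$SamlAssertionB64,
        [int]$RoleIndex = -1,            # -1 = prompt, as the cmdlet does when -RoleIndex is omitted
        [int]$DurationInSeconds = 3600   # the 1-hour lifetime described above
    )
    $pairs = @(Get-SamlRolePair -SamlAssertionB64 $SamlAssertionB64)
    if ($pairs.Count -eq 0) { throw 'No AWS Role attribute found in the SAML assertion' }
    if ($RoleIndex -lt 0) {
        Write-Host 'Please choose the role you would like to assume:'
        for ($i = 0; $i -lt $pairs.Count; $i++) { Write-Host ("[{0}] {1}" -f $i, $pairs[$i].RoleArn) }
        $RoleIndex = [int](Read-Host 'Selection')
    }
    if ($RoleIndex -ge $pairs.Count) { throw "RoleIndex $RoleIndex is out of range (0..$($pairs.Count - 1))" }
    $sel = $pairs[$RoleIndex]
    # STS checks the assertion's signature against the IAM SAML provider; no long-lived keys are used.
    $sts = Use-STSRoleWithSAML -RoleArn $sel.RoleArn -PrincipalArn $sel.PrincipalArn `
        -SAMLAssertion $SamlAssertionB64 -DurationInSeconds $DurationInSeconds
    $c = $sts.Credentials
    # Scope the temporary keys to this session only, as Set-AWSSAMLCredentials does.
    Set-AWSCredential -AccessKey $c.AccessKeyId -SecretKey $c.SecretAccessKey -SessionToken $c.SessionToken
    Write-Host ("Session credentials for {0} set; they expire at {1:u}" -f $sel.RoleArn, $c.Expiration)
}
```

Rerunning Set-SessionCredentialFromSaml with the same -RoleIndex after the Expiration time refreshes the session without a prompt, which is the non-interactive refresh the text describes.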
Example 2: Now let's list all Amazon EC2 instances in the Sydney region. You may want to do this to get a list of all the EC2 instances in the region in order to manage your EC2 fleet.
(Get-Ec2Instance -Region ap-southeast-2).Instances | Select InstanceType, @{Name="Servername";Expression={$_.tags | where key -eq "Name" | Select Value -Expand Value}}
InstanceType Servername
------------ ----------
small DC2
micro NAT1
micro RDGW1
micro RDGW2
micro NAT2
small DC1
micro BUILD
This sample application is distributed under the Apache License, Version 2.0.