Amazon Web Services, Granting access to the AWS Console

How to use Active Directory and Shibboleth to grant access to an AWS account.

AWS accounts configured under our campus contract use Shibboleth as the default login mechanism to the AWS Console.

Shibboleth requires matching configuration in our local Active Directory and within the target AWS account to work:

Active Directory

Shibboleth is configured to search for AD groups named according to the following format:

AWS-<AccountID>-<RoleName>

  1. AccountID: 12-digit AWS account number, provided when the account is provisioned.
  2. RoleName: Arbitrary name for the AWS IAM role that group members will be able to use.

An example: AWS-123456789012-Researchers

Some groups like to name roles based on logical affiliation with the project (Researchers, ITSupport, Admins), while others prefer to grant access according to organizational units (NetworkEngineering, HelpDesk, ApplicationSupport). Either method is acceptable.

AD groups should be Security Groups with a Global context. At present, it's not possible to nest groups, so your AD group must be populated with people.

Once your group is in place, you can create the corresponding AWS role:

Amazon Web Services

Note: When your account is initially provisioned, this step will be handled by our AWS account management team.

  1. From the AWS Console, navigate to IAM, then select Roles from the left-column menu.
  2. Click the Create Role button at the top of the page.
  3. Select SAML 2.0 federation as the type of trusted entity.
  4. Select shibboleth.illinois.edu as the SAML provider.
  5. Select Allow programmatic and AWS Management Console access and click the blue Next: Permissions button.
  6. Find and attach one or more policies, appropriate to the function of the role. By default, roles have no access, so you must grant appropriate access. Click Next: Review.
  7. Enter the role name which matches the RoleName portion of your AD group name (including capitalization), click Create role.

Once AD and AWS are both configured, users should be able to log in to the role via aws.illinois.edu.
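The two halves of the setup above have to agree exactly: the AD group name encodes the account ID and the role name, and the IAM role must carry that same role name and trust the shibboleth.illinois.edu SAML provider. The following Python script is an added example, not part of this article or of Technology Services' tooling. It parses a group name in the AWS-<AccountID>-<RoleName> format, checks that a proposed IAM role name matches the group (case included), and produces the role ARN, the SAML trust policy the console creates in steps 3 to 5, and the equivalent `aws iam create-role` command. The trust policy body follows AWS's documented SAML federation trust policy; that it is exactly what the console emits for the "programmatic and console access" choice is an assumption, and the group names at the bottom are constructed sample values.

```python
"""Derive the IAM role and SAML trust policy implied by an AD group name.

Added illustration for this article, not Technology Services' own code.
Assumes the AWS-<AccountID>-<RoleName> group convention and the SAML
provider name shibboleth.illinois.edu described in the article.
"""
import json
import re
import shlex

# Name of the IAM SAML provider registered in each account (from the article).
SAML_PROVIDER_NAME = "shibboleth.illinois.edu"

# Audience value AWS places in console sign-in assertions. Restricting the
# trust policy to it means a SAML assertion minted for some other service
# cannot be replayed to assume this role.
CONSOLE_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Exactly one 12-digit account ID and a role name using the characters IAM
# allows. The role name is captured verbatim because IAM names are case
# sensitive and Shibboleth's group-to-role mapping is an exact match.
GROUP_PATTERN = re.compile(r"^AWS-(?P<account>\d{12})-(?P<role>[\w+=,.@-]{1,64})$")


def parse_group_name(group_name):
    """Return (account_id, role_name) for a well-formed AD group name.

    Raises ValueError for names that do not follow AWS-<AccountID>-<RoleName>,
    so a typo in the group name is caught before any role is created.
    """
    match = GROUP_PATTERN.match(group_name)
    if match is None:
        raise ValueError(f"not of the form AWS-<AccountID>-<RoleName>: {group_name!r}")
    return match.group("account"), match.group("role")


def matches_group(group_name, role_name):
    """True only when the IAM role name equals the RoleName part of the group
    name, including capitalization; malformed group names never match."""
    try:
        return parse_group_name(group_name)[1] == role_name
    except ValueError:
        return False


def saml_provider_arn(account_id, provider_name=SAML_PROVIDER_NAME):
    """ARN of the SAML provider object inside the given account."""
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def build_trust_policy(account_id):
    """Trust (assume-role) policy for a SAML 2.0 federated role: only
    assertions from the Shibboleth provider, and only those addressed to
    the AWS sign-in endpoint, may assume the role."""
    statement = {
        "Effect": "Allow",
        "Principal": {"Federated": saml_provider_arn(account_id)},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": CONSOLE_SAML_AUDIENCE}},
    }
    return {"Version": "2012-10-17", "Statement": [statement]}


def role_from_group(group_name):
    """Role name, role ARN, trust policy and CLI command for an AD group."""
    account_id, role_name = parse_group_name(group_name)
    policy = build_trust_policy(account_id)
    # CLI equivalent of console steps 1 to 5 (permission policies are still
    # attached separately, as in step 6).
    command = (
        "aws iam create-role --role-name " + shlex.quote(role_name)
        + " --assume-role-policy-document " + shlex.quote(json.dumps(policy))
    )
    return {
        "role_name": role_name,
        "role_arn": f"arn:aws:iam::{account_id}:role/{role_name}",
        "trust_policy": policy,
        "create_command": command,
    }


if __name__ == "__main__":
    # Constructed sample group names: one valid, one with a short account ID.
    for name in ("AWS-123456789012-Researchers", "AWS-12345-Researchers"):
        try:
            role = role_from_group(name)
            print(f"{name} -> {role['role_arn']}")
            print(json.dumps(role["trust_policy"], indent=2))
            print(role["create_command"])
        except ValueError as err:
            print(f"rejected: {err}")
```

The `matches_group` check is the one worth wiring into whatever process creates the role: step 7 says the names must match including capitalization, and a role named `researchers` for the group `AWS-123456789012-Researchers` silently fails at login rather than at creation time.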



Keywords: AWS Shibboleth
Doc ID: 71883
Owner: Chris K.
Group: University of Illinois Technology Services
Created: 2017-03-20 13:33 CST
Updated: 2017-10-30 12:27 CST
Sites: University of Illinois Technology Services