Amazon Web Services, Granting access to the AWS Console

How to use Active Directory and Shibboleth to grant access to an AWS account.

AWS accounts configured under our campus contract use Shibboleth as the default login mechanism to the AWS Console.

Shibboleth requires matching configuration in our local Active Directory and within the target AWS account to work:

Active Directory

Shibboleth is configured to search for AD groups named according to the following format:

AWS-<AccountID>-<RoleName>

  1. AccountID: the 12-digit AWS account number, provided when the account is provisioned.
  2. RoleName: an arbitrary name for the AWS IAM role that group members will be able to assume.

An example: AWS-123456789012-Researchers

Some groups like to name roles based on logical affiliation with the project (Researchers, ITSupport, Admins), while others prefer to grant access according to organizational units (NetworkEngineering, HelpDesk, ApplicationSupport). Either method is acceptable.

AD groups should be Security Groups with a Global context. At present, it's not possible to nest groups, so your AD group must be populated with people.

Once your group is in place, you can create the corresponding AWS role:

Amazon Web Services

Note: When your account is initially provisioned, this step will be handled by our AWS account management team.

  1. From the AWS Console, navigate to IAM, then select Roles from the left-column menu.
  2. Click the Create New Role button at the top of the page.
  3. Select Role for Identity Provider Access, then select Grant Web Single Sign-On (WebSSO) access to SAML providers.
  4. Verify that shibboleth.illinois.edu is selected as your SAML Provider and click Next Step.
  5. No changes are needed for the role trust. Click Next Step.
  6. Find and attach a policy. By default, roles have no access, so you must grant appropriate access. Click Next Step.
  7. Enter the role name that matches the RoleName portion of your AD group name (including capitalization), then click Create role.

Once AD and AWS are both configured, users should be able to log in to the role via aws.illinois.edu within a minute.
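The group-to-role mapping above is easy to get wrong silently (a typo in the account ID, a role created with different capitalization than the group), so here is an added example that is not part of the original page: a small Python check that parses group names in the AWS-&lt;AccountID&gt;-&lt;RoleName&gt; format, builds the SAML trust policy the console wizard creates, and compares a list of AD groups against the roles that exist in each account. It assumes the Shibboleth SAML provider's IAM name is shibboleth.illinois.edu and that role names use the standard IAM role-name character set; the sample groups and roles are constructed.

```python
import re

# Group naming convention from this page: AWS-<12-digit AccountID>-<RoleName>.
# The RoleName character class is the IAM role-name charset (an assumption, not from the page).
GROUP_RE = re.compile(r"^AWS-(?P<account_id>\d{12})-(?P<role_name>[\w+=,.@-]+)$")

def parse_group(group_name):
    """Return (account_id, role_name) for a well-formed group name, else None."""
    m = GROUP_RE.match(group_name)
    return (m.group("account_id"), m.group("role_name")) if m else None

def expected_role_arn(group_name):
    """ARN of the IAM role a group maps to, or None if the group name is malformed."""
    parsed = parse_group(group_name)
    return f"arn:aws:iam::{parsed[0]}:role/{parsed[1]}" if parsed else None

def saml_trust_policy(account_id, provider_name="shibboleth.illinois.edu"):
    """Trust policy equivalent to the 'Grant WebSSO access to SAML providers' wizard step.
    provider_name is assumed to be the IAM name of the Shibboleth SAML provider."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }

def audit_groups(group_names, existing_roles):
    """Classify AD groups as matched / missing_role / malformed against the roles present
    in each account (existing_roles: {account_id: set of role names}, e.g. from iam:ListRoles).
    The comparison is case-sensitive because the role name must match the group's RoleName
    including capitalization."""
    matched, missing_role, malformed = [], [], []
    for name in group_names:
        parsed = parse_group(name)
        if parsed is None:
            malformed.append(name)          # wrong prefix, non-12-digit account ID, or bad chars
        elif parsed[1] in existing_roles.get(parsed[0], set()):
            matched.append(name)
        else:
            missing_role.append(name)       # group exists in AD but no role of that name in AWS
    return matched, missing_role, malformed

# Constructed sample data (not real groups or roles).
SAMPLE_GROUPS = ["AWS-123456789012-Researchers", "AWS-123456789012-ITSupport", "AWS-12345-Admins"]
SAMPLE_ROLES = {"123456789012": {"Researchers", "Admins"}}
```

Running audit_groups(SAMPLE_GROUPS, SAMPLE_ROLES) reports the Researchers group as matched, ITSupport as a group with no corresponding role, and the 5-digit account ID as malformed.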



Keywords: AWS Shibboleth
Doc ID: 71883
Owner: Chris K.
Group: University of Illinois Technology Services
Created: 2017-03-20 14:33 CDT
Updated: 2017-05-25 13:36 CDT