Showing posts from June, 2018

Setup AWS SSO CLI & API Access

In my last article, I discussed the steps to set up AWS SSO through Azure AD. By using Azure AD app roles, we are able to use our Azure AD accounts to access the AWS Console. But with this approach, you will find there is no option in AWS IAM to generate an Access Key and Secret for CLI and API access. Fortunately, we are not the only ones out there who have this problem. David T Johnson faced the same issue and he is kind and smart enough (unlike me) to create a tool to address it. The tool's source code can be found on GitHub. The tool is written in Node.js. So if you don't have Node, the first thing will be to install Node from . After that, simply follow the installation instructions to get the tool going. The example shown here is tested on Windows 10. Before starting, log into the Azure portal to get the Azure Tenant ID and the AWS SSO App ID. The tenant ID can be found in the Properties section of Azure A

Setup SSO Access to AWS Console with Azure AD

As an organization acquires more AWS accounts, it becomes quite a challenge for IT to manage access to all those accounts. Instead of dealing with individual IAM accounts across multiple AWS accounts, we need an identity solution to simplify the user access provisioning and removal process. AWS itself offers a service called AWS SSO, which allows integrating AWS access with on-premises AD through SAML. However, the service does incur charges and will require provisioning an AD Connect appliance in AWS if you don't already have ADFS in place (yes, it has the same name as Azure AD Connect). Instead of AWS SSO, in this article I will talk about how you can set up Azure AD as the sole IdP for all your AWS accounts through SAML. Azure AD, as the core of Office 365 services, is widely used across businesses these days. In a lot of cases, organizations have their on-premises AD forests synced with Azure AD. This allows you to manage AWS access from on-premises tools like ADUC. It also means you