Authentication

This page explains how to access the AWS environments using SSO.

AWS

Configure SSO

aws configure sso

SSO session name (Recommended): saritasa/v2/administrators
SSO start URL [None]: https://saritasa.awsapps.com/start
SSO region [None]: us-west-2
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-west-2.amazonaws.com/

Then enter the code:

LWGS-RVJX
There are 3 AWS accounts available to you.
Using the account ID 965067289393
There are 2 roles available to you.
Using the role name "saritasa-administrators-role"
CLI default client Region [None]: us-west-2
CLI default output format [None]: json
CLI profile name [saritasa-administrators-role-965067289393]: saritasa/v2/administrators

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile saritasa/v2/administrators

Then modify ~/.aws/config and change the profile saritasa-administrators-role-965067289393 to match the following: rename it to saritasa/v2/administrators and include credential_process as shown below:

[profile saritasa/v2/administrators]
sso_session=saritasa/v2/administrators
sso_account_id=965067289393
sso_role_name=saritasa-administrators-role
region=us-west-2
output=json
credential_process=aws-vault exec saritasa/v2/administrators --json

[sso-session saritasa/v2/administrators]
sso_start_url=https://saritasa.awsapps.com/start
sso_region=us-west-2
sso_registration_scopes=sso:account:access

Test quickly

aws configure list --profile saritasa/v2/administrators
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile saritasa/v2/administrators           manual    --profile
access_key     ****************QWN6              sso
secret_key     ****************7aYT              sso
    region                us-west-2      config-file    ~/.aws/config

Update ~/.aws/config

Update the configuration file ~/.aws/config and add the following profiles (replace <YourFullName> with your own name):

[profile igaawi/sso/administrators]
role_session_name=<YourFullName>=root
region=us-west-2
role_arn=arn:aws:iam::113727184156:role/saritasa-sso-administrators-role
source_profile=saritasa/v2/administrators

[profile igaawi/sso/prod/administrators]
role_session_name=<YourFullName>=prod
region=us-west-2
role_arn=arn:aws:iam::187528943262:role/saritasa-sso-administrators-role
source_profile=saritasa/v2/administrators
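The two steps above produce a chain: the role profiles assume a role via source_profile, which in turn gets its credentials from the sso-session block. A typo anywhere in that chain only shows up later as an unhelpful "Unable to locate credentials" or AccessDenied. The following script is an added example (not from the original page, aws-vault, or the AWS CLI) that parses a config file in the layout shown above and reports inconsistencies offline, before any role is assumed. The config text embedded in it is constructed from the profiles on this page; the session name JaneDoe is a placeholder, and the BROKEN_CONFIG block deliberately keeps the <YourFullName> placeholder and misspells its source_profile to show what the check catches.

```python
"""Offline sanity check for the ~/.aws/config layout described above.

Added example (not from the original page, aws-vault, or the AWS CLI).
It parses the sso-session block and the role-chaining profiles that
reference it via source_profile, and reports mistakes that would
otherwise only surface at run time.
"""
import configparser
import re
from pathlib import Path

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
# Character set and length that sts:AssumeRole accepts for RoleSessionName.
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed from the profiles on this page; JaneDoe is a placeholder name.
SAMPLE_CONFIG = """\
[profile saritasa/v2/administrators]
sso_session=saritasa/v2/administrators
sso_account_id=965067289393
sso_role_name=saritasa-administrators-role
region=us-west-2
output=json
credential_process=aws-vault exec saritasa/v2/administrators --json

[sso-session saritasa/v2/administrators]
sso_start_url=https://saritasa.awsapps.com/start
sso_region=us-west-2
sso_registration_scopes=sso:account:access

[profile igaawi/sso/administrators]
role_session_name=JaneDoe=root
region=us-west-2
role_arn=arn:aws:iam::113727184156:role/saritasa-sso-administrators-role
source_profile=saritasa/v2/administrators
"""

# Same file plus a typical copy-paste mistake: placeholder left in place and
# a typo in source_profile, so the prod role could never be assumed.
BROKEN_CONFIG = SAMPLE_CONFIG + """
[profile igaawi/sso/prod/administrators]
role_session_name=<YourFullName>=prod
region=us-west-2
role_arn=arn:aws:iam::187528943262:role/saritasa-sso-administrators-role
source_profile=saritasa/v2/administrator
"""


def parse_aws_config(text):
    """Split an AWS CLI config into {profile: options} and {sso-session: options}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles, sessions = {}, {}
    for section in cp.sections():
        if section.startswith("profile "):
            profiles[section[len("profile "):]] = dict(cp[section])
        elif section.startswith("sso-session "):
            sessions[section[len("sso-session "):]] = dict(cp[section])
        elif section == "default":
            profiles["default"] = dict(cp[section])
    return profiles, sessions


def check_config(text):
    """Return a list of findings; an empty list means the file looks consistent."""
    profiles, sessions = parse_aws_config(text)
    findings = []
    for name, p in profiles.items():
        if "role_arn" in p:
            if not ROLE_ARN_RE.match(p["role_arn"]):
                findings.append(f"{name}: malformed role_arn {p['role_arn']!r}")
            src = p.get("source_profile")
            if src is None:
                findings.append(f"{name}: role_arn set but no source_profile to assume it from")
            elif src not in profiles:
                findings.append(f"{name}: source_profile {src!r} does not exist")
            rsn = p.get("role_session_name", "")
            if "<" in rsn or ">" in rsn:
                findings.append(f"{name}: role_session_name still contains a <placeholder>")
            elif rsn and not SESSION_NAME_RE.match(rsn):
                findings.append(f"{name}: role_session_name {rsn!r} is not a valid RoleSessionName")
        if "sso_session" in p:
            session = sessions.get(p["sso_session"])
            if session is None:
                findings.append(f"{name}: sso_session {p['sso_session']!r} has no [sso-session] block")
            else:
                for key in ("sso_start_url", "sso_region"):
                    if key not in session:
                        findings.append(f"{name}: sso-session {p['sso_session']!r} lacks {key}")
        # Follow source_profile links; a loop would make credential resolution recurse forever.
        seen, cur = {name}, name
        while "source_profile" in profiles.get(cur, {}):
            cur = profiles[cur]["source_profile"]
            if cur in seen:
                findings.append(f"{name}: source_profile chain loops back to {cur!r}")
                break
            seen.add(cur)
    return findings


def check_file(path=None):
    """Run the same checks against a real config file (defaults to ~/.aws/config)."""
    path = Path(path) if path else Path.home() / ".aws" / "config"
    return check_config(path.read_text())


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"{label}: {check_config(cfg) or 'OK'}")
```

Run it as-is to see the two findings for the broken profile, or call check_file() against your own ~/.aws/config after editing it. Because the check is purely static it cannot tell whether the role trust policy actually allows your SSO role to assume it; that is what `aws sts get-caller-identity --profile <name>` confirms once the file is consistent.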

Environments

Root

Account#: 113727184156

This account is not supposed to run any workload for any of the environments. However, it may and should be used for backup replication (S3 buckets, database backups, etc.).

Access     Command
aws gui    aws-vault login igaawi/sso/administrators
aws cli    aws-vault exec igaawi/sso/administrators
aws exec   aws-vault exec igaawi/sso/administrators -- aws s3 ls
aws exec   aws s3 ls --profile igaawi/sso/administrators

Production

Account#: 187528943262

Access     Command
aws gui    aws-vault login igaawi/sso/prod/administrators
aws cli    aws-vault exec igaawi/sso/prod/administrators
aws exec   aws-vault exec igaawi/sso/prod/administrators -- aws s3 ls
aws exec   aws s3 ls --profile igaawi/sso/prod/administrators