1
votes

Currently we are planning to use AWS CLI for a variety of use cases. As an I&AM Architect I would like to use our existing Active Directory credentials, rather than creating new IAM users and keys.

We have ADFS as well, and based on the examples given for ADFS integration for AWS CLI, I was able to create PowerShell, Python and Java sample scripts to use AD credentials and use AWS STS to create temporary credentials. It works fine. However, I am facing challenges in making our development teams understand the benefits of using SAML-based authentication rather than permanent keys in AWS CLI.

Fellow architects and developers, I would like to hear from you how you have implemented AWS CLI authentication in your organization.

1

1 Answer

1
votes

We've integrated ADFS and map IAM roles to AD groups. We simply add users to specific AD groups and they get access to the AWS Console by using their AD credentials.

We use saml2aws which allows programmatic access to AWS using the same AD credentials. The best part is it's able to handle RSA as our MFA provider.

User onboarding and offboarding is easy as we don't have to do anything extra outside of AD.

Handing out permanent access keys is obviously insecure and should be avoided.
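As an added illustration of the flow both posts describe (AD credentials produce a SAML assertion, the assertion is exchanged with STS for short-lived keys, and those keys land in a CLI profile instead of a permanent access key), here is example code written for this page. It is not the question author's scripts and not part of saml2aws. The assertion and the account ID, role names and provider name in it are constructed placeholders, and the STS client is passed in with the same `assume_role_with_saml` keyword interface boto3's client exposes, so the example runs offline against the `FakeSts` stand-in; with boto3 installed you would pass `boto3.client("sts")` instead.

```python
"""Added example: ADFS SAML assertion -> STS AssumeRoleWithSAML -> temporary CLI profile.

Constructed sample data throughout; the STS client is injected so this runs offline.
"""
import base64
import configparser
from datetime import datetime, timedelta, timezone
from pathlib import Path
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # attribute AWS expects

# Constructed sample assertion (not a real ADFS response). It carries two
# role/provider pairs, deliberately in both orders ADFS claim rules can emit.
SAMPLE_ASSERTION = base64.b64encode(f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>arn:aws:iam::111122223333:role/ADFS-ReadOnly,arn:aws:iam::111122223333:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/ADFS,arn:aws:iam::111122223333:role/ADFS-Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""".encode()).decode()


def parse_saml_roles(assertion_b64):
    """Return [(role_arn, principal_arn), ...] from the Role attribute.

    Each value is 'role,provider' or 'provider,role'; sort the pair by which ARN
    contains ':role/' so callers never depend on the order the IdP chose.
    """
    root = ET.fromstring(base64.b64decode(assertion_b64))
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            roles = [p for p in parts if ":role/" in p]
            providers = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
                raise ValueError(f"malformed role attribute value: {value.text!r}")
            pairs.append((roles[0], providers[0]))
    if not pairs:
        raise ValueError("assertion carries no AWS role attribute")
    return pairs


def assume_role_with_saml(sts, role_arn, principal_arn, assertion_b64, duration=3600):
    """Exchange the assertion for temporary keys; `sts` is any client with boto3's call shape."""
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=principal_arn,
        SAMLAssertion=assertion_b64,
        DurationSeconds=duration,
    )
    return resp["Credentials"]


def write_temp_profile(creds, path, profile="saml"):
    """Store the short-lived keys in a named CLI profile, preserving other profiles in the file."""
    cfg = configparser.ConfigParser()
    path = Path(path)
    if path.exists():
        cfg.read(path)
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        # recorded so a wrapper script knows when to prompt for AD credentials again
        "x_security_token_expires": creds["Expiration"].isoformat(),
    }
    with path.open("w") as fh:
        cfg.write(fh)
    return profile


class FakeSts:
    """Offline stand-in for boto3's STS client (assumed to return the same response shape)."""

    def assume_role_with_saml(self, **kw):
        allowed = [r for r, _ in parse_saml_roles(kw["SAMLAssertion"])]
        if kw["RoleArn"] not in allowed:
            raise PermissionError("role not present in assertion")  # what real STS would refuse
        exp = datetime.now(timezone.utc) + timedelta(seconds=kw["DurationSeconds"])
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "example-secret",
                                "SessionToken": "example-token", "Expiration": exp}}


if __name__ == "__main__":
    import tempfile
    role, principal = parse_saml_roles(SAMPLE_ASSERTION)[0]  # a real script lets the user pick
    creds = assume_role_with_saml(FakeSts(), role, principal, SAMPLE_ASSERTION)
    with tempfile.TemporaryDirectory() as d:
        print("wrote profile", write_temp_profile(creds, Path(d) / "credentials"))
```

The point the answer makes about onboarding and offboarding is visible in the code: nothing in `~/.aws/credentials` outlives `Expiration`, so removing a user from the AD group is the whole revocation step, and the role selection is driven entirely by what the assertion carries.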