How to use Azure AD Account in AWS to manage multiple cloud providers with one identity

In business, it is important to pick the software, application or provider that best reaches your goals, such as the highest quality, the lowest cost or the richest feature set, combined with a service that supports your governance. So it is sometimes necessary to use several cloud providers to reach these goals.

But needing different providers does not mean you need different identities or authentication methods. In the following lines, I will describe how to use Amazon Web Services with your Azure Active Directory (Azure AD) credentials.


Create an Enterprise Application

If you decide to manage AWS with an Azure AD identity, you need to register an enterprise application that handles authentication between your Azure AD and AWS IAM.

First you need to log in to portal.azure.com and switch to Azure Active Directory, select “Enterprise applications” and go to “New Application”.


Now you should see an overview of all applications. Use the search box and type in “AWS”. Select the AWS application and click “Create”. After that, the application appears under “All applications”; select it.


Configure the Amazon Web Services Application

After the application has been created successfully, we need to configure it for single sign-on with AWS. To do this, we go to the “Single sign-on” option and select the SAML method.


AWS expects the SAML claims in a specific format. To set that format automatically, we accept the following dialog with “Yes”.


Nothing more needs to be done here; we can now download the Federation Metadata XML.


Setup AWS for Single Sign-On with Azure AD

To set up single sign-on in AWS, we carry out the following tasks:

  • Configure an identity provider with the Federation Metadata XML
  • Create a new role in AWS

Configure an identity provider with the Federation Metadata XML

Creating a new identity provider in AWS from the XML file is easy. Log in to the AWS Management Console (aws.amazon.com) with your global admin account and search for IAM (Identity and Access Management).

In the left menu panel, select “Identity provider” and “create provider”. In the next section, select the “SAML” provider type, give it a name and choose the XML file you downloaded from the Azure portal a few steps before. Verify all data and create the provider.

Create a new role in AWS

The role is the control that decides what users from this provider (in this case users from Azure AD) are allowed to do. To learn more about role-based access control, you can start with Wikipedia.

Creating a role is easy. Select “role” from the left panel and follow the instructions.

Which permissions you use is your decision. In my case, I start with the Administrator permission to test the environment. In a production environment, it is not recommended to grant the Admin permission by default 😉

Last but not least, we save the information needed to create the role in Azure AD (copy it to a notepad):

  • Role ARN
  • Trusted entities

Create Azure AD Role

To add a new role to the AWS enterprise application, we need the Graph API and the Graph Explorer.

Log in with your Azure AD admin account and set the permissions needed to modify the application.

To get information about your enterprise application, we query the ServicePrincipal by its ObjectId. To find the ObjectId, switch to the overview of your application.

Run the GET query to view all information about the application (use your ObjectId).

Now we PATCH the application with the following request body. It is important to replace the value of the second role with your Role ARN and Trusted entities data, separated by a comma! Feel free to edit the description and displayName of “Admin,AWSAdmin”.

{
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "msiam_access",
      "displayName": "msiam_access",
      "id": "7dfd756e-8c27-4472-b2b7-38c17fc5de5e",
      "isEnabled": true,
      "origin": "Application",
      "value": null
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Admin,AWSAdmin",
      "displayName": "Admin,AWSAdmin",
      "id": "4aacf5a4-f38b-4861-b909-bae023e88dde",
      "isEnabled": true,
      "origin": "ServicePrincipal",
      "value": "Role ARN,Trusted entities"
    }
  ]
}
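As an added example (not part of the original post), here is how the PATCH body above can be built programmatically instead of editing the JSON by hand, which also guards against the easy mistake of dropping msiam_access when the appRoles array is replaced. It assumes the Role ARN is an IAM role ARN and the Trusted entities value is the ARN of the SAML provider created earlier; the function names, the ARN regexes and the sample appRoles array are my own, and the GUID in it is a placeholder.

```python
import re
import uuid
from typing import Any

# Constructed sample of the appRoles array a GET on /servicePrincipals/{objectId}
# returns for the AWS gallery app (the GUID is a placeholder, not a real tenant value).
EXISTING_APP_ROLES = [
    {
        "allowedMemberTypes": ["User"],
        "description": "msiam_access",
        "displayName": "msiam_access",
        "id": "00000000-0000-4000-8000-000000000001",
        "isEnabled": True,
        "origin": "Application",
        "value": None,
    }
]

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")


def aws_role_value(role_arn: str, provider_arn: str) -> str:
    """Build the "Role ARN,Trusted entities" string AWS expects in the Role claim."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if not PROVIDER_ARN_RE.match(provider_arn):
        raise ValueError(f"not a SAML provider ARN: {provider_arn}")
    return f"{role_arn},{provider_arn}"


def build_approles_patch(existing: list[dict[str, Any]], display_name: str,
                         role_arn: str, provider_arn: str) -> dict[str, Any]:
    """Return the PATCH body for /servicePrincipals/{objectId}."""
    # PATCH replaces the whole appRoles collection, so every existing role
    # (incl. msiam_access, which the AWS app needs) is kept and the new one appended.
    if not any(r["displayName"] == "msiam_access" for r in existing):
        raise ValueError("appRoles must keep the msiam_access role")
    if any(r["displayName"] == display_name for r in existing):
        raise ValueError(f"a role named {display_name!r} already exists")
    new_role = {
        "allowedMemberTypes": ["User"],
        "description": display_name,
        "displayName": display_name,
        "id": str(uuid.uuid4()),  # any fresh GUID; it only has to be unique
        "isEnabled": True,
        "origin": "ServicePrincipal",
        "value": aws_role_value(role_arn, provider_arn),
    }
    return {"appRoles": [*existing, new_role]}
```

The returned dictionary is what you paste into the Graph Explorer request body; roles you later want to delete must first be patched with isEnabled set to false.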

Send the request to the Graph API.

Now assign the role to one or more users or groups. You may need to refresh your browser to see the new role in the admin portal.

Use the access

The easiest way to test the access is to log in to https://myapps.microsoft.com/ with an assigned account and open the AWS app. You should then be redirected to the AWS Management Console. Now you can act as an Azure AD user in AWS, with the permissions you assigned to the role in the AWS configuration section.
