In business, it is important to choose the software, application or provider that best meets your goals, such as the highest quality, the lowest cost or the most features, in combination with a service that supports your governance. Sometimes that means using different cloud providers.
Using different providers does not mean you need different identities or authentication methods. In the following sections, I describe how to sign in to Amazon Web Services (AWS) with your Azure Active Directory (Azure AD) credentials.
Create an Enterprise Application
If you decide to manage AWS with an Azure AD identity, you need to register an enterprise application that handles authentication between your Azure AD and AWS IAM.
First, log in to portal.azure.com, switch to Azure Active Directory, select “Enterprise applications” and go to “New Application”.
Now you should see an overview of all applications. Use the search box and type in “AWS”. Select the AWS application and click “create”. After that, the application appears under “all applications”; select it there.
Configure the Amazon Web Services Application
After the application has been created, we need to configure it for single sign-on to AWS. To do this, open the “Single sign-on” option and select the SAML method.
AWS needs the SAML claims in a specific format. To set the format automatically, we accept the following dialog with “yes”.
Nothing else needs to change here, so we can download the Federation Metadata XML.
Setup AWS for Single Sign-On with Azure AD
To set up single sign-on in AWS, we perform the following tasks:
- Configure an identity provider with the Federation Metadata XML
- Create a new role in AWS
Configure an identity provider with the Federation Metadata XML
Creating a new identity provider in AWS from the XML file is easy. Log in with your global admin account to the AWS Management Console (aws.amazon.com) and search for IAM (Identity and Access Management).
In the left menu panel select “Identity provider” and then “create provider”. In the next section, select the “SAML” provider type, give it a name and choose the XML file you downloaded from the Azure portal a few steps before. Verify all data and create the provider.
Create a new role in AWS
The role is the control that decides what users coming from this provider (in this case, users from Azure AD) can do. To learn more about role-based access control, you can start with Wikipedia.
Creating a role is easy. Select “role” from the left panel and follow the instructions.
Which permissions you grant is your decision. In my case, I start with the Administrator permission to test the environment. In a production environment, it is not recommended to grant the admin permission by default 😉
Last but not least, we save the information needed to create the role in Azure AD (copy it to a notepad):
- Role ARN
- Trusted entities
Create Azure AD Role
To add a new role to the AWS enterprise application, we need the Graph API and Graph Explorer.
Log in with your Azure AD admin account and grant the permissions needed to modify the application.
To get information about your enterprise application, we look up its service principal by ObjectId. To find the ObjectId, switch to the overview of your application.
Run the GET query to view all information about the application (use your ObjectId).
Now we patch the application with the following request body. It is important to replace the “value” entry “Role ARN,Trusted entities” with your own Role ARN and Trusted entities data! Feel free to edit the description and displayName of “Admin,AWSAdmin”.
{
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "msiam_access",
      "displayName": "msiam_access",
      "id": "7dfd756e-8c27-4472-b2b7-38c17fc5de5e",
      "isEnabled": true,
      "origin": "Application",
      "value": null
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Admin,AWSAdmin",
      "displayName": "Admin,AWSAdmin",
      "id": "4aacf5a4-f38b-4861-b909-bae023e88dde",
      "isEnabled": true,
      "origin": "ServicePrincipal",
      "value": "Role ARN,Trusted entities"
    }
  ]
}
Send the request to the Graph API.
Now assign the role to one or more users or groups. You may need to refresh your browser to see the new role in the admin portal.
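As an added example (not part of the original post), the following Python helper builds the PATCH body for the service principal from your saved Role ARN and provider ARN: it checks both ARNs before they end up in the “value” entry, keeps the existing msiam_access entry (the PATCH supplies the whole appRoles collection, which is why the body above includes it), and generates a fresh id for the new role. The sample ARNs and the existing-role entry are constructed values, not taken from a real tenant.

```python
import json
import re
import uuid

# Constructed sample values; replace with the Role ARN and the provider ARN you
# saved from the AWS console (the "Trusted entities" value is the SAML provider ARN).
ROLE_ARN = "arn:aws:iam::123456789012:role/AzureAD-AWSAdmin"
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/AzureAD"

ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|saml-provider)/[\w+=,.@/-]+$")

# appRoles as returned by the GET query (sample copied from the post); the
# msiam_access entry must stay, because the PATCH replaces the whole collection.
EXISTING_APP_ROLES = [
    {
        "allowedMemberTypes": ["User"],
        "description": "msiam_access",
        "displayName": "msiam_access",
        "id": "7dfd756e-8c27-4472-b2b7-38c17fc5de5e",
        "isEnabled": True,
        "origin": "Application",
        "value": None,
    }
]

def aws_role_value(role_arn, provider_arn):
    """Build and validate the 'Role ARN,Trusted entities' value AWS expects."""
    for arn, kind in ((role_arn, "role"), (provider_arn, "saml-provider")):
        m = ARN_RE.match(arn)
        if not m or m.group(1) != kind:
            raise ValueError(f"expected an IAM {kind} ARN, got: {arn}")
    return f"{role_arn},{provider_arn}"

def build_patch_body(existing_roles, display_name, role_arn, provider_arn):
    """Return the PATCH body: the existing roles plus one new AWS role entry."""
    new_role = {
        "allowedMemberTypes": ["User"],
        "description": display_name,
        "displayName": display_name,
        "id": str(uuid.uuid4()),  # every appRole needs its own unique id
        "isEnabled": True,
        "origin": "ServicePrincipal",
        "value": aws_role_value(role_arn, provider_arn),
    }
    return {"appRoles": existing_roles + [new_role]}

if __name__ == "__main__":
    body = build_patch_body(EXISTING_APP_ROLES, "Admin,AWSAdmin", ROLE_ARN, PROVIDER_ARN)
    print(json.dumps(body, indent=2))  # paste this as the PATCH request body
```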
Use the access
The easiest way to test the access is to log in to https://myapps.microsoft.com/ with your assigned account and open the AWS app. You should then be redirected to the AWS Management Console. Now you can act as an Azure AD user in AWS with the permissions you assigned to the role in the AWS configuration section.