
Federate your Active Directory with the AMS IAM roles

The purpose of federating your directory with the AMS IAM roles is to enable corporate users to use their corporate credentials to interact with the AWS Console and the AWS APIs, and therefore the AMS console and APIs.

Federation process example

This example uses Active Directory Federation Services (AD FS); however, any technology that supports AWS IAM Federation is supported. For more information on AWS-supported IAM federation, see IAM Partners and Identity Providers and Federation. Your CSDM will help you through this process, which involves a joint effort with your AD team and AMS.

For detailed information on integrating SAML for API access, refer to this AWS blog, How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS.

Note: For an example that installs the AMS CLI and SAML, see Appendix: ActiveDirectory Federation Services (ADFS) claim rule and SAML settings (p. 206).

Configuring federation to the AMS console (SALZ)

The IAM roles and SAML identity provider (Trusted Entity) detailed in the following table have been provisioned as part of your account onboarding. These roles allow you to submit and monitor RFCs, service requests, and incident reports, as well as get information on your VPCs and stacks.

Role | Identity Provider | Permissions
Customer_ReadOnly_Role | SAML | For standard AMS accounts. Allows you to submit RFCs to make changes to AMS-managed infrastructure, as well as create service requests and incidents.
customer_managed_ad_user_role | SAML | For AMS Managed Active Directory accounts. Allows you to log in to the AMS Console to create service requests and incidents (no RFCs).

For the full list of the roles available under different accounts see IAM User Role (p. 20).

A member of the onboarding team uploads the metadata file from your federation solution to the pre-configured identity provider. You use a SAML identity provider when you want to establish trust between a SAML-compatible IdP (identity provider), such as Shibboleth or Active Directory Federation Services, and AWS, so that users in your organization can access AWS resources. SAML identity providers in IAM are used as principals in the IAM trust policies of the roles listed above.

While other federation solutions provide integration instructions for AWS, AMS has separate instructions.

Following the blog post Enabling Federation to AWS Using Windows Active Directory, AD FS, and SAML 2.0, with the amendments given below, enables your corporate users to access multiple AWS accounts from a single browser.

After creating the relying party trust as per the blog post, configure the claims rules in the following way:

• NameId: Follow the blog post.

• RoleSessionName: Use the following values:

  Claim rule name: RoleSessionName
  Attribute store: Active Directory
  LDAP Attribute: SAM-Account-Name
  Outgoing Claim Type: https://aws.amazon.com/SAML/Attributes/RoleSessionName

• Get AD Groups: Follow the blog post.

• Role claim: Follow the blog post, but for the Custom rule, use this:

  c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-([\d]{12})-"]
  => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-([\d]{12})-", "arn:aws:iam::$1:saml-provider/customer-readonly-saml,arn:aws:iam::$1:role/"));

When using AD FS, you must create Active Directory security groups for each role in the format shown in the following table (customer_managed_ad_user_role is for AMS Managed AD accounts only):

Group | Role
AWS-[AccountNo]-Customer_ReadOnly_Role | Customer_ReadOnly_Role
AWS-[AccountNo]-customer_managed_ad_user_role | customer_managed_ad_user_role
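To see what the Role claim rule above actually emits for a user's groups, here is an added Python emulation. It is not AD FS code and not from this page: it applies the rule's condition regex and its RegExReplace pattern (with the 12-digit account class written as [\d]{12}) to a constructed list of AD security group names, including names that do not follow the AWS-[AccountNo]-RoleName format from the table and therefore produce no Role claim at all. The group names and account numbers are constructed; customer-readonly-saml is the provider name used in the rule itself.

```python
import re

# Constructed sample: the AD security groups of one corporate user. The first two
# follow the AWS-[AccountNo]-RoleName format from the table; the rest are common
# mistakes that silently yield no Role claim.
SAMPLE_GROUPS = [
    "AWS-123456789012-Customer_ReadOnly_Role",
    "AWS-210987654321-customer_managed_ad_user_role",
    "AWS-12345678901-Customer_ReadOnly_Role",   # only 11 digits: not an account number
    "AWS_123456789012_Customer_ReadOnly_Role",  # underscores instead of hyphens
    "Domain Users",                             # unrelated group, correctly ignored
]

# The two regexes of the claim rule: the condition (case-insensitive, anchored) and
# the RegExReplace pattern that rewrites the "AWS-<account>-" prefix into ARNs.
CONDITION = re.compile(r"(?i)^AWS-([\d]{12})-")
REPLACE = re.compile(r"AWS-([\d]{12})-")
PROVIDER = "customer-readonly-saml"   # SAML provider name used in the page's rule
# Same replacement string as the rule; "\1" is the captured account number ($1 in AD FS).
REPLACEMENT = rf"arn:aws:iam::\1:saml-provider/{PROVIDER},arn:aws:iam::\1:role/"


def role_claim_values(groups):
    """Emulate the Role claim rule: one Role attribute value per matching group.

    The value is "<provider_arn>,<role_arn>", the pair STS needs for AssumeRoleWithSAML.
    """
    values = []
    for group in groups:
        if CONDITION.match(group):
            values.append(REPLACE.sub(REPLACEMENT, group, count=1))
    return values


def split_role_value(value):
    """Split one Role attribute value into (provider_arn, role_arn)."""
    provider_arn, role_arn = value.split(",", 1)
    return provider_arn, role_arn


def unmatched_groups(groups):
    """Groups that look AWS-related but will NOT produce a Role claim.

    Useful when a user reports seeing no roles on the AWS sign-in page.
    """
    return [g for g in groups if g.upper().startswith("AWS") and not CONDITION.match(g)]


if __name__ == "__main__":
    for value in role_claim_values(SAMPLE_GROUPS):
        print("Role claim:", value)
    for group in unmatched_groups(SAMPLE_GROUPS):
        print("No claim for group:", group)
```

Run against the real group list of a test user (for example, the output of Get-ADPrincipalGroupMembership) to confirm that every intended role produces exactly one Role value before troubleshooting with the SAML tracer.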

For further information, see Configuring SAML Assertions for the Authentication Response.

Tip: To help with troubleshooting, download the SAML tracer plugin for your browser.


Submitting the federation request to AMS

If this is your first account, work with your CSDM(s) and/or Cloud Architect(s) to provide the metadata XML file for your identity provider.

If you are onboarding an additional account or Identity Provider and have access to either the management account or the desired application account, follow these steps.

1. Create a service request from the AMS console, providing the details necessary to add the identity provider:

• AccountId of the account where the new identity provider will be created.

• Desired identity provider name. If none is provided, the default is customer-saml; typically this must match the settings configured in your federation provider.

• For existing accounts, include whether the new identity provider should be propagated to all existing console roles or provide a list of roles that should trust the new identity provider.

• Attach the metadata XML file exported from your federation agent to the service request as a file attachment.

2. From the same account where you created the service request, create a new RFC using CT-ID ct-1e1xtak34nx76 (Management | Other | Other | Create) with the following information.

• Title: "Onboard SAML IDP <Name> for Account <AccountId>".

• AccountId of the account where the identity provider will be created.

• Identity provider name.

• For Existing Accounts: Whether the identity provider should be propagated to all existing console roles, or the list of roles which should trust the new identity provider.

• Case ID of service request created in Step 1, where the metadata XML file is attached.
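Once AMS has processed the RFC, a practitioner will want to confirm which console roles now trust the new identity provider, since the request above lets you choose between all roles and an explicit list. The Python check below is an added example, not AMS tooling: it classifies role trust policies of the shape IAM returns in the AssumeRolePolicyDocument field of aws iam get-role, looking for an Allow statement that names the provider as a Federated principal for sts:AssumeRoleWithSAML and pins the SAML:aud condition to the AWS sign-in endpoint. The sample policies, the account number, the legacy-saml provider and the Customer_Other_Role name are constructed for the example; customer-saml is the default provider name from step 1.

```python
SIGNIN_AUDIENCE = "https://signin.aws.amazon.com/saml"
ASSUME_ACTION = "sts:AssumeRoleWithSAML"

# Constructed sample: provider ARNs in a constructed account.
NEW_PROVIDER = "arn:aws:iam::123456789012:saml-provider/customer-saml"
OLD_PROVIDER = "arn:aws:iam::123456789012:saml-provider/legacy-saml"

# Constructed sample trust policies, one per role, as returned by `aws iam get-role`
# in Role.AssumeRolePolicyDocument. Customer_Other_Role is a hypothetical role name.
SAMPLE_TRUST_POLICIES = {
    "Customer_ReadOnly_Role": {           # already trusts both providers
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": [OLD_PROVIDER, NEW_PROVIDER]},
            "Action": ASSUME_ACTION,
            "Condition": {"StringEquals": {"SAML:aud": SIGNIN_AUDIENCE}},
        }],
    },
    "customer_managed_ad_user_role": {    # still trusts only the old provider
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OLD_PROVIDER},
            "Action": ASSUME_ACTION,
            "Condition": {"StringEquals": {"SAML:aud": SIGNIN_AUDIENCE}},
        }],
    },
    "Customer_Other_Role": {              # trusts the new provider but lacks SAML:aud
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": NEW_PROVIDER},
            "Action": [ASSUME_ACTION],
        }],
    },
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def trust_status(policy, provider_arn):
    """Classify one trust policy with respect to a SAML provider ARN.

    Returns "trusted" when an Allow statement lets provider_arn call
    sts:AssumeRoleWithSAML with SAML:aud pinned to the AWS sign-in endpoint,
    "trusted-no-audience" when such a statement exists without the audience
    condition, and "not-trusted" when no statement names the provider.
    """
    best = "not-trusted"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if ASSUME_ACTION not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue
        if provider_arn not in _as_list(principal.get("Federated", [])):
            continue
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud is not None and SIGNIN_AUDIENCE in _as_list(aud):
            return "trusted"
        best = "trusted-no-audience"
    return best


def roles_missing_provider(policies, provider_arn):
    """Role names whose trust policy does not reference provider_arn at all."""
    return sorted(name for name, policy in policies.items()
                  if trust_status(policy, provider_arn) == "not-trusted")


if __name__ == "__main__":
    for name, policy in SAMPLE_TRUST_POLICIES.items():
        print(f"{name}: {trust_status(policy, NEW_PROVIDER)}")
```

Feed it the AssumeRolePolicyDocument of each console role from the account named in the RFC; any role reported as not-trusted after the RFC closes is worth a follow-up on the same service request, and a trusted-no-audience result means the assertion could be replayed to a different audience and should be raised as well.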

Verify console access

Once you are set up with Active Directory Federation Services (AD FS) and have the AMS URL to use for authentication, follow these steps:

1. Open a browser window and go to the sign in page provided to you for your account. The ADFS IdpInitiatedSignOn page for your account opens.

2. Select the radio button next to Sign in to one of the following sites. The Sign in site picklist becomes active.

3. Choose the signin.aws.amazon.com site and click Sign in. Options for entering your credentials open.

4. Enter your CORP credentials and click Sign in. The AWS Management Console opens.

5. Paste into the location bar the URL of the AMS console and press Enter. The AMS console opens.

Verify API access

AMS uses the AWS API, with some AMS-specific operations that you can read about in the AMS API Reference.

AWS provides several SDKs that you can access at Tools for Amazon Web Services. If you don't want to use an SDK, you can make direct API calls. For information on authentication, see Signing AWS API Requests. If you prefer not to use an SDK or make direct HTTP API requests, you can use the AMS CLIs for Change Management (CM) and SKMS.


Install the AMS CLIs

See Appendix: ActiveDirectory Federation Services (ADFS) claim rule and SAML settings (p. 206) for an example of installing the CLI to use with SAML.

Note: You must have administrator credentials for this procedure.

The AWS CLI is a prerequisite for using the AMS CLIs (Change Management and SKMS).

1. To install the AWS CLI, see Installing the AWS Command Line Interface and follow the appropriate instructions. Note that the bottom of that page has instructions for the different installers: Linux, MS Windows, macOS, Virtual Environment, and the Bundled Installer (Linux, macOS, or Unix).

After the installation, run aws help to verify the installation.

2. Once the AWS CLI is installed, to install or upgrade the AMS CLI, download either the AMS CLI or the AMS SDK distributables zip file and unzip it. You can access the AMS CLI distributables through the Documentation link in the left nav of the AMS console, or ask your cloud service delivery manager (CSDM) to send you the zip file.

3. The README file provides instructions for any install.

Open either:

• CLI zip: Provides the AMS CLI only.

• SDK zip: Provides all of the AMS APIs and the AMS CLI.

For Windows, run the appropriate installer (32- or 64-bit systems only):

• 32-bit: ManagedCloudAPI_x86.msi

• 64-bit: ManagedCloudAPI_x64.msi

For Mac/Linux, run the file named MC_CLI.sh with this command: sh MC_CLI.sh. Note that the amscm and amsskms directories and their contents must be in the same directory as the MC_CLI.sh file.

4. If your corporate credentials are used via federation with AWS (the AMS default configuration), you must install a credential management tool that can access your federation service. For example, the AWS Security Blog post How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS can help you configure your credential management tooling.

5. After the installation, run aws amscm help and aws amsskms help to see commands and options.
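The credential management tool in step 4 works by authenticating to AD FS, receiving the SAMLResponse that AD FS would otherwise post to signin.aws.amazon.com, and reading the Role and RoleSessionName attributes produced by the claim rules earlier on this page before calling sts:AssumeRoleWithSAML. The Python below is an added example of that parsing step only; it is neither the AMS CLI nor the blog's script. It decodes a constructed, unsigned SAMLResponse, verifies that the assertion's audience is the AWS sign-in endpoint, and returns the provider/role ARN pairs plus the arguments for the selected account. The account numbers, the user name jdoe and the element IDs are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample: an unsigned SAMLResponse of the shape AD FS returns after the
# RoleSessionName and Role claim rules on this page have run for user "jdoe".
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_constructed-response">
  <saml:Assertion ID="_constructed-assertion">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{AWS_AUDIENCE}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{SESSION_ATTR}">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/customer-readonly-saml,arn:aws:iam::123456789012:role/Customer_ReadOnly_Role</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::210987654321:saml-provider/customer-readonly-saml,arn:aws:iam::210987654321:role/customer_managed_ad_user_role</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text):
    """Base64-encode assertion XML the way it travels in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()


SAMPLE_SAMLRESPONSE = encode_response(SAMPLE_RESPONSE_XML)


def audience_ok(saml_response_b64):
    """True only if the assertion is addressed to the AWS sign-in audience."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    return AWS_AUDIENCE in audiences


def parse_saml_response(saml_response_b64):
    """Return (role_session_name, [(provider_arn, role_arn), ...]) from a SAMLResponse."""
    if not audience_ok(saml_response_b64):
        raise ValueError("assertion is not addressed to " + AWS_AUDIENCE)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    session_name = attrs.get(SESSION_ATTR, [None])[0]
    pairs = []
    for value in attrs.get(ROLE_ATTR, []):
        first, second = (part.strip() for part in value.split(",", 1))
        # AWS accepts either order in the Role value; normalize to (provider, role).
        if ":saml-provider/" in first:
            pairs.append((first, second))
        else:
            pairs.append((second, first))
    return session_name, pairs


def assume_role_args(saml_response_b64, account_id):
    """Arguments for `aws sts assume-role-with-saml` for the role offered in account_id."""
    _session_name, pairs = parse_saml_response(saml_response_b64)
    for provider_arn, role_arn in pairs:
        if role_arn.split(":")[4] == account_id:   # account id is the 5th ARN field
            return {"role-arn": role_arn,
                    "principal-arn": provider_arn,
                    "saml-assertion": saml_response_b64}
    raise LookupError("no role offered for account " + account_id)


if __name__ == "__main__":
    name, offered = parse_saml_response(SAMPLE_SAMLRESPONSE)
    print("RoleSessionName:", name)
    for provider_arn, role_arn in offered:
        print("offered:", role_arn, "via", provider_arn)
```

In a real tool the SAMLResponse value comes from the form AD FS returns after authentication, and the chosen pair is passed as --role-arn, --principal-arn and --saml-assertion to aws sts assume-role-with-saml; the signature on the real assertion is checked by STS, not by this parser, which only prevents a tool from blindly forwarding an assertion issued for some other relying party.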