AD authentication to AWS from PowerShell

I’ve done a couple of other posts on using AD credentials with the AWS API. You set up AWS IAM to trust AD Federation Services (ADFS) for authentication, and you get temporary access keys to use with the AWS API. This is safer than creating lots of IAM users with long-term passwords (Secret Access Keys) that end up embedded in code and stored who knows where. See previous posts for an overview of AD authentication to AWS: http://www.alexmags.com/infra/tags/adfs/

Amazon have now made scripting against AWS easier with a couple of new cmdlets in the latest AWS Tools for Windows PowerShell. It works well, and you no longer have to worry about the temporary credentials expiring during long-running tasks, because the tools refresh them for you.

http://blogs.aws.amazon.com/security/post/Tx2EIWSEN95QD0B/How-to-Set-Up-Federated-API-Access-to-AWS-by-Using-Windows-PowerShell


# Testing based on:
# https://blogs.aws.amazon.com/net/post/Tx2PI5SQTDMAHQR/New-Support-for-Federated-Users-in-the-AWS-Tools-for-Windows-PowerShell
# http://blogs.aws.amazon.com/security/post/Tx2EIWSEN95QD0B/How-to-Set-Up-Federated-API-Access-to-AWS-by-Using-Windows-PowerShell

# Build the URL to the ADFS server (assuming the ADFS server hostname is "adfs" and it is in the same DNS domain as this machine)
$domain=(Get-WmiObject Win32_ComputerSystem).Domain
$endpointURL = "https://adfs.$domain/adfs/ls/idpinitiatedsignon?loginToRp=urn:amazon:webservices"

# First configure the endpoint that one or more role profiles will reference. Negotiate authenticates to ADFS via Kerberos if possible but can fall back to NTLM in the double-hop case (e.g. a scheduler running a task under a service account)
$epName=Set-AWSSamlEndpoint -Endpoint $endpointURL -StoreAs "adfs" -AuthenticationType Negotiate

# if the user can assume multiple roles, this creates one profile per role using the role name for the profile name
Set-AWSSamlRoleProfile -EndpointName $epName -StoreAllRoles

# Select the IAM role we want to run under (ADFS-Operations)
Set-AWSCredentials -ProfileName ADFS-Operations

# From here on you're good to go

# If you need to, enable Windows authentication with your Internet proxy (so the AWS SDK can connect out to the AWS API)
$webClient = new-object System.Net.WebClient
$webClient.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$webClient.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials

# Connect to the API and reveal the current temporary API key (the tools rotate this automatically before it expires)
$awsCreds = Get-AWSCredentials
$awsCreds.GetCredentials()
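The script above stores a profile for every role the user can assume. As an added example (my own, not the author's), here is a variant that pins a single role profile to an explicit role and identity-provider ARN, then verifies from the defender's side that what came back really is a short-lived federated session for the expected role rather than a long-term key. The account ID, role name and ADFS hostname are placeholders; `Get-STSCallerIdentity` and `Get-AWSCredential -ListProfileDetail` are standard AWS Tools for Windows PowerShell cmdlets, and the `.UseToken` / `.Token` properties come from the SDK's ImmutableCredentials object returned by `GetCredentials()`.

```powershell
# Added example: pin one SAML role profile and verify it yields temporary, role-scoped credentials.
# Placeholders (replace with your own values): account ID, role name, ADFS hostname.
$accountId    = '123456789012'          # placeholder AWS account ID
$roleName     = 'ADFS-Operations'       # role name as used in the post
$providerName = 'ADFS'                  # name of the SAML provider created in IAM
$domain       = (Get-WmiObject Win32_ComputerSystem).Domain
$endpointURL  = "https://adfs.$domain/adfs/ls/idpinitiatedsignon?loginToRp=urn:amazon:webservices"

# Register the ADFS endpoint once; later role profiles reference it by name.
$epName = Set-AWSSamlEndpoint -Endpoint $endpointURL -StoreAs 'adfs' -AuthenticationType Negotiate

# Store exactly one role profile instead of -StoreAllRoles, so a script running as a
# service account can only ever pick up the role it was built for (least privilege).
Set-AWSSamlRoleProfile -EndpointName $epName `
    -RoleARN      "arn:aws:iam::${accountId}:role/${roleName}" `
    -PrincipalARN "arn:aws:iam::${accountId}:saml-provider/${providerName}" `
    -StoreAs      $roleName

function Test-FederatedProfile {
    param([Parameter(Mandatory)][string]$ProfileName,
          [Parameter(Mandatory)][string]$ExpectedRoleName)

    # 1. The credential object must carry a session token: that is what distinguishes
    #    an STS session from a long-term IAM user access key.
    $creds = (Get-AWSCredential -ProfileName $ProfileName).GetCredentials()
    if (-not $creds.UseToken -or [string]::IsNullOrEmpty($creds.Token)) {
        throw "Profile '$ProfileName' returned long-term credentials, not a temporary STS session."
    }

    # 2. Ask STS who we actually are; the ARN of a federated session has the form
    #    arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>.
    $who = Get-STSCallerIdentity -ProfileName $ProfileName
    if ($who.Arn -notmatch "^arn:aws:sts::\d{12}:assumed-role/$([regex]::Escape($ExpectedRoleName))/") {
        throw "Profile '$ProfileName' resolved to unexpected identity: $($who.Arn)"
    }

    # Return the facts an auditor cares about; never echo the secret key or token.
    [pscustomobject]@{
        Profile   = $ProfileName
        Account   = $who.Account
        Arn       = $who.Arn
        AccessKey = $creds.AccessKey     # the public half only
        Temporary = $creds.UseToken
    }
}

# Show which profiles are now on disk (useful to spot stale ones left behind by -StoreAllRoles).
Get-AWSCredential -ListProfileDetail | Format-Table ProfileName, StoreTypeName -AutoSize

# Verify and select the role for the rest of the session.
Test-FederatedProfile -ProfileName $roleName -ExpectedRoleName $roleName
Set-AWSCredential -ProfileName $roleName
```

Running `Test-FederatedProfile` at the top of a scheduled job makes a mis-bound profile fail loudly before any work is done, and the returned object (access key ID, account and assumed-role ARN, but no secret or token) is safe to write to a job log for later correlation with CloudTrail's `AssumeRoleWithSAML` events.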
