These directions work for macOS and Linux. Windows directions can be found here: How to install the Federated Login tool for the AWS CLI on Windows.

To install the Federated Login tool for the AWS CLI, you must first install the AWS CLI v1. The tool will not work if you install AWS CLI v2. You can install v1 by following the directions here: It is important that you use Python 3.4 or higher. Note that the default Python installation on macOS is 2.7.

Please note that this tool uses the "default" user in your AWS credentials file. If you have an existing entry labeled "default", this tool will overwrite it.
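The preconditions above (AWS CLI v1, Python 3.4 or higher, and the overwrite of an existing "default" entry) can be checked before installing the plugin. The script below is an added example, not part of the original directions or of the tool itself; the function names and the timestamped ".bak" backup name are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks for the preconditions described above.
# Function names and the ".bak.<timestamp>" backup name are assumptions.

# Succeeds only for AWS CLI v1, given the output of `aws --version`.
is_cli_v1() {
    case "$1" in
        aws-cli/1.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when a "Python X.Y.Z" version string is 3.4 or higher.
python_ok() {
    ver=${1#Python }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 4 ]; }
}

# Succeeds when the credentials file contains a [default] section.
has_default_profile() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*\[default\][[:space:]]*$' "$1"
}

# Copies the file to an owner-only backup and prints the backup path.
backup_credentials() {
    backup="$1.bak.$(date +%Y%m%d%H%M%S)"
    ( umask 077 && cp "$1" "$backup" ) && chmod 600 "$backup" &&
        printf '%s\n' "$backup"
}

preflight() {
    creds="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
    is_cli_v1 "$(aws --version 2>&1)" ||
        { echo "AWS CLI v1 is required (v2 will not work)" >&2; return 1; }
    python_ok "$(python3 --version 2>&1)" ||
        { echo "Python 3.4 or higher is required" >&2; return 1; }
    if has_default_profile "$creds"; then
        echo "Existing [default] entry backed up to $(backup_credentials "$creds")"
    else
        echo "No existing [default] entry found in $creds"
    fi
}

# Run the checks only when the script is invoked with --run.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Save the script under any name and run it with the --run argument before the pip3 step; the backup it creates can be copied back over the credentials file if the previous "default" entry is needed again.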

After you have installed the AWS CLI you need to install the Federated Login plugin. To do this enter the following commands:

pip3 install awscli-login --user

aws configure set plugins.login awscli_login

Finally, you must configure the plugin:

aws login configure

You'll be prompted with a few questions:

For ECP Endpoint URL use:

For Username enter your HawkID

Leave "Enable Keyring" blank to choose the default (False)

For Duo Factor enter "push" (without the quotes)

Leave "Role ARN" blank to choose the default (False)


To use the Federated CLI type:

aws login

You'll be prompted for your password, which will be your HawkID password. After that, you will get a prompt on your phone from Duo. Once you've acknowledged the Duo message you'll see a list of accounts and roles (if you have more than one). Make a selection and you will be logged in to AWS. From here you can use the AWS CLI as you normally would (aws ec2 describe-instances, etc.). When your session expires, you will need to log in again.


Common questions:

How long will I be logged in for?

Your session will be good for about 8 hours.

I'm logged in, but I need to switch to another account. How do I do that?

Type 'aws logout' and then type 'aws login'. Enter your credentials again (if needed) and choose the new role or account you'd like to use.

Why can't I see the account name in the list of options? I have a lot of accounts and I don't have the numbers memorized.

This is, unfortunately, a shortcoming of the tool and how it works. The account "name" isn't available until you're authenticated with AWS and the option to choose which role/account comes before this step. There are discussions around how to overcome this, but for now there is not a good option.

I'm getting an error that my default region isn't set. How do I fix that?

This is likely happening because you haven't used the AWS CLI before. Run "aws configure", leave "AWS Access Key ID" and "AWS Secret Access Key" with the default values, set "Default region name" to "us-east-1" without the quotes, and the "Default output format" to "json" without the quotes.