The Federated Login tool for the AWS CLI does not work natively on Windows. However, this workaround will provide you with access to it. This process for initial setup takes 30 - 60 minutes to complete.
Installing the Federated Login tool for the AWS CLI on Windows requires the following:
- Windows 10 version 1709 or higher
- Administrator permissions on your system
- Enabling Windows Subsystem for Linux
- Installing Ubuntu 18.04 from the Windows Store (this does not replace Windows with Linux and will not harm your system)
If you already have the Windows Subsystem for Linux installed and were using it with the AWS CLI, please note that this tool uses the "default" user in your aws credentials file. If you have an existing entry labeled "default", this tool will overwrite it.
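The overwrite described above can be checked for before you run the tool. The script below is an added example, not part of the original instructions or of awscli-login: it looks for a [default] section in the AWS credentials file, lists the key names stored there without printing their values, and writes an owner-only, timestamped backup. The function names are hypothetical; the file location is the AWS CLI's standard ~/.aws/credentials (or the path in AWS_SHARED_CREDENTIALS_FILE).

```bash
#!/usr/bin/env bash
# Added example (function names are hypothetical, not part of awscli-login).
# Location the AWS CLI reads; AWS_SHARED_CREDENTIALS_FILE overrides the default.
CRED_FILE="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"

# Succeeds if the file exists and contains a [default] section header.
has_default_profile() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*\[default\][[:space:]]*$' "$1"
}

# Prints the key names stored under [default], never their values.
default_profile_keys() {
    awk '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^[#;]/ { next }                                   # comment line
        line ~ /^\[/   { in_default = (line == "[default]"); next }
        in_default && index(line, "=") {
            key = substr(line, 1, index(line, "=") - 1)
            gsub(/[ \t]+$/, "", key)
            print key
        }
    ' "$1"
}

# Copies the file to an owner-only, timestamped backup and prints its path.
backup_credentials() {
    _dest="$1.bak.$(date +%Y%m%d%H%M%S)"
    ( umask 077; cp -- "$1" "$_dest" ) || return 1
    chmod 600 "$_dest" || return 1
    printf '%s\n' "$_dest"
}

# Backs up only when a [default] profile is present.
protect_default_profile() {
    if has_default_profile "$1"; then
        echo "[default] currently holds: $(default_profile_keys "$1" | tr '\n' ' ')"
        echo "Backup written to: $(backup_credentials "$1")"
    else
        echo "No [default] profile in $1; nothing to preserve."
    fi
}

protect_default_profile "$CRED_FILE"
```

Run it in the Ubuntu window before the first login; the backup keeps the old long-lived keys on disk, so delete it once you no longer need them.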
For information on how to enable and configure Windows Subsystem for Linux, you can follow the directions here: https://docs.microsoft.com/en-us/windows/wsl/install-win10. After the subsystem has been installed, the installation of Ubuntu can be done via the Windows Store. When the Windows Store opens to the Ubuntu page, first click the "Get" button.
Then, when the download is complete, click the "Launch" button.
You will then see the installation take place over the next few minutes.
Once you have enabled Windows Subsystem for Linux and installed Ubuntu 18.04 from the Windows Store, you can proceed with these instructions: https://docs.microsoft.com/en-us/windows/wsl/initialize-distro. DO NOT SKIP THE "UPDATE & UPGRADE YOUR DISTRO'S PACKAGES" STEP!!
With Ubuntu 18.04 initialized, you'll be ready to install the packages required on Linux:
sudo apt install python3-pip
sudo pip3 install awscli
sudo pip3 install awscli-login
With those packages installed, we can configure the AWS CLI plugin. Run the following:
aws configure set plugins.login awscli_login
Finally, you must configure the plugin:
aws login configure
You will be prompted with a few questions:
ECP Endpoint URL [None]: https://idp.uiowa.edu/idp/profile/SAML2/SOAP/ECP
Username [None]: <type your HawkID here>
Enable Keyring [False]: <leave this blank and hit Enter>
Duo Factor [None]: push
Role ARN [None]: <leave this blank and hit Enter>
With the plugin configured, you need to tell the AWS CLI which region to use.
You will be prompted for the following:
AWS Access Key ID [None]: <leave this blank and hit Enter>
AWS Secret Access Key [None]: <leave this blank and hit Enter>
Default region name [None]: us-east-1
Default output format [None]: json
This completes the installation.
Using the CLI
To use the Federated CLI type the following command in the Ubuntu window:
You will be prompted for your password, which will be your HawkID password. After that, you will get a prompt on your phone from Duo. Once you've acknowledged the Duo message, you'll see a list of accounts and roles (if you have more than one). Make a selection and you will be logged in to AWS. From here you can use the AWS CLI like you normally would (aws ec2 describe-instances, etc.). When your session expires, you will need to log in again.
After I log in, how long will my session last?
Your session will be good for about 8 hours.
I'm logged in, but I need to switch to another account. How do I do that?
Type 'aws logout' and then type 'aws login'. Enter your credentials again (if needed) and choose the new role or account you'd like to use.
Why can't I see the account name in the list of options? I have a lot of accounts and I don't have the numbers memorized.
This is, unfortunately, a shortcoming of the tool and how it works. The account "name" isn't available until you're authenticated with AWS and the option to choose which role/account comes before this step. There are discussions around how to overcome this, but for now there is not a good option.