The Federated Login tool for the AWS CLI does not work natively on Windows. However, this workaround will provide you with access to it. The initial setup takes 30 to 60 minutes to complete.

Installation

Installing the Federated Login tool for the AWS CLI on Windows requires the following:

  • Windows 10 version 1709 or higher
  • Administrator permissions on your system
  • Enabling Windows Subsystem for Linux
  • Installing Ubuntu 18.04 from the Windows Store (this does not replace Windows with Linux and will not harm your system)

If you already have the Windows Subsystem for Linux installed and were using it with the AWS CLI, please note that this tool uses the "default" user in your aws credentials file. If you have an existing entry labeled "default", this tool will overwrite it.
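One way to check for an existing "default" entry and keep a copy of it before the tool overwrites it. This is an added example, not part of the tool or the original instructions; the function names are hypothetical, and the path assumes the standard AWS CLI credentials location (~/.aws/credentials, or AWS_SHARED_CREDENTIALS_FILE if you have set it).

```shell
#!/bin/sh
# Added example: detect and back up an existing [default] profile before
# the login tool writes to it. Function names are hypothetical.

# Standard AWS CLI credentials location, unless overridden by the environment.
CRED_FILE="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"

# Return 0 if the file exists and contains a [default] section header.
# Commented-out headers such as "#[default]" do not match.
has_default_profile() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*\[default\][[:space:]]*$' "$1"
}

# Copy the file to a timestamped backup that only the owner can read,
# then print the backup path on stdout.
backup_credentials() {
    bc_dest="$1.bak.$(date +%Y%m%d%H%M%S)"
    ( umask 077; cp -- "$1" "$bc_dest" ) || return 1
    chmod 600 "$bc_dest"
    printf '%s\n' "$bc_dest"
}

# Back up the credentials file only when a [default] profile is present.
# Status messages go to stderr so stdout carries just the backup path.
protect_default_profile() {
    pd_file="${1:-$CRED_FILE}"
    if has_default_profile "$pd_file"; then
        echo "Existing [default] profile found in $pd_file" >&2
        backup_credentials "$pd_file"
    else
        echo "No [default] profile in $pd_file; nothing to back up" >&2
    fi
}

# When a credentials file path is given on the command line, run the check.
if [ "$#" -gt 0 ]; then
    protect_default_profile "$1"
fi
```

Run it in the Ubuntu window with the path to your credentials file as the argument. The backup contains long-lived keys if your old "default" entry did, so keep it out of shared or synced folders.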

For information on how to enable and configure Windows Subsystem for Linux, you can follow the directions here: https://docs.microsoft.com/en-us/windows/wsl/install-win10. After the subsystem has been installed, Ubuntu can be installed via the Windows Store. When the Windows Store opens to the Ubuntu page, first click the "Get" button.

Then, when the download is complete, click the "Launch" button.

You will see the installation taking place over the next few minutes.

Once you have enabled Windows Subsystem for Linux and installed Ubuntu 18.04 from the Windows Store, you can proceed with these instructions: https://docs.microsoft.com/en-us/windows/wsl/initialize-distro.  DO NOT SKIP THE "UPDATE & UPGRADE YOUR DISTRO'S PACKAGES" STEP!!

With Ubuntu 18.04 initialized, you'll be ready to install the packages required on Linux:

sudo apt install python3-pip
sudo pip3 install awscli

sudo pip3 install awscli-login

Configuration

With those packages installed, we can configure the AWS CLI plugin. Run the following:

aws configure set plugins.login awscli_login

Finally, you must configure the plugin:

aws login configure

You will be prompted with a few questions:

ECP Endpoint URL [None]:  https://idp.uiowa.edu/idp/profile/SAML2/SOAP/ECP
Username [None]:  <type your HawkID here>
Enable Keyring [False]:  <leave this blank and hit Enter>
Duo Factor [None]:  push
Role ARN [None]:  <leave this blank and hit Enter>

With the plugin configured, you need to tell the AWS CLI which region to use.

aws configure

You will be prompted for the following:

AWS Access Key ID [None]:  <leave this blank and hit Enter>
AWS Secret Access Key [None]:  <leave this blank and hit Enter>
Default region name [None]:  us-east-1
Default output format [None]:  json

This completes the installation.

Using the CLI

To use the Federated CLI, type the following command in the Ubuntu window:

aws login

You will be prompted for your password, which will be your HawkID password. After that, you will get a prompt on your phone from Duo. Once you've acknowledged the Duo message, you'll see a list of accounts and roles (if you have more than one). Make a selection and you will be logged in to AWS. From here you can use the AWS CLI like you normally would (aws ec2 describe-instances, etc.). When your session expires, you will need to log in again.

Common questions:

After I log in, how long will my session last?

Your session will be good for about 8 hours.

I'm logged in, but I need to switch to another account.  How do I do that?

Type 'aws logout' and then type 'aws login'.  Enter your credentials again (if needed) and choose the new role or account you'd like to use.

Why can't I see the account name in the list of options?  I have a lot of accounts and I don't have the numbers memorized.

This is, unfortunately, a shortcoming of the tool and how it works. The account "name" isn't available until you're authenticated with AWS and the option to choose which role/account comes before this step. There are discussions around how to overcome this, but for now there is not a good option.