Azure-AD integration with AWS for console and CLI access.



Hi folks, in this post let us see how to integrate Azure-AD users with AWS for both console and CLI access.

For SOC 2 type audits it is preferable to give users AWS access without handing out the .pem key pair of the EC2 instances. Tying AWS access to Azure-AD is also seamless: access is granted and revoked centrally, so it disappears when the user leaves the company.

I prefer Azure-AD SSO for this integration over AWS SSO because the SAML-federated roles are ordinary IAM roles in your own account, so you attach whatever customised policies you need directly to them and manage them with the rest of your IAM setup.

AZURE-AD SSO with AWS:

1. In your Microsoft Azure login click on Azure Active Directory.



2. In the Manage section select Enterprise applications.

3. Then select New application.

4. Search for AWS. Select the AWS SSO application as in the figure and create it. You can customise the name; we are going with the name AWS_SSO.



5. Now click on Single sign-on. The first two sections, Basic SAML configuration and User attributes & claims, are usually pre-populated; if not, fill them as shown in the figure. If you integrate several AWS accounts through separate SSO applications, the Identifier and Reply URL must be unique per application. The first application uses

Identifier (Entity ID): https://signin.aws.amazon.com/saml

Reply URL: https://signin.aws.amazon.com/saml

the second uses https://signin.aws.amazon.com/saml#2 for both values, the third #3, and so on.





6. SAML signing certificate:

Azure usually generates this certificate automatically. If it did not, create a new one as follows:

Click on Add a certificate => New certificate with

Signing option: Sign SAML assertion.

Signing algorithm: SHA-256, and save.

Then activate it by clicking Make certificate active. Only an active certificate is published in the metadata, and AWS will reject assertions signed with any other key.

Then download the Federation Metadata XML file and save it on your local system.


7. Now log in to your AWS account with admin rights and go to the IAM console.

8. Then click on Identity providers => Add provider => SAML, and give the provider a name, e.g. AzureADsso.

9. In the Metadata document section upload the federation metadata XML we downloaded from Azure and click Add provider. The signing certificate inside this file is what AWS uses to verify every assertion, so whenever you rotate the certificate in Azure you must upload the new metadata here too.



10. Then select Roles => Create role => SAML 2.0 federation, choose the SAML provider we just created as shown, and select Allow programmatic and AWS Management Console access. The wizard writes a trust policy that lets only this provider assume the role.


11. Next select an existing policy or create your own and attach it to this role. Create as many roles as your company requires, each trusting the same SAML provider; every such role becomes a selectable role for the users you later assign to it.

12. Now create the IAM policy that we will attach to the IAM user Azure uses to read the role list. Name this policy AzureAD_SSOUserRole_Policy; it needs nothing more than iam:ListRoles:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "*"
        }
    ]
}


13. Now create an IAM user named AzureADRoleManager, attach AzureAD_SSOUserRole_Policy to it, select Programmatic access as the access type and download the credentials. This is a long-lived access key that will live in Azure; it can only list roles, but keep the downloaded CSV out of shared storage and rotate the key on your normal schedule.

14. Go back to the Azure application and select Provisioning => Get started => set Provisioning Mode to Automatic.

Under Admin Credentials enter the AzureADRoleManager user's access key and secret, click Test Connection and save.

15. Then set Provisioning Status to On and save once again.



16. Provisioning takes some time to pull the roles from AWS. Once the roles are listed in the provisioning console, go to the Users and groups tab.

Add users through Add user, pick the appropriate role for each user and assign. A user sees only the roles assigned here.



17. Now test the SSO through the test tab in the application.




18. You will be redirected to the AWS console and land in one of the roles assigned to you, as shown.





19. For CLI access there are two ways.

A. aws-azure-login, an open-source tool you can get from:

https://github.com/sportradar/aws-azure-login 

Prerequisite installation for this tool on Ubuntu 18.04.

The tool runs on Node.js. The commands below install Node.js 12, which is what this setup used; that release is now end-of-life, so pick the setup script of a currently supported LTS release from the same NodeSource site.

sudo apt update
sudo apt -y upgrade
sudo apt -y install curl dirmngr apt-transport-https lsb-release ca-certificates
curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -
sudo apt -y install nodejs
sudo apt -y install gcc g++ make

You can check the versions by

$ node --version
v12.10.0

$ npm --version
6.10.3


Then install aws-azure-login for the current user only (a per-user npm prefix avoids running npm install as root):

mkdir -p ~/.npm-global
npm config set prefix '~/.npm-global'
echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.profile
source ~/.profile

and

npm install -g aws-azure-login

For login:

First configure the tool once with:

aws-azure-login --configure

It prompts for your Azure tenant ID, the App ID URI (the Identifier from step 5), your username, a default role ARN and the default session duration. Then log in with:

aws-azure-login

Complete the Azure sign-in, select one of the roles assigned to you, and temporary credentials for that role are written to your AWS CLI profile (use --profile to keep several accounts apart). aws sts get-caller-identity then shows the assumed role.
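To make clear what the tool does between "select the role" and "gain CLI access", here is an added example that is not part of this post or of aws-azure-login itself. It decodes a SAML response, lists the role/provider ARN pairs carried in the Role attribute, exchanges the assertion for temporary credentials with sts:AssumeRoleWithSAML and writes them into an AWS CLI profile. The SAML response, account ID, role names and provider name are constructed for the example; the STS call needs boto3 and network access and is not exercised offline.

```python
import base64
import configparser
import xml.etree.ElementTree as ET
from pathlib import Path

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed, unsigned SAML response for illustration. Account ID, role and provider
# names are assumptions; a real response from Azure-AD carries an XML signature.
SAMPLE_SAML_RESPONSE = base64.b64encode(b"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/Developer,arn:aws:iam::123456789012:saml-provider/AzureADsso</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/AzureADsso,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>3600</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""").decode()


def parse_assertion(saml_response_b64):
    """Decode the SAMLResponse form value and pull out what STS needs: the
    (role, provider) ARN pairs from the Role attribute (AWS accepts either order
    inside the comma-separated value) and the requested session duration."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles, duration = [], 3600
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        if attr.get("Name") == DURATION_ATTR and values:
            duration = int(values[0])
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in values:
            parts = [p.strip() for p in value.split(",")]
            role = next((p for p in parts if ":role/" in p), None)
            provider = next((p for p in parts if ":saml-provider/" in p), None)
            if len(parts) != 2 or role is None or provider is None:
                raise ValueError(f"malformed Role attribute value: {value!r}")
            roles.append((role, provider))
    return {"roles": roles, "duration": duration}


def assume_role_with_saml(saml_response_b64, role_arn, provider_arn, duration,
                          region="us-east-1"):
    """Exchange the assertion for temporary credentials. The call is unsigned, so
    no AWS credentials are needed; STS verifies the assertion's signature against
    the IdP metadata uploaded in step 9 and checks the chosen pair is in it."""
    import boto3  # only needed for the live call
    sts = boto3.client("sts", region_name=region)
    resp = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=provider_arn,
                                     SAMLAssertion=saml_response_b64,
                                     DurationSeconds=duration)
    return resp["Credentials"]


def write_profile(credentials_path, profile, creds):
    """Store temporary credentials in an AWS CLI credentials file, mode 0600."""
    path = Path(credentials_path)
    cfg = configparser.ConfigParser()
    if path.exists():
        cfg.read(path)
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    path.chmod(0o600)
    return str(path)


def read_profile(credentials_path, profile):
    """Read a profile back as a plain dict (used to verify what was written)."""
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    return dict(cfg[profile])


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_SAML_RESPONSE)
    for i, (role, provider) in enumerate(parsed["roles"]):
        print(f"[{i}] {role}  (via {provider})")
    # Live use would continue with, for the chosen index:
    #   creds = assume_role_with_saml(SAMPLE_SAML_RESPONSE, role, provider, parsed["duration"])
    #   write_profile(Path.home() / ".aws" / "credentials", "azure", creds)
```

The client never validates the assertion; only STS does, and it also rejects a role/provider pair that the signed assertion does not list. So nothing in the parsing step is an authorization decision, and a user can only pick among the roles Azure assigned in step 16.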

For SSH access to EC2 instances with Azure-AD SSO for individual users, create the following EC2 Instance Connect policy and attach it to the SAML role.

Replace AWSACCOUNT-ID in Resource with your account ID, and adjust the region if your instances are not in us-east-1: the ARN must match the instance's region or the request is denied. The value under ec2:osuser is the Linux account the user may push a key for, so "ragesh" here must be an existing user on the instance; with this policy attached, Azure-AD users can reach their instances over SSH through the credentials obtained from aws-azure-login.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": "arn:aws:ec2:us-east-1:AWSACCOUNT-ID:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:osuser": [
                        "ragesh"
                    ]
                }
            }
        }
    ]
}
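As an added example (not code from this post), the following shows the two halves of that SSH flow: a small evaluator that checks whether a SendSSHPublicKey request passes the policy above, which makes the region and ec2:osuser constraints concrete, and the client-side steps aws-azure-login users take, pushing a one-shot key with EC2 Instance Connect and then connecting. The account ID 123456789012, the instance ID and the host name are assumptions; the live function needs boto3, ssh-keygen and network access and is not run offline.

```python
import fnmatch
import json
import subprocess
import tempfile
from pathlib import Path

# The policy from the post, with an assumed account ID filled in.
INSTANCE_CONNECT_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "ec2-instance-connect:SendSSHPublicKey",
        "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "Condition": {"StringEquals": {"ec2:osuser": ["ragesh"]}}
    }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource, context):
    """Minimal evaluator for Allow-only identity policies: wildcard-match Action
    and Resource, then every StringEquals condition key must match the request
    context. Real IAM also handles Deny, other operators and case-insensitive
    action names; this is only enough to reason about the policy above."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) in _as_list(allowed) for key, allowed in conds.items()):
            return True
    return False


def instance_arn(region, account, instance_id):
    """Resource ARN that IAM evaluates for an EC2 Instance Connect request."""
    return f"arn:aws:ec2:{region}:{account}:instance/{instance_id}"


def ssh_via_instance_connect(instance_id, os_user, host, region, profile=None):
    """Generate a throwaway key, push it with EC2 Instance Connect (the instance
    accepts it for 60 seconds) and open the SSH session. Credentials come from
    the profile aws-azure-login wrote, i.e. the SAML role with the policy above."""
    import boto3  # only needed for the live call
    with tempfile.TemporaryDirectory() as tmp:
        key = Path(tmp) / "id_ed25519"
        subprocess.run(["ssh-keygen", "-t", "ed25519", "-N", "", "-q", "-f", str(key)],
                       check=True)
        public_key = key.with_suffix(".pub").read_text()
        session = boto3.Session(profile_name=profile, region_name=region)
        session.client("ec2-instance-connect").send_ssh_public_key(
            InstanceId=instance_id, InstanceOSUser=os_user, SSHPublicKey=public_key)
        # Connect right away; the pushed key expires before a slow operator would.
        return subprocess.call(["ssh", "-i", str(key), f"{os_user}@{host}"])


if __name__ == "__main__":
    action = "ec2-instance-connect:SendSSHPublicKey"
    arn = instance_arn("us-east-1", "123456789012", "i-0123456789abcdef0")
    print("ragesh in us-east-1:", policy_allows(INSTANCE_CONNECT_POLICY, action, arn,
                                                 {"ec2:osuser": "ragesh"}))
    print("ubuntu in us-east-1:", policy_allows(INSTANCE_CONNECT_POLICY, action, arn,
                                                 {"ec2:osuser": "ubuntu"}))
```

Two practical points follow from the evaluator: a user who logs in as a different Linux account (say ubuntu) or targets an instance in another region is denied even though they hold the role, and the policy grants nothing else, so if users must look up instance addresses themselves they also need ec2:DescribeInstances on the same role.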


How to set up the EC2 instance for Instance Connect will be covered in a separate blog post.

Please comment for any doubts or errors.


