Command line access to Northwestern-owned Amazon Web Services accounts should only be done via a federated, NetID-based and MFA-protected IAM role. IAM user credentials should not be used for console access. This document outlines the process of authenticating the AWS Command Line Interface (CLI) to use a NetID-based federated login role.
Using AWS IAM Identity Center (AWS SSO)
Northwestern Amazon Web Services accounts are configured to use AWS IAM Identity Center (formerly known as AWS SSO) for federated authentication. This allows you to log in to your AWS web console or authenticate the AWS CLI using your NetID.
Using the AWS Access Portal for Web Console Access
Most Northwestern AWS accounts are accessible via the following AWS access portal URL: https://nu-sso.awsapps.com/start.
A small number of Northwestern AWS accounts used by NIH-funded researchers use a separate AWS access portal: https://nu-strides-sso.awsapps.com/start.
After authenticating with your NetID and Duo MFA, you will be presented with a list of the accounts you have access to, and clicking on an account will show you the available roles within each account. Click a role to log into the web console with that role’s permissions. For more information about the AWS access portal, see https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html.
Configuring the AWS CLI for NetID Authentication
The AWS CLI has native support for AWS IAM Identity Center via the aws sso subcommand. To get started:
- Make sure you are using a recent version of the AWS CLI v2 (2.9.0 or later). See here for installation/upgrade instructions.
- In your terminal, run the command aws configure sso and enter the following values:
  SSO session name: nu-sso
  SSO start URL: https://nu-sso.awsapps.com/start (or the NIH STRIDES access portal URL if appropriate, see above)
  SSO region: us-east-2
  SSO registration scopes: Accept the default value of “sso:account:access”
- A web browser window will appear and you will log in with your NetID and Duo MFA. When prompted, click the “Allow” button. (Note: if the web browser does not appear or you are on a machine without a GUI, you can either copy the generated URL and code into a browser manually or re-run the aws configure sso command with the --no-browser flag.)
- After authenticating in the browser you will be prompted to choose a role for the current session as well as values for the default region (likely us-east-2), output format (text), and CLI profile name. It is recommended to choose a meaningful profile name that you will remember.
- (Optional) If you have access to multiple accounts and/or roles, you can edit the ~/.aws/config file manually and copy the profile that was just created to a new one for each account/role, using the same sso session name for each. In this way you will be able to specify which profile/role to use for each invocation of the aws command without having to re-authenticate each time, as the existing SSO session will be used.
- In future sessions after your current session has expired, if you are not prompted to log in automatically when running an AWS CLI command, you can manually log in with the command aws sso login --sso-session nu-sso. The default session length is 4 hours.
For more details about configuring the AWS CLI for AWS IAM Identity Center, see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html.
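As an added example that is not part of this article, the following POSIX shell functions write the ~/.aws/config layout that the optional step above describes: one [sso-session nu-sso] block (with the values given above) shared by several [profile] entries, so a single login covers every account/role. The profile names, account ID and role names used are constructed placeholders, and the functions refuse to add a profile name that already exists.

```shell
# Added example, not the KB article's own tooling.
# Writes the shared IAM Identity Center session block using the values
# from the article (nu-sso, start URL, us-east-2, default scope).
write_sso_session() {
  cfg="$1"
  cat >"$cfg" <<'EOF'
[sso-session nu-sso]
sso_start_url = https://nu-sso.awsapps.com/start
sso_region = us-east-2
sso_registration_scopes = sso:account:access
EOF
}

# Appends one CLI profile that reuses the nu-sso session.
# $1 = config file, $2 = profile name, $3 = 12-digit account ID,
# $4 = Identity Center role (permission set) name.
add_sso_profile() {
  cfg="$1"; name="$2"; account="$3"; role="$4"
  # Do not silently duplicate a profile; the CLI would use the last one.
  if grep -q "^\[profile $name\]" "$cfg" 2>/dev/null; then
    echo "profile $name already exists in $cfg" >&2
    return 1
  fi
  cat >>"$cfg" <<EOF

[profile $name]
sso_session = nu-sso
sso_account_id = $account
sso_role_name = $role
region = us-east-2
output = text
EOF
}

# Demo against a temporary file; point at "$HOME/.aws/config" for real use.
# Account ID and role names here are placeholders, not Northwestern values.
demo_cfg="$(mktemp)"
write_sso_session "$demo_cfg"
add_sso_profile "$demo_cfg" research-admin    111111111111 AdministratorAccess
add_sso_profile "$demo_cfg" research-readonly 111111111111 ReadOnlyAccess
cat "$demo_cfg"
rm -f "$demo_cfg"
```

After one aws sso login --sso-session nu-sso, each entry can be selected with --profile, for example aws sts get-caller-identity --profile research-readonly, without logging in again.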
Managing Access to AWS IAM Identity Center Roles
Roles in AWS IAM Identity Center are mapped to Azure AD groups within the Northwestern Azure AD tenant, and membership in a role’s corresponding Azure AD group grants access to the role. In general, groups are owned and managed by the AWS account owner who is responsible for managing access to the group/role.
The Self Service Group Management (Cayosoft) tool is used to manage group access. The group owner can log in to that tool and open the “My Office 365 Groups” link under the Self Service menu item. That interface lists all of the groups the user owns. Click on a group name, then click the “Membership” link in the right navigation to list, add, or remove group members. For more information, see https://services.northwestern.edu/TDClient/30/Portal/KB/ArticleDet?ID=1750.
If you do not see groups you should be able to manage in this tool, or you need access to a role and there is no group owner available to grant it, email awscloudops@northwestern.edu to request access.