Using Office365 credentials to login to AWS

In this post, I will describe, step-by-step, how to use your existing Office365 credentials to log in to your AWS account, and how to assign AWS permissions to your current Office 365 users. I’m assuming you already have (1) an Office 365 subscription and (2) an AWS account.


1. Login to Azure Active Directory

a) In Office 365, click on the dots in the corner and select Admin.

b) Select Azure Active Directory under Admin Centers

c) In the Azure Portal, select Azure Active Directory. Alternatively, you can type https://aad.portal.azure.com/ in your browser to access the Azure Active Directory directly.


2. Create an AWS enterprise app

a) Select Enterprise applications in the left menu

b) Click on + New Application in the main panel

c) Type Amazon Web Services under “Add from the gallery” then select Amazon Web Services (AWS)

d) Click on Add


3. Download the metadata XML

a) Click on 2. Set up single sign on

b) Select SAML as the authentication method

c) Under 3. SAML Signing Certificate, click on Federation Metadata XML > Download and save the file as metadata.xml


4. Create user roles in AWS

For this demonstration, we will create an azure.admin role with full administrator permission, and an azure.reader role with view-only permission. Feel free to create different roles with other permissions as you see fit.

a) Login in to AWS and navigate to IAM

b) In the left menu, click on Identity Providers

c) Click on Create Provider, select SAML as the provider type, enter any name, and select metadata.xml for the metadata document. Then click Next Step and Create

d) In the left menu, select Roles, then Create role. For our admin role, select SAML 2.0 federation and the provider created in step c), with Programmatic and console access. Then Next:Permissions, select AdministratorAccess, then Next:Tags, then Next:Review. Finally, name the role azure.admin and select Create role.

e) For our reader role, we create another role with SAML 2.0 federation, Programmatic and console access, the ViewOnlyAccess policy, and we name the role azure.reader.


5. Create an AzureAAD user to download roles

a) In IAM, select Users in the left menu, then Add User

b) Enter AzureAAD as the user name, and select Programmatic Access. Click Next:Permissions, then Next:Tags, then Next:Review, and finally Create user. You should receive a warning that this user has no permissions.

c) Copy the Access key ID, and the Secret access key shown after creating the user.

d) Go back to IAM > Users > AzureAAD, then click on the Permissions tab, and + Add Inline Policy. In the JSON tab, copy the following policy, then click Review Policy, name the policy AzureAAD.Policy and click Create Policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "*"
        }
    ]
}
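Two things worth verifying once steps 4 and 5 are done are that each federated role trusts only the SAML provider (and only for assertions whose audience is the AWS sign-in endpoint), and that the AzureAAD user has nothing beyond iam:ListRoles. The Python below is an added example, not code from the original post: it checks both offline against policy documents, using a constructed provider ARN and constructed sample policies in the shape the IAM console produces for a SAML 2.0 federation role.

```python
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
# Constructed placeholder for the identity provider created in step 4c.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/AzureAD"

def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_saml_trust_policy(policy, provider_arn=PROVIDER_ARN):
    """Return findings for a role trust policy; empty means every Allow statement
    trusts only the expected SAML provider and requires the AWS sign-in audience."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, principal = _as_list(stmt.get("Action", [])), stmt.get("Principal", {})
        if actions != ["sts:AssumeRoleWithSAML"]:
            findings.append(f"unexpected actions {actions} for {principal}")
            continue
        if _as_list(principal.get("Federated", [])) != [provider_arn]:
            findings.append(f"unexpected federated principal {principal}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            findings.append("missing or wrong SAML:aud condition")
    return findings

def check_provisioning_policy(policy):
    """Return allowed actions beyond iam:ListRoles, the only one the AzureAAD user needs."""
    extra = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            extra += [a for a in _as_list(stmt.get("Action", [])) if a != "iam:ListRoles"]
    return extra

# Constructed samples: the trust policy the console generates for a SAML 2.0 federation
# role, and a weakened copy without the audience condition that also trusts the account root.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}}}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
     "Action": "sts:AssumeRoleWithSAML"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sts:AssumeRole"}]}
PROVISIONING_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*"}]}
PROVISIONING_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:ListRoles", "iam:*"], "Resource": "*"}]}
```

In practice the trust policy comes from the role's AssumeRolePolicyDocument and the inline policy from the AzureAAD user; feed those documents to the two functions and expect empty lists.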

6. Configure Azure Provisioning

a) In Azure Active Directory > Enterprise Applications > Amazon Web Services, click on Provisioning, and on Get Started.

b) Select Automatic as the Provisioning Mode, then enter the Access key ID of the AzureAAD user in the clientsecret field and its Secret access key in the Secret Token field. Click on Test Connection to validate the credentials. Finally, click on Save.

c) Click on Provisioning in the left menu, then select Start Provisioning.

d) After several minutes, you should see roles being imported. If this doesn’t work, edit the provisioning and toggle the status to Off, then On, then click refresh.


7. Assign roles to users

a) In Azure Active Directory > Enterprise Applications > Amazon Web Services, click on Users and groups, and then on +Add user.

b) Select the user who may log in to AWS and one of the roles that user can assume. To add another role to the same user, click on Add user again and select the second role.

Note: If you only see the Default Access role, try adding yourself as the application owner and disable/re-enable the provisioning, and refresh its status. It can take several minutes for it to work. Don’t forget to remove yourself as an application owner afterwards.


8. Login using the AWS Icon

a) Assigned users should be able to log in using the AWS icon on their dashboard.

b) If multiple roles have been assigned to them, they should have a menu to decide which role to assume when they login.
