
Using Global SSO to Login China AWS Accounts

Use the global SSO (IAM Identity Center) to log in to China-region AWS accounts, and also make those accounts usable from the command line.

walkthrough

use identity center directory as identity source

  • create an application of type External AWS Account Application from the SSO Applications page
    global-sso-and-china-aws-accounts-png-1.png
  • download IAM Identity Center SAML metadata file

  • create identity provider in aws china account
    global-sso-and-china-aws-accounts-png-2.png

  • create role for SAML 2.0 federation in aws china account, and assign policy to it
    global-sso-and-china-aws-accounts-png-3.png

  • back on the create application page, review the application metadata

    • replace the global sign-in endpoint https://signin.aws.amazon.com/saml with the China endpoint https://signin.amazonaws.cn/saml
      global-sso-and-china-aws-accounts-png-4.png
  • create application

  • edit the attribute mappings for this application and make sure the following two fields exist

    • Field: https://aws.amazon.com/SAML/Attributes/Role
      Value: arn:aws-cn:iam::ACCOUNTID:saml-provider/SAMLPROVIDERNAME,arn:aws-cn:iam::ACCOUNTID:role/ROLENAME (ARNs in the China partition use aws-cn, not aws)
      Format: unspecified
    • Field: https://aws.amazon.com/SAML/Attributes/RoleSessionName
      Value: must match [a-zA-Z_0-9+=,.@-]{2,64}
      Format: unspecified

../git-attachment/global-sso-and-china-aws-accounts-png-5.png

  • assign user to application and login
    • find login url from sso dashboard or reset user’s password
      global-sso-and-china-aws-accounts-png-6.png
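The two attribute mappings and the endpoint swap above are where a China-account federation usually goes wrong, and the symptom is only a generic sign-in error. The following is an added example, not code from the original page: it parses a constructed SAML response of the shape Identity Center posts to the sign-in endpoint and checks that the Role attribute is a provider/role ARN pair in the aws-cn partition for one account, that RoleSessionName matches the required pattern, and that Destination and Audience name https://signin.amazonaws.cn/saml. The account id, provider name, role name and user in the sample are placeholders.

```python
"""Added example (not from the original page): check the SAML values that the
global Identity Center application will send to an AWS China account before
anyone tries to log in. Account id, provider and role names are constructed
placeholders, as is the sample assertion below."""
import re
import xml.etree.ElementTree as ET

CHINA_SAML_ENDPOINT = "https://signin.amazonaws.cn/saml"
GLOBAL_SAML_ENDPOINT = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SESSION_NAME_RE = re.compile(r"^[a-zA-Z_0-9+=,.@-]{2,64}$")
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):(saml-provider|role)/(.+)$")
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of what the IdP posts to the sign-in endpoint (signature omitted).
SAMPLE_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://signin.amazonaws.cn/saml">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://signin.amazonaws.cn/saml</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws-cn:iam::123456789012:saml-provider/GlobalSSO,arn:aws-cn:iam::123456789012:role/GlobalSSOAdmin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# Same assertion with the global partition pasted in by mistake.
WRONG_PARTITION_ASSERTION = SAMPLE_ASSERTION.replace("arn:aws-cn:", "arn:aws:")


def parse_role_attribute(value):
    """Split 'providerArn,roleArn' into (partition, account_id, provider_name, role_name)."""
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError("Role attribute must be 'providerArn,roleArn': %r" % value)
    provider = ARN_RE.match(parts[0].strip())
    role = ARN_RE.match(parts[1].strip())
    if provider is None or provider.group(3) != "saml-provider":
        raise ValueError("first ARN is not a saml-provider ARN: %r" % parts[0])
    if role is None or role.group(3) != "role":
        raise ValueError("second ARN is not a role ARN: %r" % parts[1])
    if provider.group(1, 2) != role.group(1, 2):
        raise ValueError("provider and role must share partition and account id: %r" % value)
    return provider.group(1), provider.group(2), provider.group(4), role.group(4)


def check_assertion(xml_text, expected_partition="aws-cn"):
    """Return a list of problems; an empty list means the mapping fits the partition."""
    endpoint = CHINA_SAML_ENDPOINT if expected_partition == "aws-cn" else GLOBAL_SAML_ENDPOINT
    problems = []
    root = ET.fromstring(xml_text)
    # Both Destination and Audience must name the partition's own sign-in endpoint.
    if root.get("Destination") != endpoint:
        problems.append("Destination is %r, expected %s" % (root.get("Destination"), endpoint))
    audience = root.find(".//saml:Audience", NS)
    if audience is None or audience.text != endpoint:
        problems.append("Audience does not name %s" % endpoint)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    roles = attrs.get(ROLE_ATTR) or []
    if not roles:
        problems.append("missing %s attribute" % ROLE_ATTR)
    for value in roles:
        try:
            partition, account, _provider, role = parse_role_attribute(value)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if partition != expected_partition:
            problems.append("role %s in account %s uses partition %s, expected %s"
                            % (role, account, partition, expected_partition))
    names = attrs.get(SESSION_ATTR) or []
    if len(names) != 1:
        problems.append("RoleSessionName must appear exactly once")
    elif SESSION_NAME_RE.match(names[0]) is None:
        problems.append("RoleSessionName %r does not match [a-zA-Z_0-9+=,.@-]{2,64}" % names[0])
    return problems


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_ASSERTION), ("wrong partition", WRONG_PARTITION_ASSERTION)):
        print(label, "->", check_assertion(doc) or "ok")
```

To use it against a real login, capture the SAMLResponse form field from the browser's network tab for your own test user, base64-decode it, and pass the XML to `check_assertion`; the function deliberately ignores the signature, since the point is to catch a mapping mistake before the sign-in endpoint rejects it.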

use managed AD as identity source

  • configure attribute mapping in manage sync in settings
    ../git-attachment/global-sso-and-china-aws-accounts-png-7.png

  • the other steps are the same

use external IdP as identity source

  • todo

user and role in the same organization

  • in multi-account permissions, choose the account, assign a user/group to it, and assign a permission set to it.
  • assume from CLI:

    assume --sso --sso-start-url https://xxx.awsapps.com/start \
        --sso-region ap-southeast-1 \
        --account-id xxx \
        --role-name AWSAdministratorAccess \
        --verbose
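The `assume --sso ...` flags above map one-to-one onto the keys of an SSO profile in the AWS CLI's own config file, which is useful when the `assume` helper is not installed on a host. The following is an added example, not code from the original page: it writes that equivalent `[profile NAME]` section, refuses to overwrite an existing profile of the same name, and returns the written keys. The profile name, start URL and account id are placeholders; the example writes to a scratch file rather than the real ~/.aws/config.

```python
"""Added example (not part of the original page): write the AWS CLI's native
SSO-profile equivalent of the `assume --sso ...` invocation above, so the same
account and role work with `aws sso login --profile NAME` and ordinary `aws`
commands. Profile name, start URL and account id are placeholders."""
import configparser
import os
import tempfile

# Flag of the `assume` command -> key in an [profile NAME] section of ~/.aws/config
FLAG_TO_KEY = {
    "--sso-start-url": "sso_start_url",
    "--sso-region": "sso_region",
    "--account-id": "sso_account_id",
    "--role-name": "sso_role_name",
}


def add_sso_profile(config_path, profile, start_url, sso_region, account_id, role_name):
    """Add [profile NAME] to config_path and return its key/value pairs.

    An existing section is never overwritten: silently repointing a profile at
    another account or role is exactly the mix-up an operator wants to avoid."""
    cfg = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cfg.read(config_path)  # a missing file is fine: read() just skips it
    section = "profile %s" % profile
    if cfg.has_section(section):
        raise ValueError("profile %r already exists in %s" % (profile, config_path))
    cfg[section] = {
        FLAG_TO_KEY["--sso-start-url"]: start_url,
        FLAG_TO_KEY["--sso-region"]: sso_region,
        FLAG_TO_KEY["--account-id"]: account_id,
        FLAG_TO_KEY["--role-name"]: role_name,
        "region": sso_region,  # default region for API calls made with this profile
        "output": "json",
    }
    with open(config_path, "w") as fh:
        cfg.write(fh)
    return dict(cfg[section])


def scratch_config_path():
    """Fresh file in a temp dir, so the example never touches a real ~/.aws/config."""
    return os.path.join(tempfile.mkdtemp(prefix="aws-sso-example-"), "config")


if __name__ == "__main__":
    path = scratch_config_path()
    print(add_sso_profile(path, "org-admin", "https://xxx.awsapps.com/start",
                          "ap-southeast-1", "123456789012", "AWSAdministratorAccess"))
    print("copy the section into ~/.aws/config, then run: aws sso login --profile org-admin")
```

`sso_role_name` is the permission set name assigned in multi-account permissions (AWSAdministratorAccess above), and `sso_region` is the region where Identity Center is enabled, not necessarily the region the workload runs in.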
