For the last few years I have been using’s aws-okta to do command-line authentication to my AWS environments. The other day I was helping a coworker get setup when I found out that develoment and maintenance for the tool has been halted. The maintainers pointed out another project called saml2aws, so I decided to take a look at it to see if it would be an adequate replacement.

Installing saml2aws

The maintainers of saml2aws provide a tap, so installing it on MacOS was pretty easy.

brew tap versent/homebrew-taps
brew install saml2aws

Installing it on Linux is pretty easy as well, although it takes a few extra commands:

sudo tar -xzvf saml2aws_${CURRENT_VERSION}_linux_amd64.tar.gz /usr/local/bin
chmod u+x /usr/local/bin/saml2aws

Configuring saml2aws

Once you have the saml2aws installed, configuring it is easy. To add an Okta authenticated account, you can run the following:

saml2aws configure \
  -a dev \
  --idp-provider=Okta \ \
  --url= \
  --skip-prompt \
  --mfa=OKTA \
  --role=arn:aws:iam::111111111111:role/OWNER \
  --session-duration=43200 \
  -- profile=dev

and for AzureAD (Office365), you can run this:

saml2aws configure \
  -a dev \
  --idp-provider=AzureAD \ \
  --url= \
  --skip-prompt \
  --mfa=Auto \
  --app-id=0f588fd7-90cf-4ae5-9db3-05d8eac2c973 \
  --session-duration=43200 \

If you are running on MacOS, saml2aws can store your password in your keychain, making it easier for you every time you need to get your credentials. On Linux, it will ask you for your password each time.

You can log in to your AWS account by running saml2aws login -a dev. This will get your temporary credentials and add them to the .aws/credentials file. Once you have your credentials, you can set your AWS_PROFILE variable to point to your newly created credentials and you should be good to go.

One thing that I like about saml2aws as compared to aws-okta is that it sets a field in the credentials file that lets me know when the token expires (x_security_token_expires). This is really helpful when spending all day working on a specific task, like writing Terraform or Ansible. I created a little function that sets the profile and puts the expire time in a value called AWS_CREDS_EXPIRE.

s2ap() {
  if [[ -z $1 ]]; then # if you run it with no profile name, it unsets the variables
    unset AWS_PROFILE
    export AWS_CREDS_EXPIRE=$(python3 - "$1" << END
import configparser
import sys
cred_file = "/Users/mark.honomichl/.aws/credentials"
account = sys.argv[1]
config = configparser.ConfigParser()
  expire_string = config[account]['x_security_token_expires']
except KeyError:
    export AWS_PROFILE=$1

I then create a function to use with my prompt:

s2aprompt() {
  if [[ -v AWS_PROFILE ]]; then
    CYAN="$(tput setaf 6)"
    RESET=$(tput sgr0)
    printf "$CYAN(saml2aws: $AWS_PROFILE expires: $AWS_CREDS_EXPIRE)\n$RESET"

Then I can add it to my prompt:

 PS1='$(s2aprompt)$(git_prompt)(%{$fg[green]%} %m: %{$reset_color%}%{$fg[blue]%}%~%{$reset_color%})
%# '

Which gives me an additional line in my command prompt.

(saml2aws: acg-dev expires: 21:56:51)
( fp-mbp: ~)