I recently wrote a post about my switch from aws-okta to saml2aws. On the Okta side, everything has worked as expected. Unfortunately, I wasn’t as lucky with my AzureAD configuration. The problem has to do with how I configure my AWS accounts. For my work accounts, Okta is configured for each account, but for my personal accounts I only configure one “user” account and then switch roles from there. I prefer this type of configuration for two reasons. The first is that it’s easier: I only have to configure one account for SAML rather than (in the case of my personal setup) four different accounts. The other reason is that it makes switching accounts much easier, since I can assume the roles from my user account rather than going back to my SAML provider to choose a different one.

The problem I ran into was that just setting AWS_PROFILE to one of my non-user accounts wasn’t letting me run Terraform properly. It worked just fine for regular AWS commands, but for some reason Terraform did not honor the profile unless I added it directly to the backend-config and the provider. Initially, I worked around this by generating and setting credentials with saml2aws’s exec command, like this:

saml2aws -a acg exec --exec-profile acg-dev /bin/zsh

This worked OK, but I had trouble getting the session TTL to be longer than 15 minutes, and it broke down completely when I wanted to write Terraform that touched multiple accounts. I started digging and figured out that Terraform only loads the credentials file, and that it needs to be told explicitly to load the config file as well. To do that, I just needed to add the following to my .zshrc:


That’s it. Now whenever I am working with a profile it loads it from config and I’m able to connect to multiple accounts just using the profile.
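As an added example (not part of the original post), here is a constructed ~/.aws layout that matches the setup described above: the SAML user profile acg holds the short-lived credentials saml2aws writes to the credentials file, the acg-dev profile exists only in the config file and chains to acg with source_profile, and AWS_SDK_LOAD_CONFIG=1 is the AWS SDK for Go setting that makes Terraform read the config file at all. The post’s own .zshrc line did not survive, so that variable is my assumption of what it contained. Account IDs, file paths and key values are placeholders, and the small resolve_profile helper is mine; it only shows which file each profile is resolved from.

```shell
#!/bin/sh
# Added example, not code from the original post: a constructed ~/.aws layout
# for the "one SAML user profile, then switch roles" setup, plus the
# environment variable that makes Terraform's AWS provider (AWS SDK for Go v1)
# read ~/.aws/config. Profile names follow the post (acg, acg-dev); account
# IDs, paths and key values are placeholders.
set -eu

AWS_DIR="${TMPDIR:-/tmp}/aws-profile-demo"
mkdir -p "$AWS_DIR"

# Short-lived credentials written by saml2aws land in the credentials file.
# These are constructed placeholder values, not real keys.
cat > "$AWS_DIR/credentials" <<'EOF'
[acg]
aws_access_key_id = ASIAPLACEHOLDER0000
aws_secret_access_key = placeholder-secret
aws_session_token = placeholder-session-token
EOF

# Role-switching profiles live only in the config file: they hold no keys,
# just the role to assume and which profile's credentials to assume it with.
cat > "$AWS_DIR/config" <<'EOF'
[profile acg]
region = us-east-1

[profile acg-dev]
role_arn = arn:aws:iam::111111111111:role/admin
source_profile = acg
region = us-east-1
EOF

# Point the SDK at the constructed files and tell it to load the config file
# too. Without AWS_SDK_LOAD_CONFIG=1 only the credentials file is consulted,
# so acg-dev would be unknown to Terraform even though AWS_PROFILE names it.
export AWS_SHARED_CREDENTIALS_FILE="$AWS_DIR/credentials"
export AWS_CONFIG_FILE="$AWS_DIR/config"
export AWS_SDK_LOAD_CONFIG=1

# config_value PROFILE KEY: print KEY from the [profile PROFILE] section.
config_value() {
  awk -v want="[profile $1]" -v key="$2" '
    $0 == want { in_section = 1; next }
    /^\[/      { in_section = 0 }
    in_section && $1 == key { print $3; exit }
  ' "$AWS_CONFIG_FILE"
}

# has_static_keys PROFILE: succeed if PROFILE has an access key in the
# credentials file.
has_static_keys() {
  awk -v want="[$1]" '
    $0 == want { in_section = 1; next }
    /^\[/      { in_section = 0 }
    in_section && $1 == "aws_access_key_id" { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$AWS_SHARED_CREDENTIALS_FILE"
}

# resolve_profile PROFILE: print "ROLE_ARN via SOURCE" for a role profile from
# the config file, or "static credentials" for a profile that only exists in
# the credentials file; fail for anything else.
resolve_profile() {
  role=$(config_value "$1" role_arn)
  if [ -n "$role" ]; then
    echo "$role via $(config_value "$1" source_profile)"
  elif has_static_keys "$1"; then
    echo "static credentials"
  else
    echo "unknown profile: $1" >&2
    return 1
  fi
}

# sdk_loads_config: succeed only when the SDK will read AWS_CONFIG_FILE,
# which is the condition the post was missing.
sdk_loads_config() {
  [ "${AWS_SDK_LOAD_CONFIG:-0}" = "1" ]
}

echo "acg     -> $(resolve_profile acg)"
echo "acg-dev -> $(resolve_profile acg-dev)"
```

Running it prints that acg resolves to static (session) credentials and acg-dev resolves to the admin role via acg. The point of the layout is that the only keys on disk are the short-lived SAML session for the user profile; every other account is reached by role chaining through the config file, which is exactly why Terraform needs AWS_SDK_LOAD_CONFIG to see those profiles.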