AWS CLI login instructions


Access to DIT-provided AWS accounts via the command line interface (CLI) is outlined below. Just like the AWS web console, obtaining access to a functional role is a two-step process: first you log in as your structural (HR) group, and then you assume a functional role in an AWS account.

Prerequisites 

This process requires that you:

Instructions

  1. Install nodejs from the nodejs site.
  2. From the command line, run npm install -g umd_aws_cli_helpers.
  3. Authenticate by running the following command, replacing Name_Of_Your_HR_Group with the value you use when you log in via the AWS Sign In page.
    umd_aws_auth -g <Name_Of_Your_HR_Group>

  4. Review and approve the Duo prompt from the mobile device registered with the University.
  5. To assume a functional role within one of your AWS accounts, go to https://ittools.umd.edu/myaws/roles (make sure you're connected to VPN) and locate the role and account you wish to assume. 
  6. Copy and paste the value from the CLI column into your terminal.
    Select Functional Role

At this point you have temporary AWS credentials stored under an AWS credential profile in the format RoleName@AWS_Account. Any tool (including the AWS CLI) that makes use of standard AWS credentials will be able to use these credentials as long as you specify this profile. 

aws ec2 stop-instances \
--region=us-east-1 \
--profile=DeptAdmin@it-eng-sandbox1 \
--instance-ids=i-abcdefg

Troubleshooting

Missing or invalid cookie jar

Error
C:\Users\username>umd_aws_auth -g it-ee-se-si
WARNING - Missing or invalid cookie jar: Error: ENOENT: no such file or directory, open 'C:\Users\username\.aws\cookiejar'
 

Solution

If this error prevents you from logging in, make sure you have a .aws folder in your home directory (create it if it doesn't exist) and that it is not set to read-only (right-click > Properties). When you try again, you will get this error one more time, but it should allow you to log in (and create the cookiejar) anyway.
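
A pre-flight check for the .aws folder described above, combined with a listing of the RoleName@AWS_Account profiles from the instructions; this is an added example, not part of the original page or of umd_aws_cli_helpers. It assumes a POSIX shell (Linux, macOS, WSL or Git Bash) and that the profiles are written to the standard ~/.aws/credentials file; the function names and sample file contents are constructed.

```shell
#!/bin/sh
# Added example. Assumes a POSIX shell and the standard shared credentials
# file (~/.aws/credentials); all sample values below are constructed.

# check_aws_dir DIR: create DIR if missing, fail if it is not writable,
# and restrict it to the owner because it will hold credentials.
check_aws_dir() {
    dir=$1
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    [ -w "$dir" ] || { echo "not writable: $dir" >&2; return 1; }
    chmod 700 "$dir"
}

# list_role_profiles FILE: print section names shaped like RoleName@AWS_Account.
list_role_profiles() {
    [ -r "$1" ] || return 1
    sed -n 's/^\[\([^]@]\{1,\}@[^]@]\{1,\}\)]$/\1/p' "$1"
}

# is_private PATH: succeed only if group and others have no permission bits.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

demo() {
    home=$(mktemp -d) || return 1
    check_aws_dir "$home/.aws" || return 1
    creds="$home/.aws/credentials"
    # Constructed sample file; the key and token values are fake.
    cat > "$creds" <<'EOF'
[default]
aws_access_key_id = EXAMPLEKEYID
[DeptAdmin@it-eng-sandbox1]
aws_access_key_id = EXAMPLEKEYID
aws_session_token = EXAMPLETOKEN
EOF
    chmod 600 "$creds"
    echo "role profiles:"; list_role_profiles "$creds"
    is_private "$creds" || echo "WARNING: $creds is readable by others" >&2
    rm -rf "$home"
}
demo
```

Against a real home directory, call check_aws_dir "$HOME/.aws" before umd_aws_auth and the other two functions on "$HOME/.aws/credentials" afterwards.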

Missing required key SAMLAssertion

Error

Error calling assumeRoleWithSAML: MissingRequiredParameter: Missing required key 'SAMLAssertion' in params

Solution

Make sure you have Duo auto-push enabled. 