Knowledge Article View - IT Service Desk

AWS CLI login instructions

Access to DIT provided AWS accounts via the command line interface (CLI) is outlined below. Just like the AWS web console, obtaining access to a functional role is a 2 step process, where first you must login as your structural (HR) group, and then assume a functional role in an AWS account.

Prerequisites

This process requires that you:

have Duo Mobile configured for auto-push
have answered all of the CAS consent questions and have a registered cell phone w/the University.
have the AWS CLI tools installed from https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

Instructions

1. Install nodejs from https://nodejs.org/en/
2. From the command line, run "npm install -g umd_aws_cli_helpers"
3. Authenticate by running the following command, replacing <Name_Of_Your_HR_Group> with the value used when you login via https://login.aws.umd.edu
  umd_aws_auth -g <Name_Of_Your_HR_Group>
4. Review and approve the Duo prompt from the mobile device registered with the University
5. To assume a functional role within one of your AWS accounts, go to https://ittools.umd.edu/myaws/roles and locate the role and account you wish to assume.
6. Copy and paste the value from the "CLI" column into your terminal.

At this point you have temporary AWS credentials stored under an AWS credential profile in the format <RoleName>@<AWS_Account>. Any tool (including the AWS CLI) that makes use of standard AWS credentials will be able to use these credentials as long as you specify this profile.

aws ec2 stop-instances \ --region=us-east-1 \ --profile=DeptAdmin@it-eng-sandbox1 \ --instance-ids=i-abcdefg

Troubleshooting

Missing or invalid cookie jar

Error

C:\Users\username>umd_aws_auth -g it-ee-se-si

WARNING - Missing or invalid cookie jar: Error: ENOENT: no such file or directory, open 'C:\Users\username\.aws\cookiejar'

Solution

If you get this error preventing you from logging in, make sure you have a ".aws" folder in your home directory (create it if it doesn't exist) and make sure it's not set to read-only (right-click > properties). If you try again after that, it will get this error one more time but should allow you to login (and create the cookiejar) anyway.

Missing required key 'SAMLAssertion'

Error

Error calling assumeRoleWithSAML: MissingRequiredParameter: Missing required key 'SAMLAssertion' in params

Solution

Make sure you have Duo auto-push enabled.