I posted this on LinkedIn and forgot to blog about it last year. My bad.

For my records I’m posting this one now 🙂

In Nov 2019 AWS announced an update to AWS SSO. The update added integration with Azure AD! This is absolutely a big win for the enterprise. 99% of the enterprises I've worked with have gone with Azure AD as a result of going Office 365, so their SaaS identity provider has defaulted to Microsoft.

Until now this has caused much pain in the following areas:

  • Setting up federated access in a multi-account model
  • Using command line tools outside of AWS

This change now lets you use AWS SSO to manage your cross-account roles, albeit MANUALLY 🙁 This is my only gripe with this change! 🙂 The provisioning of access should be done by someone with controlled privileges in AWS SSO. They will need to know how to push permission sets and roles out across the organisation. Fortunately this isn't hard, and the provisioning process is mostly automated.

The step-by-step blog post is here: https://aws.amazon.com/blogs/aws/the-next-evolution-in-aws-single-sign-on/

I've gone through this process with my own Azure AD and AWS accounts, and I can tell you this is something you should be doing. It is much better than all the other historical ways to manage federated access into a multi-account model in AWS.

Further, with the announcement of AWS CLI v2, which can handle federated authentication, this is a must-have default model for the enterprise moving forward. I will be updating my white paper with this information.

You can find the CLI blog post here: https://aws.amazon.com/blogs/developer/aws-cli-v2-now-supports-aws-single-sign-on/

I’m not looking back on these changes.

Paul.