By default, you cannot use your HawkID to log in to the AWS CLI to manage your AWS account and its resources. A tool developed by the University of Illinois enables this functionality. Please select the appropriate support instructions for the device you're using. If you encounter issues, please reach out to the Cloud Team or schedule Office Hours.

The Federated Login tool for the AWS CLI does not work natively on Windows. However, this workaround will provide you with access to it. Initial setup takes 30 to 60 minutes to complete.

Installation

Installing the Federated Login tool for the AWS CLI on Windows requires the following:

  • Windows 10 version 1709 or higher, or Windows 11
  • Administrator permissions on your system
  • Enabling Windows Subsystem for Linux
  • Installing Ubuntu from the Windows Store (this does not replace Windows with Linux and will not harm your system)

If you already have the Windows Subsystem for Linux installed and were using it with the AWS CLI, please note that this tool uses the "default" user in your AWS credentials file. If you have an existing entry labeled "default", this tool will overwrite it.

For information on how to enable and configure Windows Subsystem for Linux, you can follow the directions here: https://docs.microsoft.com/en-us/windows/wsl/install-win10. After the subsystem has been installed, Ubuntu can be installed via the Windows Store. When the Windows Store opens to the Ubuntu page, first click the "Get" button.

[Image: the Get button in the Microsoft Store to acquire Ubuntu]

Then, when the download is complete, click the Launch button.

[Image: the Launch button presented after installation]

You will see the installation taking place over the next few minutes.

[Image: Ubuntu launching in Windows with the message "Installing, this may take a few minutes..."]

Once you have enabled Windows Subsystem for Linux and installed Ubuntu from the Windows Store, you can launch Ubuntu from the Windows Start Menu. 

When the Ubuntu shell launches, it is highly recommended that you update your Ubuntu installation with the latest updates and patches. This can be done by running the following command:

sudo apt update && sudo apt upgrade -y

With Ubuntu initialized, you'll be ready to install the packages required on Linux:

sudo apt install python3-pip
sudo pip3 install awscli
sudo pip3 install awscli-login

Configuration

With those packages installed, we can configure the AWS CLI plugin. Run the following:

aws configure set plugins.login awscli_login

Finally, you must configure the plugin:

aws login configure

You will be prompted with a few questions:

ECP Endpoint URL [None]:  https://idp.uiowa.edu/idp/profile/SAML2/SOAP/ECP
Username [None]:  <type your HawkID here>
Enable Keyring [False]:  <leave this blank and hit Enter>
Duo Factor [None]:  push
Role ARN [None]:  <leave this blank and hit Enter>

With the plugin configured, you need to tell the AWS CLI which region to use.

aws configure

You will be prompted for the following:

AWS Access Key ID [None]:  <leave this blank and hit Enter>
AWS Secret Access Key [None]:  <leave this blank and hit Enter>
Default region name [None]:  us-east-1
Default output format [None]:  json

This completes the installation.

Using the CLI

To use the Federated CLI, type the following command in the Ubuntu window:

aws login

You will be prompted for your password, which is your HawkID password. After that, you will get a prompt on your phone from Duo. Once you've acknowledged the Duo message, you'll see a list of accounts and roles (if you have more than one). Make a selection and you will be logged in to AWS. From here you can use the AWS CLI like you normally would (aws ec2 describe-instances, etc.). When your session expires, you will need to log in again.

Common questions:

After I log in, how long will my session last?

Your session will be good for about 8 hours.

I'm logged in, but I need to switch to another account.  How do I do that?

Type 'aws logout' and then type 'aws login'.  Enter your credentials again (if needed) and choose the new role or account you'd like to use.

Why can't I see the account name in the list of options?  I have a lot of accounts and I don't have the numbers memorized.

This is, unfortunately, a shortcoming of the tool and how it works. The account "name" isn't available until you're authenticated with AWS and the option to choose which role/account comes before this step. There are discussions around how to overcome this, but for now there is not a good option.

To install the Federated Login tool for the AWS CLI, you must first install the AWS CLI v1. This will not work if you install AWS CLI v2. You can do so by following the directions here: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv1.html. It is important that you use Python 3.4 or higher. Note that the default Python installation on macOS is 2.7.

Please note that this tool uses the "default" user in your AWS credentials file. If you have an existing entry labeled "default", this tool will overwrite it.
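The overwrite warning above (also given in the Windows section) can be checked before the first "aws login". The script below is an added example, not part of this article's original instructions or of awscli-login. The function names and the ".pre-aws-login" backup suffix are illustrative assumptions, and the sample file holds constructed placeholder values.

```shell
#!/bin/sh
# Added example (not part of awscli-login): preserve an existing [default]
# profile before "aws login" overwrites it.

# Print the lines of the [default] section of a credentials file.
default_section() {
    awk '/^[ \t]*\[/ { keep = ($0 ~ /^[ \t]*\[default\][ \t]*$/) } keep' "$1"
}

# True when [default] holds long-lived keys: an access key ID but no session
# token. Temporary credentials from an earlier "aws login" carry a token.
has_static_default_keys() {
    [ -f "$1" ] || return 1
    default_section "$1" | grep -Eq '^[[:space:]]*aws_access_key_id[[:space:]]*=' || return 1
    ! default_section "$1" | grep -Eq '^[[:space:]]*aws_session_token[[:space:]]*='
}

# Copy the file to a timestamped, owner-only backup and print the backup path.
backup_credentials() {
    backup="$1.pre-aws-login.$(date +%Y%m%d%H%M%S)"
    ( umask 077; cp "$1" "$backup" ) || return 1
    chmod 600 "$backup" && printf '%s\n' "$backup"
}

# Back up only when static keys would be lost; print what was done.
protect_default_profile() {
    if has_static_default_keys "$1"; then
        backup_credentials "$1"
    else
        printf 'no long-lived [default] keys in %s\n' "$1"
    fi
}

# Demo on a constructed credentials file (placeholder values, not real keys).
demo_dir="$(mktemp -d)"
cat > "$demo_dir/credentials" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEKEYID0000
aws_secret_access_key = constructed-placeholder-secret

[build]
aws_access_key_id = AKIAEXAMPLEKEYID0001
aws_session_token = constructed-placeholder-token
EOF
protect_default_profile "$demo_dir/credentials"
rm -rf "$demo_dir"
```

To use it on a real system, call protect_default_profile with the path to your credentials file (normally ~/.aws/credentials) before running "aws login" for the first time.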

After you have installed the AWS CLI, you need to install the Federated Login plugin. To do this, enter the following commands:

pip3 install awscli-login --user

aws configure set plugins.login awscli_login

Finally, you must configure the plugin:

aws login configure

You'll be prompted with a few questions:

For ECP Endpoint URL use: https://idp.uiowa.edu/idp/profile/SAML2/SOAP/ECP

For Username enter your HawkID

Leave "Enable Keyring" blank to choose the default (False)

For Duo Factor enter "push" (without the quotes)

Leave "Role ARN" blank to choose the default (False)

 

To use the Federated CLI, type:

aws login

You'll be prompted for your password, which is your HawkID password. After that, you will get a prompt on your phone from Duo. Once you've acknowledged the Duo message, you'll see a list of accounts and roles (if you have more than one). Make a selection and you will be logged in to AWS. From here you can use the AWS CLI like you normally would (aws ec2 describe-instances, etc.). When your session expires, you will need to log in again.

 

Common questions:


How long will I be logged in for?

Your session will be good for about 8 hours.


I'm logged in, but I need to switch to another account. How do I do that?

Type 'aws logout' and then type 'aws login'. Enter your credentials again (if needed) and choose the new role or account you'd like to use.


Why can't I see the account name in the list of options? I have a lot of accounts and I don't have the numbers memorized.

This is, unfortunately, a shortcoming of the tool and how it works. The account "name" isn't available until you're authenticated with AWS and the option to choose which role/account comes before this step. There are discussions around how to overcome this, but for now there is not a good option.


I'm getting an error that my default region isn't set. How do I fix that?

This is likely happening because you haven't used the AWS CLI before. Run "aws configure", leave "AWS Access Key ID" and "AWS Secret Access Key" with the default values, set "Default region name" to "us-east-1" without the quotes, and the "Default output format" to "json" without the quotes.

Article number: 122251
Last updated: September 28, 2021