Command line access to Northwestern-owned Amazon Web Services accounts should only be done via a federated, NetID-based and MFA-protected IAM role. IAM user credentials should not be used for console access. This document outlines the process of authenticating the AWS Command Line Interface (CLI) to use a NetID-based federated login role.
Using AWS IAM Identity Center
Northwestern Amazon Web Services accounts are configured to use AWS IAM Identity Center for federated authentication. This allows you to log in to your AWS web console or authenticate via the AWS CLI using your NetID credentials.
Using the AWS Access Portal for Web Console Access
Most Northwestern AWS accounts are accessible via the following AWS access portal URL: https://nu-sso.awsapps.com/start.
A small number of Northwestern AWS accounts used by NIH-funded researchers use a separate AWS access portal: https://nu-strides-sso.awsapps.com/start.
After authenticating your NetID and Duo MFA, you will be presented with a list of the accounts you have access to. Clicking on an account will show you the available roles within each account. Click a role to log into the web console with that role’s permissions.
Feel free to reference the official AWS documentation regarding the AWS access portal: https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html.
Configuring the AWS CLI for NetID Authentication
The AWS CLI has native support for AWS IAM Identity Center via the aws sso subcommand. Follow the steps below to configure the AWS CLI to use NetID authentication:
- Verify AWS CLI Version:
Make sure you are using a recent version of AWS CLI v2 (2.9.0 or later). See here for installation/upgrade instructions.
- Running SSO Configuration Command:
In your terminal, run the command aws configure sso and enter the following values:
  - SSO session name: nu-sso
  - SSO start URL: https://nu-sso.awsapps.com/start (for NIH STRIDES accounts: https://nu-strides-sso.awsapps.com/start)
  - SSO region: us-east-2
  - SSO registration scopes: accept the default value of sso:account:access
- Logging In with Credentials:
When the browser window appears, log in with your NetID and pass the Duo MFA challenge. When prompted, click the “Allow” button.
Note: If the web browser does not appear or you are on a machine without a GUI, you can either copy the generated URL into a browser manually or re-run the configure command using aws configure sso --no-browser.
- Populating Profile Fields:
After authenticating in the browser, you will be prompted to choose a role for the current session as well as values for the default region (likely us-east-2), output format (text), and CLI profile name. It is recommended to choose a meaningful profile name that you will remember.
(Optional) If you have access to multiple accounts and/or roles, you can edit the ~/.aws/config file by copying the profile that was just created to a new one for each account/role, using the same sso session name for each. In this way, you can specify which profile/role to use for each invocation of the AWS command without having to re-authenticate each time, as the existing SSO session will be used.
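The layout described above, as an added example of a ~/.aws/config file (not taken from the original article): one shared sso-session section using the nu-sso values given in this document, referenced by two profiles. The profile names, account IDs and role names are placeholders; substitute the accounts and roles shown to you in the AWS access portal.

```ini
# Added example (not from the original article). Account IDs, profile names
# and role names are placeholders, not real Northwestern values.

# The shared SSO session. Created by "aws configure sso" and reused by every
# profile below, so a single "aws sso login --sso-session nu-sso" covers all.
[sso-session nu-sso]
sso_start_url = https://nu-sso.awsapps.com/start
sso_region = us-east-2
sso_registration_scopes = sso:account:access

# Profile written by "aws configure sso" for the first account/role chosen.
[profile example-dev-admin]
sso_session = nu-sso
sso_account_id = 111111111111
sso_role_name = ExampleAdminRole
region = us-east-2
output = text

# Copy of the profile above for a second account/role. Only sso_account_id
# and sso_role_name change; sso_session stays nu-sso so no new login is needed.
[profile example-prod-readonly]
sso_session = nu-sso
sso_account_id = 222222222222
sso_role_name = ExampleReadOnlyRole
region = us-east-2
output = text
```

With this file in place, aws s3 ls --profile example-prod-readonly runs as the second role using the existing session, and aws sso login --sso-session nu-sso refreshes both profiles at once when the session expires.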
In future sessions, if you are not prompted to log in automatically when running an AWS CLI command, you can manually log in with the command aws sso login --sso-session nu-sso. The default session length is 4 hours.
For more details about configuring the AWS CLI for AWS IAM Identity Center, see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html.
Managing Access to AWS IAM Identity Center Roles
Roles in AWS IAM Identity Center are mapped to Azure Entra ID groups within the Northwestern Azure Entra ID tenant, and membership in a role’s corresponding Azure Entra ID group grants access to the role. In general, groups are owned and managed by the AWS account owner responsible for managing access to the group/role.
The Self Service Group Management (Cayosoft) tool is used to manage group access. The group owner can access the “My Office 365 Groups” link under the Self-Service menu item. In that interface all the groups that a user is the owner of are listed. Click on a group name then click the “Membership” link in the right navigation to list, add, or remove group members.
For more information, feel free to reference the following KB article: https://services.northwestern.edu/TDClient/30/Portal/KB/ArticleDet?ID=1750.
If you do not see groups, are unable to manage this tool, or require access to a role but there is no group owner available to grant access, please email awscloudops@northwestern.edu to request access.
Your feedback on this article is welcome, and we review comments regularly. However, if you have an issue or question requiring immediate attention or want to discuss your feedback on this article, please get in touch with the Northwestern IT Service Desk at 847-491-4357 (1-HELP) or consultant@northwestern.edu.