Decide on AWS CLI Login
Decide on a CLI tool that enables AWS login and credentials via SAML IDP for CLI and web console access.
Problem
Users need some way to login into AWS when using the CLI or applying Terraform changes. We have AWS Identity Center or AWS SAML setup for an AWS organization, but we need a way to login to AWS locally.
There are a number of tools that can help with this, but we need to decide on one.
Option 1: Use the AWS CLI
First of all, we could use the AWS CLI to login to AWS. This is the most basic way to login to AWS, but it requires a lot of manual steps and is not very user-friendly.
Option 2: Use Leapp
Alternatively we could use Leapp by Noovolari. This is a tool that allows you to login to AWS using SAML and then automatically generates temporary credentials for you to use in the CLI. Once setup, Leapp makes it very easy to login to AWS and use the CLI, assume roles across your accounts with Role Chaining pre-configured, and even launch directly into the AWS web console.
![IMPORTANT] Leapp has been a popular choice for this use case, but with Noovolari announcing the shutdown of their paid service, this could raise concerns about the long-term viability of the project. While the Leapp project will continue to be supported, the discontinuation of the paid option might make it less appealing to future users.
Leapp requires several manual steps during the initial setup, which has been a pain point for some users. See How to Login to AWS (with Leapp) for more on the required setup and usage.
Leapp requires setup steps outside of our Geodesic containers, which makes it less convenient for users who primarily work in the shell and increases the likelihood of configuration errors.
Option 3: Use aws-sso-cli (AWS SSO Only)
The most recent option we've come across is aws-sso-cli. This is a CLI tool that allows you to login to AWS using SAML and then automatically generates temporary credentials for you to use in the CLI. It is similar to Leapp, and is also open source and free to use. It also has a number of features that make it easier to use, such as the ability to login to multiple AWS accounts and roles at the same time.
One potential benefit of aws-sso-cli is that it is a CLI tool, which means it could likely be integrated into our Geodesic containers. This would make it easier for users to login to AWS and use the CLI, and would reduce the risk of user configuration errors.
However, aws-sso-cli is designed specifically for AWS SSO, which means it may not be suitable for users who are using AWS SAML.
Option 4: Use saml2aws (AWS SAML Only)
Another option is to use saml2aws, which is a CLI tool that allows you to login to AWS using SAML. It is similar to Leapp and aws-sso-cli, but is specifically designed for AWS SAML. This means it may not be suitable for users who are using AWS SSO.
Most IdPs supported by aws2saml with the exception of Okta, depend on screen scraping for SAML logins, which is far from ideal. This approach can lead to issues, especially with services like GSuite that use bot protection, which occasionally disrupts users attempting to log in. Additionally, SAML providers differ in how they handle login processes and multi-factor authentication (MFA), meaning you may need to make specific adjustments to ensure smooth integration with your identity provider.
If your organization uses Okta, then aws2saml is good option.
Option 5: Use a browser plugin
Another option is to use a browser plugin, such as aws-extend-switch-roles, that allows you to login to AWS using SAML. This is a simple and user-friendly way to login to AWS, but it requires you to use a browser and is not suitable for users who are working in the CLI.
Option 6: Use a custom solution
Finally we could build our own custom solution for logging into AWS. This would give us complete control over the process, but would require a lot of development effort and ongoing maintenance.
Recommendation
Cloud Posse continues to recommend Leapp for now, but we are evaluating alternatives.