[V2] SSO not working

[slikk66]

Hello, i'm attempting to follow the guide here https://aws.amazon.com/blogs/developer/aws-cli-v2-now-supports-aws-single-sign-on/ to try and use this feature for logging into AWS using our G-Suite credentials and aws v2 CLI. We've already set up our users to be able to login via G-Suite to AWS via console login.

Any time I try to run it (on Mac and on Ubuntu) this happens (this output below is from Mac OS:

$ aws2 configure sso
SSO start URL [None]: https://accounts.google.com/o/saml2/initsso?idpid=XXXXXXXXXX                            
SSO Region [None]: us-east-1                           

An error occurred (InvalidRequestException) when calling the StartDeviceAuthorization operation: 

$ aws2 --version
aws-cli/2.0.0dev1 Python/3.7.4 Darwin/19.0.0 botocore/2.0.0dev1

[deejvince]

Hi, You should specify the AWS SSO start url rather than the IdP's URL,
This looks something like:
https://d-12345678ab.awsapps.com/start

Also make sure you specify the region where you enabled AWS SSO.

You can chain your SAML IdP to AWS SSO and this will allow you to use CLIv2 with that.

[slikk66]

Are there any docs for setting up gsuite access by chance? I've already setup gsuite access using AWS docs for console, but not sure how the 2 relate. I dont recall having a URL similar to the one you've shown. Either way, thanks for the info, it is helpful!

[slikk66]

Question - ok so we have gsuite SAML setup against the IDP in a single account following this guide: https://medium.com/faun/single-sign-on-with-g-suite-on-the-amazon-web-services-console-18b88c838cae

We intend to add on to this and link a few more accounts. Naturally, we'd like to extend the SSO capability to the CLI, which brought me here. It seems that the only way to configure the CLI using v2 is to go through AWS SSO which requires configuring this at the Organization head level. That's not really an option for us currently - or at least we'd like to avoid it since we already have a working configuration. Is there any way to get the v2 CLI to play nice with the type of SAML connect as described in this article?

[sethbacon]

You might try the AWS side of this blog that covers Azure IDP. I imagine the AWS part is similar...
https://aws.amazon.com/blogs/aws/the-next-evolution-in-aws-single-sign-on/

[slikk66]

Thanks! Yea that article goes through the same thing about needing to run it from the organization down. Our top account is shared by our parent company and managed by an MSP. So, going that route is not ideal for us. I found this which allows us to connect via gsuite directly against the child account, and it works, but it's a bit high friction to use - trying to see if it can be simplified: https://github.com/cevoaustralia/aws-google-auth

[jamesls]

Just following up here, is there anything from the CLI side we can add? From what I can tell those changes would require updates to the SSO service and not specifically in the CLI.

[deejvince]

I think this can be closed. further guides for other IdPs should be provided in the future by AWS SSO service team / IdPs integrating with AWS SSO.

[no-response]

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.

[jeff-bowman]

For future reference, and as mentioned in #4784, there's an AWS blog guide for this now: https://aws.amazon.com/blogs/security/how-to-use-g-suite-as-external-identity-provider-aws-sso/

[4speculators]

There is a video on CLI and API SSO https://youtu.be/y6jTIuz-oMc