Logging in to an AWS Account Managed by Stax
Stax allows you to log in to AWS Accounts using both the Stax Console and the CLI.
Stax manages your AWS Accounts and provides federated identity access management (IDAM) to allow you to assume a role in an AWS Account using your Stax credentials.
Before You Begin
- Estimated time to complete: 15 minutes
- You should have the AWS CLI (version 1 or 2) installed on your computer
- Your Stax platform permissions do not necessarily reflect your access to the AWS Accounts in Stax. Your access to AWS Accounts is controlled at the Account Type level by Groups
Logging in to an AWS Account via the Stax Console
The process of logging in to an AWS Account via the Stax Console is quite straightforward.
- Log in to the Stax Console
- In the left-hand nav, choose Accounts, then All Accounts
- Find the account you want to log in to in the list. Click the three vertical dots on the right-hand side of the row
- Choose the role you wish to log in to the AWS Account with. This will open the account in a new tab/window for you to interact with
Logging in to an AWS Account Using the CLI
Stax recommends the use of the open-source tool saml2aws for streamlining AWS Account access via Stax and the Stax IDAM. You should install saml2aws on your computer using the instructions provided by saml2aws before continuing.
saml2aws is a community-maintained open-source tool which supports a range of SAML Identity Providers (IdPs) to enable authentication to AWS accounts. Stax Support is unable to provide support for saml2aws. Issues encountered with the operation of saml2aws should be raised as issues in its GitHub repository.
Retrieve the SAML Endpoint URI
The SAML endpoint URI is the endpoint saml2aws will query to log you in to a particular AWS account.
First, you'll need to determine your IDAM URL. To do this, open the Stax Console login page and proceed to the credential entry page. It should look something like this:
In the example above, the IDAM URL is
To build out the SAML endpoint URI for saml2aws, append the following string to the end of the IDAM URL: /auth/realms/master/protocol/saml/clients/amazon-aws. So, in this example, the SAML endpoint URI is as follows:
Make a note of the SAML endpoint URI, you'll need this in the next step.
Configure saml2aws to work with Stax
- Open a terminal/shell on your computer
- Run saml2aws configure -a stax (you can replace stax here with any saml2aws profile name you'd like)
- When prompted to choose a provider, select KeyCloak
- Enter an AWS Profile name. This will be the profile name you'll use when invoking AWS CLI commands. You'll probably find it easiest if this matches the saml2aws profile name you used above in step 2
- When prompted for a URL, enter the SAML endpoint URI you retrieved earlier
- Provide the Username you use when logging in to the Stax Console
Log in to your AWS account using saml2aws
- Open a terminal/shell on your computer
- Run saml2aws login -a stax (replace stax with the saml2aws profile name you nominated in the previous section)
- When prompted, enter the Username, Password, and optionally MFA token (security token) you use when logging in to Stax
- saml2aws will prompt you to choose an account and role combination. You'll see all the accounts and roles you have access to with your current credentials. Choose one from the list using the arrow keys then press enter/return
- saml2aws will retrieve short-term credentials for you that are valid for one hour. You can access these using the AWS_PROFILE=stax environment variable, replacing stax with the AWS Profile name you nominated in the previous section
How do you know this worked?
- Open a terminal/shell on your computer
- Run the following command to validate that your credentials are working:
aws --profile stax --region ap-southeast-2 sts get-caller-identity
- The AWS CLI will return a result containing your User ID, Account number, and assumed role ARN
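The configure, login and verification steps above, combined into one script as an added example (not Stax's or saml2aws's own code). It derives the SAML endpoint URI from the IDAM URL, refuses a non-HTTPS IDAM URL, and checks that the profile really is an assumed role in the account you expected rather than only printing the identity; idam.example.invalid and the account ID are constructed placeholders, and the saml2aws flags used are the tool's global --idp-provider, --url, --profile and --skip-prompt options.

```shell
#!/bin/sh
# Added example, not Stax's or saml2aws's own code: derive the saml2aws SAML endpoint
# from a Stax IDAM URL, configure saml2aws non-interactively, and verify that the
# resulting AWS profile really is an assumed role in the account you expected.
# "idam.example.invalid" and the account id below are constructed placeholders.

# IDAM URL + the fixed Keycloak client path from the page = saml2aws endpoint URI.
build_saml_endpoint() {
  idam="${1%/}"                       # drop a trailing slash so we never emit "//auth"
  case "$idam" in
    https://*) ;;                     # your Stax password goes to this URL, so insist on TLS
    *) echo "IDAM URL must start with https://" >&2; return 1 ;;
  esac
  printf '%s/auth/realms/master/protocol/saml/clients/amazon-aws\n' "$idam"
}

# Parse 'aws sts get-caller-identity' output and require an assumed-role ARN in the
# expected account; a static IAM user key or a role in another account fails the check.
check_caller_identity() {
  json="$1"
  expected_account="$2"
  arn=$(printf '%s\n' "$json" | sed -n 's/.*"Arn": *"\([^"]*\)".*/\1/p')
  case "$arn" in
    arn:aws:sts::"$expected_account":assumed-role/*) return 0 ;;
    *) echo "unexpected caller identity: ${arn:-<none>}" >&2; return 1 ;;
  esac
}

# Constructed sample of what get-caller-identity returns after a saml2aws login.
SAMPLE_IDENTITY='{
    "UserId": "AROAEXAMPLEROLEID:jane.doe",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/example-role/jane.doe"
}'

if [ "${1:-}" = "login" ]; then
  # Real flow: ./stax-login.sh login <idam-url> <expected-account-id>
  endpoint=$(build_saml_endpoint "$2") || exit 1
  # Username, password and MFA token are still prompted for by saml2aws login.
  saml2aws configure -a stax --idp-provider KeyCloak --url "$endpoint" \
    --profile stax --skip-prompt
  saml2aws login -a stax
  check_caller_identity "$(aws --profile stax --region ap-southeast-2 \
    sts get-caller-identity)" "$3" && echo "logged in to account $3"
else
  # No arguments: exercise both checks on the constructed sample data only.
  build_saml_endpoint "https://idam.example.invalid/"
  check_caller_identity "$SAMPLE_IDENTITY" 123456789012 && echo "identity check passed"
fi
```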
saml2aws Error: "URL empty in idp account"
When attempting to execute saml2aws login, you may receive the following error:
error building login details: failed to validate account: URL empty in idp account
This error indicates that you have yet to run saml2aws configure for this profile. Run this first and then try running saml2aws login again.