Logging in to an AWS Account Managed by Stax

Stax allows you to log in to AWS accounts using both the Stax Console and the CLI.

Stax manages your AWS accounts and provides federated identity access management (IDAM) to allow you to assume a role in an AWS account using your Stax credentials.

Before You Begin

  • Estimated time to complete: 15 minutes
  • You should have the AWS CLI (version 1 or 2) installed on your computer
  • Your Stax platform permissions do not necessarily reflect your access to the AWS Accounts in Stax. Your access to AWS Accounts is controlled at the Account Type level by Groups

Logging in to an AWS Account via the Stax Console

The process of logging in to an AWS account via the Stax Console is quite straightforward.

  1. Log in to the Stax Console

  2. In the left-hand nav, choose Accounts, then All Accounts

    (Screenshot: All Accounts)
  3. Find the account you want to log in to in the list. Click the vertical ellipsis (⋮) on the right-hand side of the row

    (Screenshot: Account Roles)
  4. Choose the role you wish to log in to the AWS account with. This will open the account in a new tab/window for you to interact with

    (Screenshot: AWS Account)

Logging in to an AWS Account Using the CLI

Stax recommends the use of the open-source tool saml2aws for streamlining AWS account access via Stax and the Stax IDAM. You should install saml2aws on your computer using the instructions provided by saml2aws before continuing.

saml2aws is a community-maintained open-source tool which supports a range of SAML Identity Providers (IdPs) to enable authentication to AWS accounts. Stax Support is unable to provide support for saml2aws. Issues encountered with the operation of saml2aws should be raised as issues in its GitHub repository.

Retrieve the SAML Endpoint URI

The SAML endpoint URI is the endpoint saml2aws will query to log you in to a particular AWS account.

  1. First, you'll need to determine your IDAM URL. To do this, open the Stax Console login page and proceed to the credential entry page. It should look something like this:

    (Screenshot: Login Page)

    In the example above, the IDAM URL is https://id.security.somecompany.au1.staxapp.cloud

    To build the SAML endpoint URI for saml2aws, append the path /auth/realms/master/protocol/saml/clients/amazon-aws to the IDAM URL (scheme and host only, without a trailing slash). So, in this example, the SAML endpoint URI is:

    https://id.security.somecompany.au1.staxapp.cloud/auth/realms/master/protocol/saml/clients/amazon-aws

  2. Make a note of the SAML endpoint URI; you'll need it in the next step.

Configure saml2aws to Work with Stax

  1. Open a terminal/shell on your computer
  2. Run saml2aws configure -a stax (You can replace stax here with any saml2aws profile name you'd like)
  3. When prompted to choose a provider, select KeyCloak
  4. Enter an AWS Profile name. This will be the profile name you'll use when invoking AWS CLI commands. You'll probably find it easiest if this matches the saml2aws profile name you used above in step 2
  5. When prompted for a URL, enter the SAML endpoint URI you retrieved earlier
  6. Provide the Username you use when logging in to the Stax Console

Log in to Your AWS Account Using saml2aws

  1. Open a terminal/shell on your computer
  2. Run saml2aws login -a stax (replace stax with the saml2aws profile name you nominated in the previous section)
  3. When prompted, enter the Username, Password, and optionally MFA token (security token) you use when logging in to Stax
  4. saml2aws will prompt you to choose an account and role combination. You'll see all the accounts and roles you have access to with your current credentials. Choose one from the list using the arrow keys then press enter/return
  5. saml2aws will retrieve short-term credentials for you that are valid for one hour and write them to the AWS profile you nominated. Use them by passing --profile stax to the AWS CLI or by exporting the AWS_PROFILE=stax environment variable, replacing stax with the AWS Profile name you nominated in the previous section

How Do You Know This Worked?

  1. Open a terminal/shell on your computer

  2. Run the following command to validate that your credentials are working:

    aws --profile stax --region ap-southeast-2 sts get-caller-identity
  3. The AWS CLI will return a result containing your User ID, Account number, and assumed role ARN
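The script below is an added example; it is not part of this article and not code from the saml2aws project. It strings the three procedures above together (deriving the SAML endpoint URI, configuring saml2aws, logging in and verifying the result) and adds two checks worth having in practice: the IDAM URL is reduced to its https origin before the Keycloak SAML path is appended (so a URL pasted straight from the address bar, with a path, query string or trailing slash, still produces the right endpoint, and a plain http URL is rejected), and the get-caller-identity response is compared against the account ID and role you meant to assume rather than just read by eye. The profile name stax, the username alice@somecompany.com, the account ID 123456789012, the role name stax-admin and the STAX_RUN switch are assumptions for illustration. The saml2aws flags used (--idp-provider, --url, --username, --profile, --skip-prompt, --session-duration) and the SAML2AWS_PASSWORD / SAML2AWS_MFA_TOKEN environment variables are saml2aws's own.

```shell
#!/bin/sh
# Added example (not from the Stax article or the saml2aws project): derive the
# SAML endpoint URI, configure saml2aws, log in, and verify the assumed identity.
# Hypothetical values: profile "stax", account 123456789012, role "stax-admin".
set -eu

# Fixed path of the Keycloak SAML client that Stax IDAM exposes for AWS.
SAML_PATH=/auth/realms/master/protocol/saml/clients/amazon-aws

# Build the saml2aws endpoint from whatever was copied out of the browser:
# keep only the https origin, drop any path/query/trailing slash, then append
# SAML_PATH. Refuses anything that is not https.
stax_saml_endpoint() {
  local url host
  url=$1
  case "$url" in
    https://*) ;;
    *) echo "IDAM URL must start with https://: $url" >&2; return 1 ;;
  esac
  host=${url#https://}   # strip the scheme
  host=${host%%/*}       # keep only host (and port, if any)
  host=${host%%\?*}      # a query string with no path would otherwise survive
  printf 'https://%s%s\n' "$host" "$SAML_PATH"
}

# Check a JSON get-caller-identity response against the intended account and
# role. The assumed-role ARN has the shape
#   arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION-NAME
caller_identity_matches() {
  local json want_account want_role account arn
  json=$1; want_account=$2; want_role=$3
  account=$(printf '%s' "$json" | sed -n 's/.*"Account" *: *"\([0-9]*\)".*/\1/p')
  arn=$(printf '%s' "$json" | sed -n 's/.*"Arn" *: *"\([^"]*\)".*/\1/p')
  [ "$account" = "$want_account" ] || return 1
  case "$arn" in
    "arn:aws:sts::${want_account}:assumed-role/${want_role}/"*) return 0 ;;
  esac
  return 1
}

# End-to-end flow: configure the idp account, log in, verify the identity.
stax_login() {
  local idam_url username want_account want_role profile endpoint identity
  idam_url=$1; username=$2; want_account=$3; want_role=$4; profile=${5:-stax}
  endpoint=$(stax_saml_endpoint "$idam_url")

  # Non-interactive equivalent of the "saml2aws configure -a stax" walkthrough.
  saml2aws configure -a "$profile" --idp-provider KeyCloak --url "$endpoint" \
    --username "$username" --profile "$profile" --skip-prompt

  # Password and MFA token are prompted for unless SAML2AWS_PASSWORD and
  # SAML2AWS_MFA_TOKEN are set; the account/role picker appears unless
  # --role and --skip-prompt are given. Credentials last one hour here.
  saml2aws login -a "$profile" --session-duration 3600

  identity=$(aws --profile "$profile" --region ap-southeast-2 \
    sts get-caller-identity --output json)
  if caller_identity_matches "$identity" "$want_account" "$want_role"; then
    echo "OK: profile $profile is account $want_account, role $want_role"
  else
    echo "Wrong identity for profile $profile:" >&2
    echo "$identity" >&2
    return 1
  fi
}

# Only run the live flow when explicitly asked, e.g.
#   STAX_RUN=1 ./stax-login.sh https://id.security.somecompany.au1.staxapp.cloud \
#       alice@somecompany.com 123456789012 stax-admin
if [ "${STAX_RUN:-}" = 1 ]; then
  stax_login "$@"
fi
```

The identity check is the part worth keeping even if you run the rest by hand: saml2aws will happily hand you credentials for whichever account and role you picked in its list, and a typo in that picker is invisible until the first write lands in the wrong account.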


Troubleshooting

saml2aws Error: "URL empty in idp account"

When attempting to execute saml2aws login, you may receive the following error message:

error building login details: failed to validate account: URL empty in idp account

This error indicates that the saml2aws profile you named with -a has no SAML endpoint URI, which usually means you have yet to run saml2aws configure for it (or ran it under a different profile name). Run saml2aws configure -a stax (using your profile name) and supply the SAML endpoint URI, then try running saml2aws login again.

See also