IAM
Space shortcuts

Log in to ASTRA
Manage UW Groups
Manage UW NetID Resources
Manage Certificates
Register/Update Shibboleth SP

IAM in Service Catalog

Access Management
Authentication
Directory Services
UW NetID
UW Directory
Microsoft Infrastructure

Page Tree

Child pages
  • Sign in to the AWS Console with UW NetID

Versions Compared

Old Version 24

changes.mady.by.user Ian Walsh

Saved on

compared with

New Version Current

changes.mady.by.user Ian Walsh

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Send UW-IT your Amazon Account ID

    1. Account ID is on the "My Account" AWS Console page

    2. Email iam-support@uw.edu your Account ID

    3. UW-IT will create a UW group stem for you to manage your AWS roles

      1. u_weblogin_aws_(accountid)
  2. Add the UW IdP as an Identity Provider
    1. "AWS Console" → "IAM" →  "Identity Providers" → "Create Provider"
      1. Provider Type: "SAML"
      2. Provider Name: "UW"
      3. Metadata Document:
        1. Attach the IdP's metadata as a file
      4. Next Step
        1. "Create"
  3. Create an AWS role for SAML login
    1. "IAM" Service -> "Roles" -> "Create New Role"
    2. Select "SAML 2.0 federation"
      1. SAML provider: select what you created from step #2
      2. Attribute: "SAML:aud"
      3. Value: "https://signin.aws.amazon.com/saml"
    3. Click "Next Permissions"
      1. Choose the AWS Policies that you want to grant to this role
    4. Click "Next Review"
      1. Role Name
        1. Must consists of: lowercase letters, digits, dashes, dots only!
        2. The role name will/must match the corresponding UW group ID (see step 4c below)
      2. Click "Create Role"
  4. Create a UW group that will be granted your AWS role
    1. Sign in to the UW groups service (https://groups.uw.edu)
    2. Create a new group under the group stem created for you (in step 1c)
    3. The last part of the Group ID (after the final "_") must match your AWS Role Name (rolename):
      1. u_weblogin_aws_(accountid)_(rolename)
    4. Add netids the UW NetIDs of people who can sign in and assume the role as members of this new group
      1. Users must be added as members of the group (direct or effective). Adding a user as an admin (or another non-member role) will not permit SSO.
  5. Sign in to the AWS Console
    1. Amazon uses IdP-initiated SSO. This is also known as "unsolicited" SSO since the it isn't initiated by the service provider.
    2. A static link is used to initiate sign-in from the UW IdP.
      1. Either click this link: Sign in to the AWS Console with UW NetID
      2. Or copy and use this location: https://idp.u.washington.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices 
    3. Clicking the link above initiates sign-in from the UW IdP to Amazon.
    4. The maximum session duration defaults to one hour.  You can edit the AWS role itself to have a longer session duration.
    5. After the AWS session duration ends, the session with the AWS Console will expire.
    6. Use the IdP-initiated SSO link again to establish a new session.
  6.  Note: 2FA is enabled for all users by default.
    1. To learn more about 2FA options and eligibility, refer to two-factor authentication in IT Connect.

...