Azure AD and AWS console – Part 1

I recently had the challenge of connecting the AWS management console of a really large AWS multi-account environment to Azure AD using SAML.

The AWS environment had about 350 accounts, but accounts are constantly coming and going. So everything must be automated and capable of supporting more than 500 accounts.

The main drivers for this initiative were:

  • Prevent additional user management and credentials inside AWS
  • Assure a clean lifecycle by using existing AAD users and groups
  • Deploy Azure MFA for AWS admins
  • Option to enable other access paths by using AAD Conditional Access
  • Option to use Azure AD B2B Guest users with AWS

There will be multiple parts:

  • Part 1: Basic setup (You are here!)
  • Part 2: Extension for high number of AWS accounts
  • Part 3: Automation using Microsoft Graph
  • Part 4: Azure MFA and Azure B2B users

You should be familiar with basic Azure AD concepts like app roles, SAML and claim mapping.

Now let’s start.

The basic setup is pretty much explained in these two links:

Find here only a short summary:

  1. Trust between AWS and Azure AD must be established. Basically, you need to create and configure Azure AD as an IdP in the AWS account.
  2. Create an Azure AD application for AWS. Important: use the AWS gallery app!
  3. Now we need a custom app role for each AWS role. Unfortunately, this is not possible in the GUI; you have to use Graph Explorer. The value of each app role must precisely follow the AWS role pattern (role ARN and SAML provider ARN, comma-separated):
     arn:aws:iam::account-number:role/role-name,arn:aws:iam::account-number:saml-provider/idpname
     You can also let Azure AD pull the roles from AWS using provisioning. I liked it better to do it manually. We will come to that later when we automate all of that.
  4. Now map the created app roles to Azure AD groups.
  5. As a last step, the app roles must be emitted via SAML using the AWS-specific role claim:
     Claim name: https://aws.amazon.com/SAML/Attributes/Role
     Source attribute: user.assignedroles
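As an added example for steps 3 and 5 (my own helper, not the author's automation and not Microsoft tooling), this Python code builds the appRoles entries of a Microsoft Graph application object in exactly the value format above, validates each value against that pattern, and estimates how much of the AWS SAML token the role claim will consume, taking into account that Azure AD emits the roles twice. The account IDs, role names and IdP name are constructed sample values; the deterministic GUIDs are my design choice.

```python
import re
import uuid

# Value format the page gives for each app role: "<role ARN>,<SAML provider ARN>".
# Both ARNs must carry the same 12-digit account id (backreference \1).
ROLE_VALUE_RE = re.compile(
    r"^arn:aws:iam::(\d{12}):role/([\w+=.@-]+),"
    r"arn:aws:iam::\1:saml-provider/([\w._-]+)$"
)

# Limit stated on the page; Azure AD emits every app role twice, so only
# about half of it is really available for the AWS role claim.
AWS_SAML_LIMIT_CHARS = 100_000
EMISSION_FACTOR = 2


def role_value(account_id: str, role_name: str, idp_name: str) -> str:
    """Build one app-role value and reject anything AWS would not parse."""
    value = (f"arn:aws:iam::{account_id}:role/{role_name},"
             f"arn:aws:iam::{account_id}:saml-provider/{idp_name}")
    if not ROLE_VALUE_RE.match(value):
        raise ValueError(f"malformed role value: {value}")
    return value


def app_role(account_id: str, role_name: str, idp_name: str) -> dict:
    """One entry of the Graph application 'appRoles' collection."""
    value = role_value(account_id, role_name, idp_name)
    return {
        "allowedMemberTypes": ["User"],
        "description": f"AWS role {role_name} in account {account_id}",
        "displayName": f"{account_id}-{role_name}",
        # Assumption: a name-based GUID keeps ids stable across re-runs,
        # so group assignments do not break when the list is regenerated.
        "id": str(uuid.uuid5(uuid.NAMESPACE_URL, value)),
        "isEnabled": True,
        "value": value,
    }


def build_app_roles(accounts, role_names, idp_name) -> list:
    """Cross product of accounts x roles, ready for PATCH on the application."""
    return [app_role(a, r, idp_name) for a in accounts for r in role_names]


def estimated_role_claim_chars(values) -> int:
    """Characters the role values add to the SAML response (emitted twice)."""
    return EMISSION_FACTOR * sum(len(v) for v in values)


def fits_saml_limit(values) -> bool:
    """True if one user holding all these roles stays under the AWS limit."""
    return estimated_role_claim_chars(values) < AWS_SAML_LIMIT_CHARS
```

Feeding the list to Graph is a PATCH of the application object's appRoles; the size check is worth running per user (or per group) before assigning, since the limit is hit per token, not per application.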

So that is the basic scenario.

Actually, this setup also works for multiple AWS accounts, up to a point. You just need to add more roles pointing to other AWS accounts. That was also Microsoft’s recommended scenario for quite some time.

But there are some hard limitations of that scenario:

  1. The number of app roles per AAD application is limited to ca. 1200 – in my scenario, we would have easily hit that number.
  2. AWS has a limit of 100,000 characters in the SAML token (source). Be aware that Azure AD will emit all app roles twice: once in the configured AWS SAML claim and once again in the Azure AD default SAML claim for app roles. So basically you can only use half the token size for roles! We hit that limit at ca. 300 roles for one user. I reported that to MS, but it is not fixed yet …
  3. On AWS the user is presented with a list of all roles in all accounts – the master admins see a really long, inconvenient list here.

Given my requirements, it was clear that the single Azure AD app scenario would not work – at least not for long.

In Part 2, I will show you how to extend that scenario to multiple Azure AD apps. Stay tuned.