How to Log into AWS
We use Leapp to log into AWS. Leapp is a tool that authenticates you with your organization's Identity Provider (IdP) and then assumes an IAM Role in AWS, so you can use your organization's SSO to access AWS.
Requirements
2 Install the AWS Session Manager plugin (if required)
brew install --cask session-manager-plugin
Setup
The following steps are required only for initial setup.
1 Launch Leapp
2 Create new Integration
[Image: Leapp Integration]
3 Fill out the Single Sign-On configuration
Alias: acme # Whatever label you would like for this Integration in Leapp
Portal URL: https://d-1111aa1a11.awsapps.com/start/ # Set this to your SSO Launch URL
AWS Region: us-east-1 # Your primary region
Auth. Method: In-browser # Optional
4 Click the Integration “dots” and select “Login”.
This should launch a tab in your web browser.
[Image: Leapp Integration Dots]
[Image: Leapp Integration Login]
5 Log into your IdP
Log into your Organization's IdP and “Allow” the authorization request.
6 Create a “Chained Session” from core-identity
Create a “Chained Session” from the core-identity account with the IdentityDevopsTeamAccess Role.
This Permission Set matches the given Team name. For example, Developers use IdentityDevelopersTeamAccess and
DevOps uses IdentityDevopsTeamAccess.
[Image: Leapp Chained Session]
7 Fill out the Chained Session configuration
Fill out the Chained Session configuration for connecting to core-identity
Named profile: acme-identity # This must match the profile name given in AWS config
Session Alias: acme-identity # Optional
AWS Region: us-east-1 # This must be your primary region
Role ARN: arn:aws:iam::666666666666:role/acme-core-gbl-identity-devops # This ARN depends on the given team. This example uses the "devops" team
Role Session Name: acme-identity # Optional
Assumer Session: core-identity # This must match the name of the identity account, almost always "core-identity"
[Image: Leapp Chained Session Configuration]
8 (Optional) Pin the new acme-identity IAM Role Chained Session
This makes it easier to filter to the primary session we will use for connecting to AWS.
- Go to All Sessions
- Find the new IAM Role Chained Session for acme-identity (or whatever value you used for Session Alias)
- Click the dots on the IAM Role Chained Session
- Select Pin Session
9 Connect to the acme-identity IAM Role Chained Session
- Select the Session
- Click Start Session
[Image: Leapp Start Session]
10 Rebuild Geodesic
Open your terminal of choice, navigate to the infrastructure repository, and launch Geodesic
make all
11 Use AWS in Geodesic
You're done! You can now use AWS from within Geodesic.
[Image: Geodesic Check]
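The Integration (step 3) and Chained Session (step 7) settings above correspond to an AWS CLI profile chain: an SSO-backed core-identity profile, and an acme-identity profile that assumes the team Role ARN from it. As an added example (not from the original page or the Leapp project), here is that ~/.aws/config as a constructed string plus a check that the chain resolves back to the SSO profile; the sso_account_id (taken from the Role ARN) and sso_role_name (the Permission Set from step 6) are assumptions.

```python
import configparser
import re

# Constructed AWS CLI config mirroring the Leapp Integration (step 3) and
# Chained Session (step 7). Assumptions: sso_account_id is the account from the
# Role ARN, and sso_role_name is the team Permission Set named in step 6.
AWS_CONFIG = """[sso-session acme]
sso_start_url = https://d-1111aa1a11.awsapps.com/start/
sso_region = us-east-1

[profile core-identity]
sso_session = acme
sso_account_id = 666666666666
sso_role_name = IdentityDevopsTeamAccess
region = us-east-1

[profile acme-identity]
role_arn = arn:aws:iam::666666666666:role/acme-core-gbl-identity-devops
source_profile = core-identity
role_session_name = acme-identity
region = us-east-1
"""

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def load_config(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def resolve_chain(cp, profile):
    """Follow source_profile hops back to the SSO root; returns the ordered profile names."""
    chain = []
    while True:
        section = f"profile {profile}"
        if section not in cp:
            raise ValueError(f"profile '{profile}' not found in AWS config")
        if profile in chain:
            raise ValueError(f"source_profile cycle at '{profile}'")
        chain.append(profile)
        sec = cp[section]
        if "sso_session" in sec or "sso_start_url" in sec:
            return chain  # reached the profile authenticated by the IdP
        if "role_arn" not in sec or not ROLE_ARN_RE.match(sec["role_arn"]):
            raise ValueError(f"'{profile}' has no valid role_arn to assume")
        profile = sec.get("source_profile", "")
        if not profile:
            raise ValueError(f"'{section}' sets role_arn without source_profile")
```

With the real file in place, `aws sts get-caller-identity --profile acme-identity` confirms the assumed role the same way the Geodesic check does.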
Usage
After initial setup, quickly connect to AWS with the following steps:
- Launch Leapp
- Connect to the acme-identity IAM Role Chained Session
[Image: Leapp Start Session]
- Open your terminal of choice, navigate to the infrastructure repository, and launch Geodesic
make run
- Done!
[Image: Geodesic Check]