How to Log into AWS
We use Leapp to facilitate logging into AWS. Leapp is a tool that allows you to authenticate with your organization's Identity Provider (IdP) and then assume an IAM Role in AWS. This allows you to use your organization's SSO to authenticate with AWS.
Requirements
2 Install AWS Session Manager (If required)
brew install --cask session-manager-plugin
Setup
The following steps are required only for initial setup.
1 Launch Leapp
2 Create new Integration
Leapp Integration assets-refarch-leapp-integration.png
3 Fill out Single Sign-On configuration�
Alias: acme # This can be whatever you would like to label the Integration in Leapp
Portal URL: https://d-1111aa1a11.awsapps.com/start/ # Set this to your SSO Launch URL
AWS Region: us-east-1 # Your primary region
Auth. Method: In-browser # Optional
4 Click Integration “dots” and select “Login”.
This should launch a tab in your web browser.
Leapp Integration Dots assets-refarch-leapp-integration-dots.png Leapp Integration Login assets-refarch-leapp-integration-login.png
5 Log into your IdP
Log into your IdP for your Organization and “Allow” Authorization request
6 Create a “Chained Session” from core-identity
Create a “Chained Session” from the core-identity account with the IdentityDevopsTeamAccess Role
This Permission Set will match the given Team name. For example, Developers will use IdentityDevelopersTeamAccess and
DevOps will use IdentityDevopsTeamAccess.
![Leapp Chained Session ssets-refarch leapp-chained-session.png)
7 Fill out the Chained Session configuration
Fill out the Chained Session configuration for connecting to core-identity
Named profile: acme-identity # This must match the profile name given in AWS config
Session Alias: acme-identity # Optional
AWS Region: us-east-1 # This must be your primary region
Role ARN: arn:aws:iam::666666666666:role/acme-core-gbl-identity-devops # This ARN depends on the given team. This example uses the "devops" team
Role Session Name: acme-identity # Optional
Assumer Session: core-identity # This must match the name of the identity account, almost always "core-identity"
![Leapp Chained Session Configuration ssets-refarch leapp-chained-session-configuration.png)
8 (Optional) Pin the new acme-identity IAM Role Chained Session
This makes it easier to filter to the primary session we will be used for connecting to AWS
- Go to All Sessions
- Find the new IAM Role Chained Session for
acme-identityor whatever value you used forSession Alias - Click the dots on the IAM Role Chained Session
- Select Pin Session
9 Connect to acme-identity IAM Role Chained Session
- Select the Session
- Click Start Session ![Leapp Start Session ssets-refarch leapp-start-session.png)
10 Rebuild Geodesic
Open your terminal of choice, navigate to the infrastructure repository, and launch Geodesic
make all
11 Use AWS in Geodesic
You're done! You can now use AWS from with in Geodesic.
![Geodesic Check ssets-refarch geodesic-check.png)
Usage
After initial setup, quickly connect to AWS with the following steps:
-
Launch Leapp
-
Connect to
acme-identityIAM Role Chained Session ![Leapp Start Session ssets-refarch leapp-start-session.png) -
Open your terminal of choice, navigate to the
infrastructurerepository, and launch Geodesicmake run -
Done!
![Geodesic Check ssets-refarch geodesic-check.png)