# aws-saml-cli

CLI tool for SAML-based AWS authentication via your Identity Provider (IdP).

It saves your IdP login session in encrypted form, captures the SAML response your IdP posts to AWS, parses the assertion, and assumes your AWS role with STS `AssumeRoleWithSAML`.

## Features

- Interactive login via browser
- Saves session state encrypted with uniquenv
- Intercepts the SAML response and extracts role information
- Assumes the AWS role and writes credentials to `~/.aws/credentials`
- Optional AWS region override via `--region`
## Installation

```sh
npm install -g aws-saml-cli
```

Installs the CLI globally as the `aws-saml-cli` command.
## Usage

### Save a session

```sh
aws-saml-cli save-session "<saml-login-url>"
```

- Opens a browser to the given SAML login URL
- Log in manually, then press F8 or the Resume button in the browser
- The encrypted session is saved to `~/.aws-saml-cli/session.uniquenv`
### Capture credentials

```sh
aws-saml-cli capture [--region <aws-region>]
```

- Loads the encrypted session
- Navigates to the previously stored login URL
- Intercepts the SAML `POST` request
- Parses the `SAMLResponse` and extracts the role and principal ARNs
- Sends `AssumeRoleWithSAML` to STS
- Writes credentials to `~/.aws/credentials` under `[default]`
- The region can be provided via `--region`; otherwise it is resolved from:
  - the `AWS_REGION` or `AWS_DEFAULT_REGION` environment variable
  - the `~/.aws/config` profile
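The data path of `capture` after the SAML `POST` has been intercepted, as an added example that is not the aws-saml-cli project's own code: decode the `SAMLResponse` form field, pull the role/principal ARN pairs out of the AWS `Role` attribute, build the STS `AssumeRoleWithSAML` input, render the `[default]` profile, and resolve the region in the order the list above gives. The SAML assertion is constructed and unsigned, the regex-based extraction stands in for a real XML parser, and all function names are this example's own.

```javascript
// Added example, not aws-saml-cli's code: the steps of `capture` between the
// intercepted SAML POST and the credentials file. The assertion below is a
// constructed, unsigned sample; real ones are signed and far larger, and a
// production client should use an XML parser rather than these regexes.
const ROLE_ATTR = 'https://aws.amazon.com/SAML/Attributes/Role';

const SAMPLE_XML = `<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion><saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="${ROLE_ATTR}">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/Developer,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::123456789012:saml-provider/ExampleIdP,arn:aws:iam::123456789012:role/ReadOnly</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement></saml2:Assertion>
</saml2p:Response>`;
// The browser POSTs this field to https://signin.aws.amazon.com/saml, base64-encoded.
const SAMPLE_SAML_RESPONSE = Buffer.from(SAMPLE_XML, 'utf8').toString('base64');

function decodeSamlResponse(samlResponseB64) {
  return Buffer.from(samlResponseB64, 'base64').toString('utf8');
}

// Every AttributeValue under the AWS Role attribute, whatever the namespace prefix.
function extractRoleAttributeValues(xml) {
  const start = xml.indexOf(`Name="${ROLE_ATTR}"`);
  if (start === -1) return [];
  const closeRe = /<\/(?:\w+:)?Attribute>/g;
  closeRe.lastIndex = start;
  const close = closeRe.exec(xml);
  const body = xml.slice(start, close ? close.index : xml.length);
  const valueRe = /<(?:\w+:)?AttributeValue[^>]*>\s*([^<]+?)\s*<\/(?:\w+:)?AttributeValue>/g;
  const values = [];
  let m;
  while ((m = valueRe.exec(body)) !== null) values.push(m[1]);
  return values;
}

// Each value is "role-arn,provider-arn", but IdPs emit the two in either
// order, so classify by ARN resource type instead of by position.
function parseRolePairs(values) {
  return values.map((value) => {
    const parts = value.split(',').map((p) => p.trim());
    const roleArn = parts.find((p) => /^arn:aws[\w-]*:iam::\d{12}:role\//.test(p));
    const principalArn = parts.find((p) => /^arn:aws[\w-]*:iam::\d{12}:saml-provider\//.test(p));
    if (parts.length !== 2 || !roleArn || !principalArn) {
      throw new Error(`malformed Role attribute value: ${value}`);
    }
    return { roleArn, principalArn };
  });
}

// Input for STS AssumeRoleWithSAML (the field names the AWS SDK v3
// AssumeRoleWithSAMLCommand takes). The assertion is sent still base64-encoded;
// STS verifies the IdP signature, the client never does.
function buildAssumeRoleInput(samlResponseB64, pair, durationSeconds = 3600) {
  return {
    RoleArn: pair.roleArn,
    PrincipalArn: pair.principalArn,
    SAMLAssertion: samlResponseB64,
    DurationSeconds: durationSeconds,
  };
}

// The profile block written to ~/.aws/credentials from the STS Credentials object.
function renderCredentialsProfile(profile, creds) {
  return [
    `[${profile}]`,
    `aws_access_key_id = ${creds.AccessKeyId}`,
    `aws_secret_access_key = ${creds.SecretAccessKey}`,
    `aws_session_token = ${creds.SessionToken}`,
    '',
  ].join('\n');
}

// --region, then AWS_REGION, then AWS_DEFAULT_REGION, then ~/.aws/config, where
// the default profile is headed "[default]" and others "[profile <name>]".
function resolveRegion(flagRegion, env, awsConfigText, profile = 'default') {
  if (flagRegion) return flagRegion;
  if (env.AWS_REGION) return env.AWS_REGION;
  if (env.AWS_DEFAULT_REGION) return env.AWS_DEFAULT_REGION;
  const wanted = profile === 'default' ? 'default' : `profile ${profile}`;
  let section = null;
  for (const raw of awsConfigText.split(/\r?\n/)) {
    const line = raw.trim();
    const header = line.match(/^\[(.+)\]$/);
    if (header) { section = header[1].trim(); continue; }
    const kv = line.match(/^region\s*=\s*(\S+)/);
    if (kv && section === wanted) return kv[1];
  }
  return undefined;
}

// Walk the sample end to end and return what `capture` would hand to STS.
function demo() {
  const pairs = parseRolePairs(extractRoleAttributeValues(decodeSamlResponse(SAMPLE_SAML_RESPONSE)));
  const region = resolveRegion(undefined, {}, '[default]\nregion = eu-west-1\n');
  return { pairs, region, stsInput: buildAssumeRoleInput(SAMPLE_SAML_RESPONSE, pairs[0]) };
}
```

When an assertion carries several `Role` values, as the sample does, the CLI has to pick one pair before calling STS; `demo()` takes the first. Note that nothing on the client side checks the assertion's signature or audience: that is STS's job, which is also why the tool only needs the raw `SAMLResponse` and not the IdP's certificate.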
## Example

```sh
aws-saml-cli save-session "https://your-idp.example.com/sso/initiate"
aws-saml-cli capture
aws sts get-caller-identity
```

The last command verifies the result: it should report the account and the `assumed-role` ARN of the role you selected.

## Session storage

The session is stored at:

```
~/.aws-saml-cli/session.uniquenv
```

It is encrypted with uniquenv using a device-specific key, so it cannot be decrypted on other machines. That protects the file only if it is copied off the device: it still holds your IdP login state, and any process running as your user on the same machine can decrypt it, so treat it with the same care as a long-lived browser session.