Programmatically get temporary AWS credentials using Azure AD integrated with AWS SSO

Question

Programmatically get temporary AWS credentials using Azure AD integrated with AWS SSO

VijayJ 5

I have Integrated a AWS Identity Center Enterprise application with Azure AD. Using Azure Single Sign-On I am able to access the AWS Account. How do I programmatically (using python or powershell or something else) achieve this. When I provide a Azure AD user credentials (in a script or code) I should get AWS temporary credentials (AccessKey, SecretKey, Token) which I can use to access the AWS account.

1 answer

Your answer

Answer 1

Sina Salam 22,031 Volunteer Moderator

@VijayJ

Welcome to Microsoft Q&A, thank you for posting your question here!

Interesting to know you would like to programmatically get temporary AWS credentials using Azure AD integrated with AWS SSO, which I can use to access the AWS account.

To programmatically get temporary AWS credentials from Azure AD integrated with AWS SSO using PowerShell, you can use the AWS PowerShell module.

You can use the following command to get temporary credentials:

$sts = Get-STSCallerIdentity
$roleArn = "arn:aws:iam::123456789012:role/RoleName"
$sessionName = "SessionName"
$sessionDuration = 3600
$roleSessionName = "RoleSessionName"
$credentials = $sts.Credentials.GetFederationToken($roleArn,$sessionName,$sessionDuration,$null,$null,$null,$null,$roleSessionName)

The above can be modified to suite your need. This will return temporary credentials that you can use to access AWS resources. You can then use these credentials to make API calls to AWS services.

For more information, you can read from the link below:

ID Credential Temp Request

ID Credential Temp Resources

Kindly let us know if the above helps or you need more assistance.

Best Regards,

Sina

VijayJ 5 Reputation points

2023-05-19T09:52:56.58+00:00

How do I use Get-STSCallerIdentity with a Azure AD user?
Sina Salam 22,031 Reputation points Volunteer Moderator

2023-05-19T15:33:00.6666667+00:00
@VijayJ

Thank you for more question:

You can use the Get-STSCallerIdentity cmdlet to retrieve the identity of the caller authenticated by Azure Active Directory (AD) when using Azure Resource Manager (ARM) authentication.

To use this cmdlet with an Azure AD user, you need to authenticate with Azure AD first. You can do this by using the Connect-AzAccount cmdlet.

Here’s an example of how you can use Get-STSCallerIdentity with an Azure AD user:

Connect-AzAccount Get-STSCallerIdentity

This will return the identity of the caller authenticated by Azure AD.

You can use the AWS Security Token Service (AWS STS) operations in the AWS API to request temporary security credentials. These include operations to create and provide trusted users with temporary security credentials that can control access to your AWS resources1.

Here is an example of how to programmatically get temporary AWS credentials using Azure AD integrated with AWS SSO using Get-STSCallerIdentity

$sts = New-Object Amazon.SecurityToken.AmazonSecurityTokenServiceClient $sts.Credentials = New-Object Amazon.Runtime.BasicAWSCredentials($accessKey,$secretKey) $sts.RegionEndpoint = [Amazon.RegionEndpoint]::USWest2 $callerIdentity = $sts.GetCallerIdentityAsync().Result

For more syntax on how to use:

Get-STSCallerIdentity

https://docs.aws.amazon.com/powershell/latest/reference/items/Get-STSCallerIdentity.html

I hope this is helpful!

Success,

Sina
Michael Marven 0 Reputation points

2025-04-10T14:20:05.3633333+00:00

Connect-AzAccount requires manually interacting with the cmdlet. How would I do this programmatically from a script within an ADO pipeline? Basically I have what I believe are the login and password for my service account which is my "programmatic user", I'm trying to set those using

Set-AWSCredential -AccessKey "userid" -SecretKey "password" -StoreAs "userid"

But then when I call Get-STSCallerIdentity I get the following error:
"Get-STSCallerIdentity : No credentials specified or obtained from persisted/shell defaults."

Share via

Programmatically get temporary AWS credentials using Azure AD integrated with AWS SSO

1 answer

Your answer