Authentication to AWS Services using AWS CLI

You can use PrivX to authenticate and authorize users of the ​AWS Command Line Interface​​ (AWS​ CLI). PrivX automatically issues short-term credentials and configures AWS CLI to allow users to perform their tasks.

To use assume-role credentials for AWS CLI, see Configuring assume-role access to AWS API

If you would rather use Federation Tokens to delegate access through IAM role policies, see Configuring federated token access to AWS API

Prerequisites

  • PrivX grants access to AWS services via the AWS Command Line Interface​​ (CLI account). The person receiving access must have a Unix or Mac account with AWS​ CLI set up.

  • The CLI account must be set up with PrivX agents. For instructions about setting up and using PrivX agents, see PrivX Agent Setup

  • Verify the system time on the host with the CLI account. Short-term credentials issued by PrivX are very time-sensitive. Even a clock skew of few minutes may prevent successful authentication.

Using AWS Services

After you have set up access to AWS services, you can use the services authorized to you as follows:

  1. Log into the CLI account on your workstation, activate the PrivX agent if necessary.

  2. Use the PrivX agent to log into PrivX (replace ​username​​ with your PrivX-user name):

    $ privx-agent-ctl login ​username​​
    
  3. Determine and assume an AWS role available for your account (replace ​example_aws_role​​ with the name of the role you want to assume):

    $ privx-agent-ctl aws-role list
    
    $ privx-agent-ctl aws-role set ​example_aws_role​​
    

    You may verify that you have successfully assumed the role by listing the AWS roles. It should be marked with an asterisk (*). For example:

    $ privx-agent-ctl aws-role list
    Available AWS roles:
      example_aws_role_0
    ​   *example_aws_role​​
      example_ws_role_2
      ...
    

    You are now permitted to run any AWS services permitted by the AWS role. For example, if the AWS role gives you read access to the ​s3​​ service, you can now run:

    $ aws s3 ls s3://bucket.example.com/
    

Did this page help you?