Authentication to AWS Services using AWS CLI
You can use PrivX to authenticate and authorize users of the AWS Command Line Interface (AWS CLI). PrivX automatically issues short-term credentials and configures AWS CLI to allow users to perform their tasks.
To use assume-role credentials for AWS CLI, see Configuring assume-role access to AWS API
If you would rather use Federation Tokens to delegate access through IAM role policies, see Configuring federated token access to AWS API
Prerequisites
PrivX grants access to AWS services via the AWS Command Line Interface (CLI account). The person receiving access must have a Unix or Mac account with AWS CLI set up.
The CLI account must be set up with PrivX agents. For instructions about setting up and using PrivX agents, see PrivX Agent Setup
Verify the system time on the host with the CLI account. Short-term credentials issued by PrivX are very time-sensitive. Even a clock skew of few minutes may prevent successful authentication.
Using AWS Services
After you have set up access to AWS services, you can use the services authorized to you as follows:
Log into the CLI account on your workstation, activate the PrivX agent if necessary.
Use the PrivX agent to log into PrivX (replace username with your PrivX-user name):
$ privx-agent-ctl login username
Determine and assume an AWS role available for your account (replace
example_aws_role
with the name of the role you want to assume):$ privx-agent-ctl aws-role list
$ privx-agent-ctl aws-role set example_aws_role
You may verify that you have successfully assumed the role by listing the AWS roles. It should be marked with an asterisk (*). For example:
$ privx-agent-ctl aws-role list Available AWS roles: example_aws_role_0 *example_aws_role example_ws_role_2 ...
You are now permitted to run any AWS services permitted by the AWS role. For example, if the AWS role gives you read access to the s3 service, you can now run:
$ aws s3 ls s3://bucket.example.com/