
AWS + SSO: Overcoming Challenges

Proposed by: Luba Gloukhova
We wrote code to help you use the AWS CLI using your Stanford SSO! It's really useful to be able to do this if you're using the CLI. Even if you're not using the CLI, you can use SSO by following the steps in the notes.


Who are we?


Many attendees are moving to a cloud provider, or already have committed to AWS.

Some attendees support clients who use AWS (e.g., law school or library)

Many attendees want to use SSO off campus.

Others use Google Cloud Platform (GCP) and are curious about relationships to AWS


How do you set up basic SSO on AWS?

  • [Stanford] Set up workgroups with people in them

  • [AWS] Make a role with limited abilities

  • Contact research computing with the Account, Roles (ARN) and Workgroups

  • AWS also needs to be set up with an IDP (Identity Provider)

    • There’s a set of instructions that Research Computing (and others) has

    • Research Computing sets up the SAML identity provider on AWS

    • Details?

  • You put a lot of trust in workgroups and IDP

  • Go to:


Our Team

Luba’s team supports faculty research at the GSB

  • Large data sets

  • Extensive compute resources


We give researchers access to AWS using SSO

  • Moving away from creating new logins

  • Challenges using AWS “Command Line Interface” (CLI)

  • Tracking who is doing what is tricky

  • In addition, we’ve set up AWS web sites (not just the web services themselves) to use SSO


CLI with roles

  • A terminal interface, frequently to move data sets to the cloud

  • AWS has roles that can be associated with workgroups

  • AWS will let you use the CLI with keys, but we want the keys to be generated automatically

  • Keys can be created for an SSO user that will expire after an hour

    • Thanks, random AWS blog!

    • We have a Python script that does this

  • GSB Digital Solutions also built a tool that uses SSO to create EC2 instances and SSH into them



  • Sometimes things may take more than an hour! How do we address that?

  • We’ve used it internally to some extent, but haven’t entirely deployed this


How does it look?

  • Run, to use your SUNet credentials to pick a role (based on workgroups)

  • Keys get generated in the credentials file

  • We can then use the AWS CLI normally with the profile name “SAML”

  • UIT has to map a role to a workgroup first!

  • The single sign-on is different from the key process
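The key-generation flow from the "CLI with roles" and "How does it look?" notes, as an added example (not the GSB team's script): it reads the roles the IdP's SAML assertion allows, trades the assertion for temporary keys through STS, and writes them into a credentials-file profile. The assertion, account id, role names and the `sts` client parameter are assumptions.

```python
# Added example, not the GSB team's script: read the roles the IdP's SAML
# assertion allows, trade it for temporary keys, write a profile. Constructed data.
import base64
import configparser
import xml.etree.ElementTree as ET

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def roles_from_assertion(saml_b64):
    """Return (role_arn, principal_arn) pairs from the Role attribute."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    pairs = []
    role_attrs = [a for a in root.iter(f"{{{SAML_NS}}}Attribute") if a.get("Name") == ROLE_ATTR]
    for attr in role_attrs:
        for val in attr.iter(f"{{{SAML_NS}}}AttributeValue"):
            a, b = [p.strip() for p in (val.text or "").split(",")]
            # AWS accepts either order; normalise to (role, saml-provider).
            pairs.append((a, b) if ":role/" in a else (b, a))
    return pairs

def assume_role(sts, role_arn, principal_arn, saml_b64, duration=3600):
    """Exchange the assertion for keys via the boto3 STS client passed in."""
    # DurationSeconds can exceed 3600 up to the role's max session duration.
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=principal_arn,
        SAMLAssertion=saml_b64, DurationSeconds=duration)
    return resp["Credentials"]

def write_profile(path, profile, creds):
    """Store the keys under [profile] so `aws --profile saml ...` works."""
    cfg = configparser.RawConfigParser()
    cfg.read(path)  # keep any other profiles in the file intact
    cfg[profile] = {"aws_access_key_id": creds["AccessKeyId"],
                    "aws_secret_access_key": creds["SecretAccessKey"],
                    "aws_session_token": creds["SessionToken"]}
    with open(path, "w") as fh:
        cfg.write(fh)
    return dict(cfg[profile])

# Constructed assertion: one Role attribute listing two assumable roles.
SAMPLE_ASSERTION = base64.b64encode((
    f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>'
    f'<saml:Attribute Name="{ROLE_ATTR}">'
    '<saml:AttributeValue>arn:aws:iam::123456789012:role/gsb-research,'
    'arn:aws:iam::123456789012:saml-provider/stanford</saml:AttributeValue>'
    '<saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/stanford,'
    'arn:aws:iam::123456789012:role/gsb-admin</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
).encode()).decode()
```

A real run would pass `boto3.client("sts")` as `sts` and the base64 SAMLResponse captured from the IdP login as `saml_b64`.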


Question: What do we get back from the IDP?

  • The IDP tells us which roles we can access


We manage the workgroups and the roles.


We can share this code with you!


Auto-Tagging EC2

  • Our researchers might use expensive resources

  • How do we know who spun up what?

    • For administrative management purposes, mainly

  • Tags can be specified from the CLI

  • Researchers might not tag things

  • GorillaStack has a solution

    • Lambda listens to CloudTrail logs to tag resources

    • Very inexpensive

    • Don’t forget to specify this new tag on the cost allocation tag


Can we tag other things too?

  • Not everything can be tagged

  • But if we use SSO, we can at least use



  • Maybe easier to compartmentalize and manage

  • You can pre-allocate resources to users


Transient users are important!


Last questions:

  • AWS Service Catalog

    • Use this to set up the limitations


We know how to set up SSO on websites too!  Ask us if you need help!

