Skip to content

Using aws-sso on remote hosts with SSH

This is intended to show how to use your aws-sso credentials on a remote/bastion host, without requring you to install or configure aws-sso on that host, while maintaining security. Additionally, when you have to authenticate via your SSO provider, that can easily invoke your local web browser without resorting to printing and clicking on URLs.

Overview

Note: Before going any further, this document assumes you have already installed and configured aws-sso on your local system. If not, do that now. :)

Accessing one or more AWS Identity Center based IAM Roles uses the ECS Server running locally and then using ssh to forward the port to the remote host. Security is provided via a bearer token you configure on each side and all traffic is encrypted over ssh.

Note: The root user or anyone with CAP_NET_RAW or CAP_NET_ADMIN will be able to intercept the HTTP traffic on either endpoint and obtain the bearer token and/or any IAM Credentials stored in the ECS Server if you have not enabled SSL.

On your local system

  1. Follow the directions to enable HTTP Authentication and Encryption.
  2. Start the ECS Server:
    1. In a Docker container: aws-sso ecs docker start
    2. Or you can use a screen or tmux session: aws-sso ecs server
  3. Load your selected IAM credentials into the ECS Server:
    aws-sso ecs load --profile=<profile name>
  4. SSH to the remote system using the -R flag to forward tcp/4144:
    ssh -R 4144:localhost:4144 <remotehost>

On your remote system (once you have logged in as described above)

Note: The following commands assume you are using bash. You may have to tweak for other shells.

  1. Tell the AWS SDK how to talk to the ECS Server over SSH:
    export AWS_CONTAINER_CREDENTIALS_FULL_URI=https://localhost:4144/ (or http if you did not enable SSL)
  2. Tell the AWS SDK the bearer token secret from the first step on your local system:
    export AWS_CONTAINER_AUTHORIZATION_TOKEN='Bearer <secret>'
  3. Verify everything works: aws sts get-caller-identity

See the ECS Server documentation for more information about the ECS server and how to use multiple IAM role credentials simultaneously.

Advanced Usage

The above instructions grant any host you ssh to, access to the same AWS IAM Role. But what if you want to access multiple roles?

For each role you'd like to access you will need to do two things:

  1. On your local host, load that role into an individual slot in the ECS Server:
    aws-sso ecs load --slotted --profile <profile name>
  2. On the remote host, specify the correct URL:
    export AWS_CONTAINER_CREDENTIALS_FULL=https://localhost:4144/slot/<profile name>