Show HN: AWS credentials management CLI tool

  • I'm not sure I see the benefit of this over using the built-in functionality of AWS SSO[1] which is built into AWS and integrates with Control Tower.

    If you want to use its internal IdP - you can. If you want to authenticate against GSuite or another SAML provider, you can do that, too.

    [1] https://aws.amazon.com/single-sign-on/

  • In my company everything goes through Active Directory and we use saml2aws [1] to generate credentials with two factor involved. It works quite well for us. We even use this for our artists to create local builds of our games since we keep all important secrets and such in AWS Secrets Manager. We scope access to said secrets with custom roles and tags.

    [1] https://github.com/Versent/saml2aws

  • Why use this over aws-vault?

  • As others have mentioned, there is saml2aws. I make use of this, with aws profiles and with saml2aws configured as a 'credentials provider' in aws. If I have already entered my username, password and MFA code once in a session, all my other profiles become active. I can use `aws --profile eks-dev` for instance to connect to that configured account/role.

    This extends well to my kubeconfig, which makes use of these specified profiles to log in. So I just run saml2aws, and my kubectl contexts also automatically get configured.

  • Nice work, but I think it's a bit late. There are a few competitors that do the same thing. I prefer Leapp (https://github.com/Noovolari/leapp), which expands a bit on aws-vault and saml2aws.

  • This looks cool, I will give it a try.

  • The code is very nicely done. I don't use AWS currently but I starred it on GitHub.

  • I always wonder why people are investing so much energy and time to invent new tools instead of using existing tools that already solve the same issues. Just use ansible for that.