How to get AWS credentials and access keys using the Auth0 SAML identity provider

21 Jan, 2019
Xebia Background Header Wave

Auth0 can be configured as the identity provider for AWS, allowing your Auth0 users
to directly log in to the AWS Console. Unfortunately, the functionality to obtain temporary access keys for calling AWS APIs and resources has been deprecated
since June 8, 2017
. In this blog I will present you a command line utility, that allows you get aws credentials using Auth0.

For this utility to work, I assume you have already integrated Auth0 with AWS as described in the article ‘Configure SSO with the AWS Console’. If you have not done so, you can bootstrap yourself using the sample terraform configuration in this project.

Add the application to Auth0

For the utility to work, add the auth0-login application as a Single Page Application to Auth0, and enable the SAML2 Web App addon. On the Settings tab, set the Application Callback URL to http://localhost:12200/saml and paste the following SAML configuration code into the settings page:

  "recipient": "",
  "audience": "",
  "mappings": {
    "email": "",
    "name": ""
  "createUpnClaim": false,
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": false,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
  "nameIdentifierProbes": [

This is identical to the AWS console configuration, with the exception of the type of application and the additional recipient field. This is to ensure that the
SAML assertion has AWS as the recipient and not the callback <a href="http://localhost:12200/saml">http://localhost:12200/saml</a>.

configure auth0-login

Create a file ~/.saml-login with the following content:

idp_url = https://<auth0-tenant>
client_id = <your-newly-added-client-id>

configure AWS account aliases

Create a file ~/.aws-accounts with the following content:

<aws-account-alias> = <aws-account-number>

This allows you to specify the AWS account by alias, which greatly improves readibility.

Install auth0-login

To install the utility, type:

$ pip install auth0-login

show all available AWS Roles

With the SAML provider, you can be granted multiple IAM roles in AWS. To show all available AWS roles to you, type:

$ saml-login aws-assume-role --show
idp_url =
client_id = fJxw5Ir5E0eJDqdWkh+7VGI577uObvsFlAM0KZL5fI
aws_account = aws-alias
aws_role = OAuthAdministrator
aws_profile = OAuthAdministrator@aws-alias

idp_url =
client_id = fJxw5Ir5E0eJDqdWkh+7VGI577uObvsFlAM0KZL5fI
aws_account = aws-alias
aws_role = OAuthIdentity
aws_profile = OAuthIdentity@aws-alias

This will start the browser for authentication, and output all available roles in the form of the individual sections of the .saml-loginconfiguration
file. Add the desired roles to your ~/.saml-login.

obtaining AWS access keys

Now you can obtain the AWS access keys, by typing:

$ saml-login -c OAuthAdministrator@aws-alias aws-assume-role
INFO:Found credentials in shared credentials file: ~/.aws/credentials
INFO:credentials saved under AWS profile OAuthAdministrator@aws-alias

Again, you will be prompted by the browser for authentication: the access keys are stored in ~/.aws/credentials.


With the command line utility, you can have SSO and get AWS credentials using Auth0 for use in programs and the AWS cli!

You may also like How to limit access to AWS Resources based on SAML Attributes using CloudFormation and How to configure a SAML identity provider to enable SSO in AWS CloudFormation.

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.

Get in touch with us to learn more about the subject and related solutions

Explore related posts