Overview

The Science Cloud uses a centralized Identity and Access Management system. This system provides each user with a single Science Cloud identity for accessing all of their AWS accounts through a single sign-on (SSO) workflow.

Getting Started

...


...

AWS

...

Console Login Experience

...

NASA Users

If you have a NASA identity, once you are notified that your Science Cloud identity is ready, your AWS Console login process will be:

  1. Navigate to the access portal link: http://aws.sciencecloud.nasa.gov/
  2. Log in using your @nasa.gov email address
  3. You will be prompted to authenticate using your PIV credentials via Launchpad
  4. Once authenticated, you'll be redirected to the AWS Access Portal

NASA Collaborators

If you do not have a NASA identity, once you are notified that your Science Cloud identity is ready, your AWS Console login process will be:

  1. Navigate to the access portal link: http://aws.sciencecloud.nasa.gov/
  2. Enter the email address you were invited to the Science Cloud with (this email address is specified in the email sent to you from the Science Cloud ticketing system when you are notified that your Science Cloud identity is ready)
  3. Follow the login prompts
  4. Complete multi-factor authentication (MFA), preferably using Microsoft Authenticator
    • If this is your first time logging in, you'll be guided through setting up MFA. The Science Cloud team supports Microsoft Authenticator on your mobile device for MFA.
  5. Once authenticated, you'll be redirected to the AWS Access Portal

...

After successful authentication, you'll land on the AWS Access Portal - your central hub for accessing AWS resources.

What you'll see:

  • A list of AWS accounts you have permission to access
  • Available roles for each account based on your assigned permissions

How to access your Science Cloud AWS account:

  1. Select the AWS account you want to access
  2. Choose the appropriate role 
  3. Click to launch the AWS Management Console or use programmatic access options


...

Session Duration for Standard Science Cloud Roles

Role                  Session Duration
--------------------  ----------------
Project-Admin         2 Hours
Project-Power-User    8 Hours
Project-Read-Only     12 Hours


...

Programmatic Access to AWS

In addition to using the AWS Management Console through the portal, you can also access AWS programmatically using the AWS CLI and SDKs. There are two main approaches:

Option 1

...

:

...

AWS

...

  • Option 1: Copy and paste the temporary credentials as environment variables
  • Option 2: Add the temporary credentials to your ~/.aws/credentials file
  • Option 3: Use the provided aws configure commands

Note: These credentials are temporary and will need to be refreshed periodically.

...

CLI SSO Integration (Recommended)

For seamless, long-term programmatic access, configure the AWS CLI to work directly with IAM Identity Center:

Initial Setup

Important: Before proceeding, remove any existing aws_access_key_id and aws_secret_access_key entries related to your AWS account from your ~/.aws/credentials file.

Configure SSO Session

  1. Set up the SSO session:
    aws configure sso-session
  2. Enter the required details:
    • SSO session name: memorable-sso-name (choose a memorable name)
    • SSO start URL: https://d-9067c5bbc5.awsapps.com/start/#
    • SSO region: us-east-1
    • SSO registration scopes: sso:account:access

Configure Profiles

You can create profiles for each AWS account/role combination you need to access:

    aws configure sso
Provide the following information:
  • SSO session name: memorable-sso-name (same as above)
  • SSO account ID: The 12-digit AWS account ID
  • SSO role name: The role name you want to assume (e.g., Project-Admin, Project-Power-User, Project-Read-Only)
  • CLI default client Region: us-east-1 (or your preferred region)
  • CLI default output format: json
  • Profile name [default_provided]: (choose a memorable name)

Manual Configuration (Alternative)

You can also manually edit ~/.aws/config:

[sso-session memorable-sso-name]
sso_region = us-east-1
sso_start_url = https://d-9067c5bbc5.awsapps.com/start/#

[profile your-memorable-profile-name-1]
sso_session = memorable-sso-name
sso_account_id = your-AWS-account's-numeric-account-ID
sso_role_name = your-role (e.g. Project-Power-User)
region = us-east-1
output = json

[profile your-memorable-profile-name-2]
sso_session = memorable-sso-name
sso_account_id = your-other-AWS-account's-numeric-account-ID
sso_role_name = your-role (e.g. Project-Read-Only)
region = us-east-1
output = json
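The following pre-flight check is an added example, not part of the Science Cloud documentation or tooling. It covers the two steps above: the Initial Setup requirement to remove leftover static keys from ~/.aws/credentials, and the Manual Configuration requirement that every profile's sso_session refers to a defined [sso-session] block. File paths are passed as parameters, and the sample files are constructed placeholders (no real accounts or keys).

```shell
#!/bin/sh
# Added example: sanity-check ~/.aws/credentials and ~/.aws/config before
# switching the AWS CLI to IAM Identity Center (SSO). Not Science Cloud code.

# Returns 0 when no static aws_access_key_id / aws_secret_access_key entries
# remain in the credentials file, 1 otherwise. A missing file is fine.
check_no_static_keys() {
    creds_file="$1"
    [ -f "$creds_file" ] || return 0
    if grep -Eq '^[[:space:]]*aws_(access_key_id|secret_access_key)[[:space:]]*=' "$creds_file"; then
        echo "static access keys still present in $creds_file; remove them before using SSO" >&2
        return 1
    fi
    return 0
}

# Returns 0 when every sso_session referenced by a profile has a matching
# [sso-session NAME] block in the config file, 1 otherwise.
check_sso_sessions() {
    cfg="$1"
    rc=0
    for sess in $(sed -n 's/^[[:space:]]*sso_session[[:space:]]*=[[:space:]]*//p' "$cfg" | sort -u); do
        if ! grep -Eq "^\[sso-session[[:space:]]+$sess\]" "$cfg"; then
            echo "profile references undefined sso-session '$sess' in $cfg" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files: one credentials file with leftover static keys,
# one clean credentials file, and a config where the second profile has a
# typo in its sso_session name.
SAMPLE_DIR=$(mktemp -d)
printf '[default]\naws_access_key_id = AKIA_PLACEHOLDER\naws_secret_access_key = placeholder\n' \
    > "$SAMPLE_DIR/credentials-stale"
printf '[default]\nregion = us-east-1\n' > "$SAMPLE_DIR/credentials-clean"
printf '[sso-session memorable-sso-name]\nsso_region = us-east-1\nsso_start_url = https://d-9067c5bbc5.awsapps.com/start/#\n\n[profile good]\nsso_session = memorable-sso-name\nsso_account_id = 111111111111\nsso_role_name = Project-Read-Only\n\n[profile bad]\nsso_session = typo-sso-name\nsso_account_id = 111111111111\nsso_role_name = Project-Admin\n' \
    > "$SAMPLE_DIR/config"

# Run the checks against the real files when invoked directly.
check_no_static_keys "$HOME/.aws/credentials"
check_sso_sessions "$HOME/.aws/config" 2>/dev/null || true
```

Run it before `aws sso login`; a non-zero exit from either function means the corresponding step above has not been completed.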

Using SSO-Configured Profiles

...

1. Sign in to SSO:

     aws sso login --profile your-profile-name

   This will open your browser for authentication (same process as the portal login).

2. Run AWS CLI commands:

     aws sts get-caller-identity --profile your-profile-name

   If you do not want to specify --profile your-profile-name for every command:

     export AWS_PROFILE=your-profile-name

3. Sign out when finished:

     aws sso logout

Benefits of AWS CLI SSO Integration

...


Option 2: Temporary Access Keys from the Portal

For quick, short-term programmatic access:

  1. Log in to the AWS Access Portal using the steps above
  2. Select your desired AWS account
  3. Select 'Access keys' next to the role you want to use to access the AWS account
  4. Follow the instructions provided for the access key approach you want to use

...