
Overview
We are migrating from local AWS IAM user accounts to a centralized identity management system. All users will now access their AWS accounts through a new single sign-on (SSO) workflow.
Getting Started
To access your AWS accounts using the new workflow, visit: http://aws.sciencecloud.nasa.gov/
AWS Console Login Experience by User Type
NASA Users
If you have a NASA identity, your login process will be:
- Navigate to the access portal link: http://aws.sciencecloud.nasa.gov/
- You will be prompted to authenticate using your PIV credentials via Launchpad
- Once authenticated, you'll be redirected to the AWS Access Portal
NASA Collaborators
If you do not have a NASA identity, your login process will be:
- Navigate to the access portal link: http://aws.sciencecloud.nasa.gov/
- Enter the email address you were invited to Entra ID with
- Follow login prompts
- Complete multi-factor authentication using Microsoft Authenticator
- If this is your first time logging in, you'll be guided through setting up Microsoft Authenticator on your mobile device
- Once authenticated, you'll be redirected to the AWS Access Portal
AWS Access Portal
After successful authentication, you'll land on the AWS Access Portal - your central hub for accessing AWS resources.
What you'll see:
- A list of AWS accounts you have permission to access
- Available roles for each account based on your assigned permissions
- A clean, organized interface showing all your AWS resources in one place
How to access your Science Cloud AWS account:
- Select the AWS account you want to access
- Choose the appropriate role (if multiple roles are available)
- Click to launch the AWS Management Console or use programmatic access options
Programmatic Access to AWS
In addition to using the AWS Management Console through the portal, you can also access AWS programmatically using the AWS CLI and SDKs. There are two main approaches:
Option 1: Temporary Access Keys from the Portal
For quick, short-term programmatic access:
- Log into the AWS Access Portal using the steps above
- Select your desired AWS account and role
- In the account/role view, click "Command line or programmatic access"
- Choose your preferred option:
  - Option 1: Copy and paste the temporary credentials as environment variables
  - Option 2: Add the temporary credentials to your ~/.aws/credentials file
  - Option 3: Use the provided aws configure commands
Note: These credentials are temporary (typically 1-12 hours) and will need to be refreshed periodically.
Option 2: AWS CLI SSO Integration (Recommended)
For seamless, long-term programmatic access, configure the AWS CLI to work directly with IAM Identity Center:
Initial Setup
Important: Remove any existing aws_access_key_id and aws_secret_access_key from your ~/.aws/credentials file before proceeding.
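One way to check the cleanup step above is a short script. This is an added example, not part of the original guide: the function names and the sample file contents (including the key values) are constructed. It assumes the AWS convention that long-term access key IDs start with AKIA and temporary ones with ASIA.

```python
import configparser
from pathlib import Path

# Constructed sample files (no real keys), shaped like ~/.aws/credentials and ~/.aws/config.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-not-a-real-secret
[dev-account]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-not-a-real-secret
aws_session_token = constructed-token
"""
SAMPLE_CONFIG = """
[sso-session my-org-sso]
sso_region = us-east-1
[profile dev-account]
sso_session = my-org-sso
"""

def _parse(text):
    # RawConfigParser: no '%' interpolation, so secrets containing '%' parse cleanly.
    cp = configparser.RawConfigParser(default_section="__unused__", strict=False)
    cp.read_string(text)
    return cp

def sso_profiles(config_text):
    """Names of config-file profiles that reference an sso_session."""
    cp = _parse(config_text)
    # "profile dev-account" -> "dev-account"; "default" stays "default".
    return {s.split(" ", 1)[-1] for s in cp.sections() if cp.has_option(s, "sso_session")}

def audit_credentials(credentials_text, config_text=""):
    """One finding per credentials-file profile holding key fields; secrets are never returned."""
    cp, sso = _parse(credentials_text), sso_profiles(config_text)
    findings = []
    for s in cp.sections():
        fields = [f for f in ("aws_access_key_id", "aws_secret_access_key") if cp.has_option(s, f)]
        if not fields:
            continue
        key_id = cp.get(s, "aws_access_key_id", fallback="")
        temp = key_id.startswith("ASIA") and cp.has_option(s, "aws_session_token")
        kind = "long-term" if key_id.startswith("AKIA") else "temporary" if temp else "unknown"
        findings.append({"profile": s, "fields": fields, "kind": kind,
                         "same_name_as_sso_profile": s in sso})
    return findings

if __name__ == "__main__":
    aws = Path.home() / ".aws"
    read = lambda p: p.read_text() if p.exists() else ""
    for finding in audit_credentials(read(aws / "credentials"), read(aws / "config")):
        print(finding)
```

Run as a script, it reads your own ~/.aws files and prints only profile names, field names and key type; an empty result means the credentials file holds no key fields.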
Configure SSO Session
- Set up the SSO session:
  aws configure sso-session
- Enter the required details:
  - SSO session name: my-org-sso (choose a memorable name)
  - SSO start URL: http://aws.sciencecloud.nasa.gov/
  - SSO region: us-east-1
  - SSO registration scopes: sso:account:access
Configure Profiles
You can create profiles for each AWS account/role combination you need to access:
aws configure sso
Provide the following information:
- SSO session name: my-org-sso (same as above)
- SSO account ID: The 12-digit AWS account ID
- SSO role name: The role name you want to assume (e.g., Project-Admin, Project-Power-User, Project-Read-Only)
- CLI default client Region: us-east-1 (or your preferred region)
- CLI default output format: json
Manual Configuration (Alternative)
For multiple accounts/roles, you can manually edit ~/.aws/config:
```ini
[sso-session my-org-sso]
sso_region = us-east-1
sso_start_url = $LINK

[profile dev-account]
sso_session = my-org-sso
sso_account_id = 111122223333
sso_role_name = Project-Power-User
region = us-east-1
output = json

[profile prod-account]
sso_session = my-org-sso
sso_account_id = 444455556666
sso_role_name = Project-Read-Only
region = us-east-1
output = json
```
Using SSO-Configured Profiles
- Sign in to SSO:
  aws sso login --profile dev-account
  This will open your browser for authentication (same process as portal login).
- Sign out when finished:
  aws sso logout
Benefits of AWS CLI SSO Integration
- Seamless authentication: Uses the same login process as the web portal
- Automatic token refresh: No need to manually update credentials
- Multiple account support: Easy switching between accounts and roles
- Security: No long-term access keys stored locally