Must move this page to make it public, once it is complete.

Use Case

This document shows how to set up and use the awscli-login tool to retrieve temporary AWS access keys using your Cornell NetID credentials and Duo (i.e., Cornell Two-Step Login). Using temporary access keys associated with an AWS role to authenticate to the AWS Command Line Interface (CLI) is much safer than using fixed AWS access keys tied to an IAM user. Now that this option is available to Cornell AWS users, we recommend that people using the AWS CLI no longer use fixed access keys.

Prerequisites

 

$ python --version
Python 2.7.14
$ python3 --version
-bash: python3: command not found
$ aws --version
aws-cli/1.15.83 Python/2.7.14 Linux/4.14.77-70.59.amzn1.x86_64 botocore/1.10.82

In the above example, Python 2.x is installed, python3 is missing, and the AWS CLI is installed but running on Python 2.x. That's exactly what we don't want.

Installing Python 3.5+

Installing AWS CLI

Use the standard instructions from AWS to install the AWS CLI, but be sure that once you have the AWS CLI installed, it is using Python 3.5+.

Install and Configure awscli-login

 

Don't bother trying to install or use the awscli-login tool until your installed version of the AWS CLI reports that it is using Python 3.5+.
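One way to script that check before installing the plugin (an added example, not part of the original page or the awscli-login project; the function names are hypothetical). It parses the Python/ field of the `aws --version` line and compares major and minor numerically, so 3.10 is not misread as older than 3.5.

```shell
# Added example: gate the awscli-login install on the Python version that
# the AWS CLI itself reports. All function names here are hypothetical.

# Print the "major.minor" Python version found in an `aws --version` line,
# e.g. "aws-cli/1.15.83 Python/2.7.14 Linux/... botocore/1.10.82" -> "2.7".
# Prints nothing when the line has no Python/ field.
awscli_python_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Python/\([0-9][0-9]*\)\.\([0-9][0-9]*\).*|\1.\2|p' |
        head -n 1
}

# Return 0 when the version line reports Python 3.5 or later, 1 otherwise
# (including when no Python version can be parsed from the line).
awscli_python_ok() {
    ver=$(awscli_python_version "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    # Numeric comparison: a string comparison would rank 3.10 below 3.5.
    [ "$major" -gt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -ge 5 ] && return 0
    return 1
}

# Check the CLI that is actually on PATH. Some CLI builds print the version
# line on stderr, so both streams are captured.
# Returns 0 = ready, 1 = wrong Python, 2 = aws not installed.
check_installed_awscli() {
    command -v aws >/dev/null 2>&1 || { echo "aws CLI not found" >&2; return 2; }
    line=$(aws --version 2>&1)
    if awscli_python_ok "$line"; then
        echo "OK: $line"
    else
        echo "AWS CLI is not running on Python 3.5+: $line" >&2
        return 1
    fi
}

# Usage: check_installed_awscli && pip install awscli-login
```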

Using pip

$ pip install awscli-login
...
$ aws configure set plugins.login awscli_login
...
$ aws login configure
ECP Endpoint URL [None]: https://shibidp-test.cit.cornell.edu/idp/profile/SAML2/SOAP/ECP
Username [None]: <YOUR NETID>
Enable Keyring [False]:
Duo Factor [None]:
Role ARN [None]:
$ 

 

 

Using awscli-login