Introduction
Many of us have an Active Directory and you might want to be able to log in to the AWS Console using your Active Directory accounts. This can be done quite easily with AWS’ Active Directory Connector. It has all the bits and pieces you need to get started and it’s quite inexpensive – around $40 per month at the time of writing for the small version, which supports up to 500 users.
Building blocks
I’m assuming you already have an Active Directory in place. In this case I’ve set up an AD on EC2. The AD Connector will then act as a proxy to your AD. It also provides a login page that will authenticate against your AD. You will map AD groups (or users) to IAM roles.
Active Directory
I have created an Active Directory called cristian-contreras.local. For the purpose of this demo it sits on a single Domain Controller on an EC2 instance. It’s pretty much blank apart from the following:
- User ‘Cristian’, which is my demo user that we will log in to the AWS console with.
- A group called ‘EC2ReadOnly’ that the user above is a member of and is what we will map to an IAM role.
- User called ‘DSConnectorService’, which is the user that the AD Connector service will use to connect to the AD. It does not require any special permissions, just a plain user.
AWS AD Connector
The AD Connector is an AWS service that is probably best described by AWS’ own words:
AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud
It also makes it possible to map IAM roles to Active Directory groups (or users) and can even set up a login page for your AD users. Check out the documentation for more details about the service.
Setting it up
I’m assuming you already have an Active Directory. Let’s start with setting things up there. First of all, I’ve created a user for myself called ‘Cristian’ that is a member of a group called ‘EC2ReadOnly’. This is the user that I will use to log in to the AWS Console and the group is what will give it access.
We then need a user that the AD Connector can use to talk to the AD with. This is a plain user, no special permissions required.
We now have everything on the AD side. Before we create the connector, we must make sure that it will be able to talk to our DCs. The AD Connector will have IP addresses in your VPC. I’ve created the following Security Group that my Domain Controller is a member of.
Now we can create the AD Connector. I’m using the small version which supports up to 500 users. If you have a larger AD you can choose the large one which supports up to 5000 users.
You can choose where in the network it should sit. I’m just using the default VPC for this demo.
After a few minutes it will be created. Now you can create the login page. Go into your AD Connector and create an access URL first. You can then enable the AWS Management Console.
You can then create the mapping between your Active Directory groups (or users) and IAM roles. This is how mine looks. It says AD group EC2ReadOnly maps to IAM role EC2ReadOnly.
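Two things in the steps above decide how exposed this setup is: the Security Group that lets the connector reach the Domain Controller, and the IAM role the AD group is mapped to. The script below is an added example (not code from the original post) that checks both against constructed sample input: the port list is assumed from the AWS AD Connector prerequisites, the requirement that the role trust ds.amazonaws.com is assumed from the AWS documentation, and the Security Group and connector addresses are made up for the demo.

```python
import ipaddress

# Ports AD Connector must reach on the domain controllers (assumed here from the
# AWS AD Connector prerequisites): DNS, Kerberos, LDAP over TCP+UDP, SMB over TCP.
REQUIRED_PORTS = {("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88),
                  ("tcp", 389), ("udp", 389), ("tcp", 445)}

def check_dc_security_group(sg, connector_ips):
    """Return (missing, too_open): required ports not reachable from every
    connector IP, and rules that open an AD port to 0.0.0.0/0 or ::/0."""
    ips = [ipaddress.ip_address(ip) for ip in connector_ips]
    reachable = {key: set() for key in REQUIRED_PORTS}
    too_open = set()
    for perm in sg["IpPermissions"]:
        all_traffic = perm["IpProtocol"] == "-1"   # "All traffic" rule, no ports
        lo = 0 if all_traffic else perm["FromPort"]
        hi = 65535 if all_traffic else perm["ToPort"]
        nets = [ipaddress.ip_network(r["CidrIp"]) for r in perm["IpRanges"]]
        for proto, port in REQUIRED_PORTS:
            if (all_traffic or perm["IpProtocol"] == proto) and lo <= port <= hi:
                for net in nets:
                    if net.prefixlen == 0:
                        too_open.add((proto, port, str(net)))
                    reachable[(proto, port)].update(ip for ip in ips if ip in net)
    missing = sorted(k for k, v in reachable.items() if len(v) < len(ips))
    return missing, sorted(too_open)

def role_trusts_directory_service(trust_policy):
    """True if the mapped IAM role lets Directory Service assume it; without
    this the console login fails (requirement assumed from the AWS docs)."""
    for st in trust_policy["Statement"]:
        principal = st.get("Principal", {})
        svc = principal.get("Service", []) if isinstance(principal, dict) else []
        svc = [svc] if isinstance(svc, str) else svc
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Allow" and "sts:AssumeRole" in acts \
                and "ds.amazonaws.com" in svc:
            return True
    return False

# Constructed sample in `aws ec2 describe-security-groups` shape: LDAP/TCP is
# limited to the two connector addresses, but Kerberos/UDP is open to the world.
DC_SG = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
     "IpRanges": [{"CidrIp": "172.31.10.5/32"}, {"CidrIp": "172.31.20.7/32"}]},
    {"IpProtocol": "udp", "FromPort": 88, "ToPort": 88,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
CONNECTOR_IPS = ["172.31.10.5", "172.31.20.7"]   # constructed connector addresses
```

Run against the sample, it reports five required ports the connector cannot reach and the Kerberos rule that is open to the whole internet; a real check would feed it the output of `aws ec2 describe-security-groups` and `aws iam get-role`.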
Putting it to work
Go to the URL you chose, mine is called https://criconmun.awsapps.com/console, and you will get a login prompt. I’m logging in with my user called ‘Cristian’.
You will then be logged in to the AWS Console with the permissions of the role you specified in the AD to IAM role mapping. Note that it says EC2ReadOnly/cristian as the logged in user in the upper right hand corner.
Conclusion
AWS has made it really simple to set this up using the AD Connector. It didn’t take me more than 30 minutes in total. It is also quite affordable: a small connector supporting up to 500 users costs around $40 per month. I think this is quite a reasonable solution for people who only occasionally log in to the AWS Console, maybe also with limited permissions.