I configured federated access to AWS for my team to use Google apps as IdP.
Now I want to enable them to use awscli and generate credentials using saml2aws.
I ran saml2aws configure and entered the right URL, and now I'm able to authenticate when running saml2aws login --role=.... But I constantly get errors such as:

Failed to assume role. Please check whether you are permitted to assume the given role for the AWS service

and:

Error logging into AWS role using SAML assertion.: Error retrieving STS credentials using SAML.: InvalidIdentityToken: Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: <...>; Proxy: null)
status code: 400, request id: <...>

I don't know if I need to configure something different on the AWS or saml2aws side (login from the web UI works perfectly).
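The second error quoted in the question names the SAML provider as the thing STS cannot find, so the first thing worth inspecting is which role/provider ARN pairs the assertion actually carries and whether that provider ARN exists in the target account. The Python script below is an added example, not part of the question and not code from saml2aws or AWS: it decodes a constructed sample SAML Response, extracts every pair from the https://aws.amazon.com/SAML/Attributes/Role attribute (AWS accepts the role and provider ARN in either order), and compares the provider ARNs against a hypothetical set standing in for the output of `aws iam list-saml-providers`. The account ID 123456789012, the role names and the provider names are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample: a minimal SAML Response carrying the AWS Role attribute.
# Account ID, role names and provider names are placeholders, not real values.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{SAML2_NS}">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/DevRole,arn:aws:iam::123456789012:saml-provider/GoogleApps</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/Google,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The IdP posts the Response base64-encoded; encode the sample the same way.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# Hypothetical stand-in for `aws iam list-saml-providers` in the target account.
# Only one of the two provider names used in the sample assertion exists here.
KNOWN_PROVIDER_ARNS = {"arn:aws:iam::123456789012:saml-provider/GoogleApps"}


def extract_role_pairs(saml_response_b64):
    """Return [(role_arn, provider_arn), ...] from the AWS Role attribute."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter(f"{{{SAML2_NS}}}AttributeValue"):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                raise ValueError(f"malformed Role value: {value.text!r}")
            # Classify by ARN resource type rather than by position.
            role = next((p for p in parts if ":role/" in p), None)
            provider = next((p for p in parts if ":saml-provider/" in p), None)
            if role is None or provider is None:
                raise ValueError(f"not a role/provider pair: {value.text!r}")
            pairs.append((role, provider))
    return pairs


def find_unknown_providers(pairs, known_provider_arns):
    """Provider ARNs referenced by the assertion that the account does not have."""
    return sorted({provider for _, provider in pairs if provider not in known_provider_arns})


if __name__ == "__main__":
    pairs = extract_role_pairs(SAMPLE_RESPONSE_B64)
    for role, provider in pairs:
        print(f"role={role}  provider={provider}")
    for arn in find_unknown_providers(pairs, KNOWN_PROVIDER_ARNS):
        print(f"no IAM identity provider with ARN {arn}")
```

To run this against a real login, replace SAMPLE_RESPONSE_B64 with the base64 SAMLResponse value your IdP posts to AWS and KNOWN_PROVIDER_ARNS with the ARNs returned by `aws iam list-saml-providers` in the account that owns the role. A provider ARN reported as unknown, whether because the provider name differs or because the account ID in the ARN is not the account you are signing in to, is the condition that the "Specified provider doesn't exist" message describes.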