Skip to main content


The aws-saml tool can be used in conjunction with the Shibboleth SAML identity provider to retrieve time-limited API keys suitable for commandline use. It interactively prompts you for your password, and if you have multiple roles available, you are prompted if not otherwise specified on the command line. The resulting credentials are normally stored in your standard AWS credential file, but a command line flag can be provided tohave the credentials output to standard output in Bash format for scripting. These credentials normally expire after one hour; by providing therefresh flag to the tool, it will fork into the background and keep the credentials refreshed as long as your login cookie remains valid.


The tool is currently stored at From here, the code can be cloned to your local machine, and installed with the command

$ pip install

from the directory containing


Once installed, basic usage is simple.

$ aws-saml -u your.username

On first usage, you will be prompted for an IDP Entry URL. For SCInet’s Shibboleth server, this is: When prompted for your password, enter your SCInet password. If prompted for a role, enter the number corresponding to the role you’d like to use for this session.

Please choose the role you would like to assume:
[ 0 ]:  arn:aws:iam::123456789012:role/SAML-proj-beta_testers
[ 1 ]:  arn:aws:iam::123456789012:role/SAML-admin
Selection: 1

Full usage documentation

usage: aws-saml [-h] [--username USERNAME] [--prompt-role] [--role ROLE]
                        [--credentials FILE] [--profile PROFILE] [--verbose]
                        [--stdout] [--refresh] [--no-ssl-verify]

Retrieve AWS credentials via SAML.optional arguments:
    -h, --help            show this help message and exit  
    --username USERNAME, -u USERNAME
                            Login username  
    --prompt-role, -R     Prompt for role selection  
    --role ROLE, -r ROLE  Desired role name  
    --credentials FILE, -c FILE
                            Destination file for AWS credentials  
    --profile PROFILE, -p PROFILE
                            AWS credential file profile  
    --verbose, -v  
    --stdout, -s          
                            Print credentials in bash format to standard output  
    --refresh             Fork into the background, keeping token fresh  
    --no-ssl-verify       Disable SSL certificate verification for IDP
(allows self-signed certificates - INSECURE)