Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

GovCloud Support #89

Closed pittjl closed 6 years ago

pittjl commented 6 years ago

Would be great if this worked with us-gov-west-1, which has a different urn (amazon:webservices:govcloud) and uses a different sts endpoint. I tried changing the urn in the ADFS provider and re-building, but I was still directed to the public endpoints and got a role from the public side.

CholtonATX commented 6 years ago

I am wondering if there's any way I can pick your brain @pittjl . I'm trying to get saml2aws to work with our govcloud org without much success. I keep getting stuck on the same error whether I specify role, URN, etc. Working fine with our main AWS org. Our IdP is JumpCloud. Any input would help.

From the error:

Requesting AWS credentials using SAML assertion InvalidIdentityToken: Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException;

mr-brody commented 6 years ago

@CholtonATX, I'm also facing a similar problem and since this issue is closed I've created a new one.

mr-brody commented 6 years ago

Setting an environment variable of export AWS_REGION=us-gov-west-1 worked in my testing, which tells me that the SAML assertion is not being sent to the correct endpoint. I guess I'll need to learn some Go to fix this issue...

mr-brody commented 4 years ago

Update here, I seem to have missed it or it is a newer feature, but you can configure a region flag in the ~/.saml2aws config file. It worked for me using Okta as the idp. Example config below:

[aws-gov]
app_id =
url =
username = mr-brody@somecompany.com
provider = Okta
mfa = Auto
skip_verify = false
timeout = 0
aws_urn = urn:amazon:webservices:govcloud
aws_session_duration = 43200
aws_profile = gov-profile
resource_id =
subdomain =
role_arn =
region = us-gov-west-1
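The thread's root cause is a partition mismatch: a GovCloud SAML assertion (audience urn:amazon:webservices:govcloud) was being posted to the public STS endpoint because no region was set, and setting AWS_REGION or the region key moved the call to the GovCloud STS endpoint. The following Go program is an added example, not code from saml2aws or from anyone in this thread; it models that relationship and checks that a profile's region, aws_urn and role_arn all belong to the same partition, which is the consistency check that would have surfaced the problem before the AuthSamlManifestNotFoundException error. It assumes the two partitions discussed here (aws and aws-us-gov), treats an empty region as the global public endpoint sts.amazonaws.com, and uses a constructed sample role ARN; the type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// PartitionInfo is a hypothetical helper type (not part of saml2aws) holding
// the partition-specific values an IdP, the profile and STS must agree on.
type PartitionInfo struct {
	Partition   string // "aws" or "aws-us-gov"
	STSEndpoint string // STS endpoint the SAML assertion is posted to
	SAMLURN     string // SAML audience the IdP must assert (aws_urn in the profile)
}

// ResolvePartition maps a region to its partition, STS endpoint and SAML audience.
// An empty region is treated as the public global endpoint, which is the
// behaviour the thread observed before the region was set.
// Other partitions (for example aws-cn) are not modelled in this example.
func ResolvePartition(region string) (PartitionInfo, error) {
	region = strings.TrimSpace(region)
	switch {
	case region == "":
		return PartitionInfo{
			Partition:   "aws",
			STSEndpoint: "https://sts.amazonaws.com",
			SAMLURN:     "urn:amazon:webservices",
		}, nil
	case strings.HasPrefix(region, "us-gov-"):
		return PartitionInfo{
			Partition:   "aws-us-gov",
			STSEndpoint: "https://sts." + region + ".amazonaws.com",
			SAMLURN:     "urn:amazon:webservices:govcloud",
		}, nil
	case strings.HasPrefix(region, "cn-"):
		return PartitionInfo{}, fmt.Errorf("region %q is in the aws-cn partition, which this example does not model", region)
	default:
		return PartitionInfo{
			Partition:   "aws",
			STSEndpoint: "https://sts." + region + ".amazonaws.com",
			SAMLURN:     "urn:amazon:webservices",
		}, nil
	}
}

// PartitionOfARN extracts the partition field of an ARN ("arn:<partition>:...").
func PartitionOfARN(arn string) (string, error) {
	parts := strings.SplitN(arn, ":", 3)
	if len(parts) < 3 || parts[0] != "arn" || parts[1] == "" {
		return "", fmt.Errorf("malformed ARN %q", arn)
	}
	return parts[1], nil
}

// CheckProfile verifies that region, aws_urn and role_arn of a saml2aws-style
// profile all belong to the same partition. Empty aws_urn or role_arn are
// skipped; nil means the profile is consistent.
func CheckProfile(region, awsURN, roleARN string) error {
	info, err := ResolvePartition(region)
	if err != nil {
		return err
	}
	if awsURN != "" && awsURN != info.SAMLURN {
		return fmt.Errorf("aws_urn %q does not match partition %s of region %q (expected %q, STS endpoint %s)",
			awsURN, info.Partition, region, info.SAMLURN, info.STSEndpoint)
	}
	if roleARN != "" {
		p, err := PartitionOfARN(roleARN)
		if err != nil {
			return err
		}
		if p != info.Partition {
			return fmt.Errorf("role_arn partition %q does not match region %q (partition %s)", p, region, info.Partition)
		}
	}
	return nil
}

func main() {
	// Constructed sample role ARN; the account id is a placeholder.
	govRole := "arn:aws-us-gov:iam::123456789012:role/gov-profile"

	// The working configuration from the thread: region set to us-gov-west-1.
	fmt.Println("gov profile with region:", CheckProfile("us-gov-west-1", "urn:amazon:webservices:govcloud", govRole))

	// The failing situation: GovCloud URN but no region, so the assertion
	// would be posted to the public STS endpoint.
	fmt.Println("gov profile without region:", CheckProfile("", "urn:amazon:webservices:govcloud", govRole))
}
```

Running the program prints `<nil>` for the first profile and a mismatch error for the second; the same check can be applied to the role_arn alone, since a commercial-partition role ARN paired with a GovCloud region would also be rejected.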