Back to list of posts

VT SAML/AWS Integration with Terraform

Posted Aug 9, 2021 by Michael Irwin

If you have a Virginia Tech AWS account, you’ll realize there isn’t much pre-configured on the account (we’re working to change that though). To ensure proper security of the account, you should leverage the VT Login system! Why?

  • No local accounts means no credentials to be compromised
  • Easier on-boarding! Simply add new people to the appropriate ED groups and they have access to the cloud accounts
  • Accounts are tied to the VT account lifecycle. If someone leaves your team, you know their access to the cloud accounts has also been revoked

Some Prerequisites

The only requirement is to create ED groups for the various accounts/roles you want. A couple of things to keep in mind regarding your groups:

  • The ED group and AWS role will exactly match. If you have a group named that you want to use, your AWS role will use the same name.
  • The same ED group can be used for multiple accounts. But, you can’t use the same ED group for multiple roles in the same account.
  • It might be wise to include a reference to the account name in the group, letting you create roles per account. For example, might indicate admins of the 123456789012 account. Since the numbers are often hard to remember, you can also use an account alias (such as
  • Nested groups are not currently flattened through the SAML process. While the ED allows groups to be members of other groups, members of the children groups are not exposed as members of the parent group in the SAML flow. You will need to explicitly add children group members to the parent group (or use the Terraform provider which we’ll write about soon)

Defining the SAML Provider and Roles

To make things easier, we have create a AWS VT Auth Integration Terraform module that will create the provider and the appropriate roles in your account. To use it, simply add the module to your Terraform code.

module "vt_auth" {
  source = ""

  roles = {
    admin = ""

This will create the following:

  • The SAML Identify Provider with all of the necessary metadata for VT Login
  • An IAM role named

The Terraform module provides all of the roles as module outputs, letting you easily attach policies on what that role can do. The roles are referenced using the keys listed in the roles map. As an example, we are going to give the admin role listed above the AWS-managed AdministratorAccess policy. You are welcome to create your own policies and attach them as you see fit.

resource "aws_iam_role_policy_attachment" "sample_attachment" {
  role = module.vt_auth.roles["admin"].name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"

Final Configuration and Access

Once the roles are defined, you need to notify Middleware of the account/roles being used. They will then perform the necessary configuration to ensure you can use the ED groups. Instructions to notify Middleware can be found here.

Afterwards, you can login using the following link. You’ll be presented with a page letting you choose the role you wish to assume:

AWS SAML Login page showing several roles the user can assume across various accounts

AWS SAML Login page showing several roles the user can assume across various accounts

Next Steps

Now that you have SAML-based auth on your AWS account, how do you configure your local AWS client? Hold tight, as another blog post is coming about that!