Fun fact: In the AWS Console, you can set up SAML for users to log in. Instead of logging in as a specific IAM User, they are "logged in" to a specific IAM Role. You could almost say that their SAML login is "bound" to that IAM Role.

It is also possible for the IdP to tell AWS that this user is eligible to "bind" to multiple IAM Roles; the user selects which role to bind to after authenticating with the IdP. CloudTrail logs will include the IAM Role, and the identifier of the individual bound to that role. So if you already have a SAML IdP, you might not need a separate authority (like a Vault installation) to give temporary credentials to people.

The only annoying thing is that the SAML login to the AWS Console is _not_ SP-initiated; it is IdP-initiated. It is more formally known as an Unsolicited SSO (in that the SP is suddenly getting a SAML assertion it did not ask for). So you have to know the correct way to initiate this on your IdP. In our case, browsing to https://aws-console-idg.stanford.edu redirects you to https://idp.stanford.edu/idp/profile/SAML2/Unsolicited/SSO?p..., which starts the Unsolicited SSO.

You also need to configure your IdP to include some AWS-specific SAML attributes in the response, telling AWS what role(s) the user is allowed to use. This can be annoying, but in our case the group managing the IdP simply scripted it, so adding a new IAM Role is not a big hassle.

Information on how to configure this—for both the AWS side and the IdP side—is available at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_pr...

We've been using SAML to log in to AWS for the better part of a year now and it's been pretty good for us.

When logging in, you assume a role (sts:AssumeRoleWithSAML). I'm surprised you did not mention the worst part: logging in to the CLI with this. You have to manually input the returned SAML assertion to the AWS CLI[1], but luckily there is a tool called saml2aws[2] that does this with the majority of identity providers.

saml2aws sadly didn't have proper support for assuming many roles at once, so we even ended up writing our own tool for this.

This is something AWS has completely ignored so far and I am not aware of any progress towards a better CLI experience.

[1]: https://aws.amazon.com/premiumsupport/knowledge-center/aws-c...

[2]: https://github.com/Versent/saml2aws
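To tie the two comments together, here is an added example (my own code, not the commenters' tooling and not saml2aws): a constructed, unsigned SAMLResponse carrying the two AWS-specific attributes the first comment refers to (`https://aws.amazon.com/SAML/Attributes/Role`, one value per role the user may bind to, and `https://aws.amazon.com/SAML/Attributes/RoleSessionName`), a parser that lists the roles the IdP offers, and the `sts:AssumeRoleWithSAML` call the second comment describes, rendered as a `~/.aws/credentials` profile. The account ID `123456789012`, the `ExampleIdP` provider, the `ReadOnly`/`Admin` roles and the subject `alice@example.edu` are all made up; a real response from the IdP is signed, and STS checks that signature against the certificate registered on the IAM identity provider, so nothing here validates the assertion itself.

```python
import argparse
import base64
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# SAML 2.0 namespaces and the two attribute names AWS expects in the assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample (made-up account, IdP and roles): what the IdP's
# SAMLResponse looks like once it has been configured to emit the AWS
# attributes. Unsigned; a real one carries an XML signature checked by STS.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.edu</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ExampleIdP,arn:aws:iam::123456789012:role/Admin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

RolePair = Tuple[str, str]  # (role_arn, principal_arn)


def parse_aws_roles(saml_response_b64: str) -> Tuple[List[RolePair], Optional[str]]:
    """Extract the (role, principal) pairs and the RoleSessionName from a SAMLResponse.

    Each Role value is "role ARN,provider ARN"; this parser tolerates the two in
    either order and tells them apart by resource type rather than position.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles: List[RolePair] = []
    session_name: Optional[str] = None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        if attr.get("Name") == ROLE_ATTR:
            for value in values:
                parts = [p.strip() for p in value.split(",")]
                role = next((p for p in parts if ":role/" in p), None)
                principal = next((p for p in parts if ":saml-provider/" in p), None)
                if len(parts) != 2 or role is None or principal is None:
                    raise ValueError(f"malformed Role attribute value: {value!r}")
                roles.append((role, principal))
        elif attr.get("Name") == SESSION_NAME_ATTR and values:
            session_name = values[0]
    if not roles:
        raise ValueError("assertion carries no AWS Role attribute")
    return roles, session_name


def choose_role(roles: List[RolePair], wanted: Optional[str] = None) -> RolePair:
    """Pick the role to bind to: the one named by `wanted`, or the only one offered."""
    if wanted is not None:
        for pair in roles:
            if pair[0] == wanted:
                return pair
        raise ValueError(f"{wanted} is not among the roles the IdP offered")
    if len(roles) != 1:
        raise ValueError("IdP offered several roles; choose one explicitly")
    return roles[0]


def assume_role_with_saml(saml_response_b64: str, role_arn: str, principal_arn: str,
                          duration: int = 3600) -> dict:
    """Exchange the assertion for temporary credentials (needs boto3 and network)."""
    import boto3  # imported here so the parsing above runs without boto3 installed
    sts = boto3.client("sts")  # the call is unsigned: no existing AWS credentials needed
    resp = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=principal_arn,
                                     SAMLAssertion=saml_response_b64,
                                     DurationSeconds=duration)
    return resp["Credentials"]


def credentials_profile(creds: dict, profile: str) -> str:
    """Render STS credentials as a section for ~/.aws/credentials."""
    return (f"[{profile}]\n"
            f"aws_access_key_id = {creds['AccessKeyId']}\n"
            f"aws_secret_access_key = {creds['SecretAccessKey']}\n"
            f"aws_session_token = {creds['SessionToken']}\n")


def main(argv=None):
    ap = argparse.ArgumentParser(description="List or assume AWS roles from a SAMLResponse")
    ap.add_argument("--saml-file", help="file holding the base64 SAMLResponse captured from the browser")
    ap.add_argument("--role-arn", help="role to assume when the IdP offers more than one")
    ap.add_argument("--profile", default="saml")
    args = ap.parse_args(argv)
    b64 = open(args.saml_file).read().strip() if args.saml_file else SAMPLE_RESPONSE_B64
    roles, session_name = parse_aws_roles(b64)
    print(f"RoleSessionName (the identity CloudTrail will record): {session_name}")
    for role, principal in roles:
        print(f"  {role}  via  {principal}")
    if args.saml_file:  # only talk to STS when given a real, signed response
        role, principal = choose_role(roles, args.role_arn)
        print(credentials_profile(assume_role_with_saml(b64, role, principal), args.profile))


if __name__ == "__main__":
    main()
```

Run without arguments it only lists the two roles in the built-in sample; with `--saml-file` pointing at a real base64 SAMLResponse (the `SAMLResponse` form field the browser posts to `https://signin.aws.amazon.com/saml`) it calls STS and prints a profile you can paste into `~/.aws/credentials`. The RoleSessionName is what makes the audit trail usable: the temporary credentials act as `arn:aws:sts::123456789012:assumed-role/ReadOnly/alice@example.edu`, so CloudTrail ties each API call to both the role and the person who bound to it.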