
AWS CLI Authentication via JumpCloud

Project: arlyn-docs (ArlynLabs/arlyn-docs)
Date: May 2026


This page explains how to authenticate to AWS from your terminal so you can issue CLI commands. It extends Arlyn's existing JumpCloud → AWS SAML federation — the same identity flow used for console access — to your local machine using a tool called saml2aws.

How It Works

When you click the AWS tile in the JumpCloud portal, JumpCloud issues a SAML assertion that AWS exchanges for a temporary session. saml2aws automates this same flow from the command line:

saml2aws login  →  JumpCloud (SAML assertion)  →  AWS STS  →  ~/.aws/credentials

saml2aws uses your personal JumpCloud credentials to authenticate. Temporary credentials are then written to your local ~/.aws/credentials file and are valid for 6 hours, matching the session duration configured in JumpCloud.

Prerequisites

  • You have been added to a JumpCloud group that grants access to an AWS application tile
  • You have AWS CLI v2 installed (download it from the AWS CLI installation page)

One-Time Setup

1. Install saml2aws

macOS

brew install saml2aws

Linux

# Resolve the latest release tag (e.g. v2.36.17) and strip the leading "v"
CURRENT=$(curl -Ls https://api.github.com/repos/Versent/saml2aws/releases/latest \
  | grep 'tag_name' | cut -d'"' -f4 | sed 's/v//')
# Release assets are named saml2aws_<version>_linux_amd64.tar.gz
curl -Lo saml2aws.tar.gz \
  https://github.com/Versent/saml2aws/releases/download/v${CURRENT}/saml2aws_${CURRENT}_linux_amd64.tar.gz
tar -xzf saml2aws.tar.gz && sudo mv saml2aws /usr/local/bin/

2. Configure saml2aws

Run the following and follow the prompts:

saml2aws configure \
  --url https://sso.jumpcloud.com/saml2/awsconsole

This writes a configuration file to ~/.saml2aws. You only need to do this once per machine.

Daily Usage

Log in

saml2aws login

You will be prompted for your JumpCloud username and password. If your JumpCloud account is mapped to more than one AWS role, you will be presented with a role selection prompt — this mirrors the role picker shown in the browser console flow.

Temporary credentials are written to ~/.aws/credentials under the profile named saml by default.

Run CLI commands

# Use the saml profile explicitly
aws s3 ls --profile saml

# Or set it as the default for your current terminal session
export AWS_PROFILE=saml
aws s3 ls

Re-authenticate

Sessions expire after 6 hours. When you see an ExpiredTokenException error, run saml2aws login again.
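An added helper, not part of this page or of saml2aws itself, that reads the profile saml2aws writes to ~/.aws/credentials and reports whether saml2aws login should run before the next aws command, and whether the file is still private to its owner. It assumes saml2aws records the session expiry under an x_security_token_expires key in the profile; the credential values in the sample are constructed placeholders.

```python
import configparser
import os
import stat
from datetime import datetime, timedelta

PROFILE = "saml"                      # the profile saml2aws writes to by default
LOGIN_MARGIN = timedelta(minutes=5)   # re-login shortly before the 6-hour session ends

# Constructed sample of the ~/.aws/credentials profile written by saml2aws.
# Key and token values are placeholders. x_security_token_expires is assumed to
# be the key under which saml2aws records the session expiry (RFC 3339 timestamp).
SAMPLE_CREDENTIALS = """\
[saml]
aws_access_key_id = ASIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLE_SECRET_PLACEHOLDER
aws_session_token = EXAMPLE_SESSION_TOKEN_PLACEHOLDER
x_principal_arn = arn:aws:sts::123456789012:assumed-role/ExampleRole/user
x_security_token_expires = 2026-05-04T15:30:00+00:00
"""


def session_expiry(credentials_text, profile=PROFILE):
    """Return the profile's expiry as a timezone-aware datetime, or None if unknown."""
    cp = configparser.ConfigParser()
    cp.read_string(credentials_text)
    if not cp.has_option(profile, "x_security_token_expires"):
        return None   # profile missing, or not written by saml2aws
    return datetime.fromisoformat(cp.get(profile, "x_security_token_expires"))


def needs_login(credentials_text, now_iso, profile=PROFILE):
    """True when `saml2aws login` should run before the next aws command."""
    expiry = session_expiry(credentials_text, profile)
    if expiry is None:
        return True
    now = datetime.fromisoformat(now_iso)
    return now >= expiry - LOGIN_MARGIN


def mode_is_private(st_mode):
    """True when the file is readable/writable by its owner only (mode 0600)."""
    return (stat.S_IMODE(st_mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_credentials_file(path, now_iso, profile=PROFILE):
    """Inspect a real credentials file; returns (needs_login, file_is_private)."""
    with open(path) as fh:
        text = fh.read()
    return needs_login(text, now_iso, profile), mode_is_private(os.stat(path).st_mode)
```

Call check_credentials_file(os.path.expanduser("~/.aws/credentials"), datetime.now(timezone.utc).isoformat()) from a wrapper script to decide whether to run saml2aws login first; a non-private mode means other local users could read the session token.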

Troubleshooting

Error | Cause | Fix
ExpiredTokenException or InvalidClientTokenId | Session has expired | Run saml2aws login
AccessDenied | IAM role lacks permission for the action | Contact your administrator
Role not appearing in selection list | Not a member of the relevant JumpCloud group | Contact your administrator to verify group membership
saml2aws: command not found | Binary not on PATH | Verify installation and that /usr/local/bin is in your $PATH