Fork me on GitHub

Access AWS Management Console With Teleport Application Access

AWS IAM Federation using Teleport

AWS IAM Federation using Teleport

Length: 09:16

AWS Management Console Access

Teleport can automatically sign your users into the AWS management console with appropriate IAM roles.

This guide will explain how to:

  • Connect your AWS account(s) to Teleport.
  • Set up example AWS IAM Read Only and Power User roles.
  • Use Teleport's role-based access control with AWS IAM roles.
  • View Teleport users' AWS console activity in CloudTrail.
  • Access the AWS Command Line Interface (CLI) through Teleport.


  • A running Teleport cluster, either self hosted or in Teleport Cloud.
  • A Teleport Node with Application Access enabled. Follow the Getting Started or Connecting Apps guides to get it running.
  • IAM permissions in the AWS account you want to connect.
  • AWS EC2 or other instance where you can assign a IAM Security Role for the Teleport Agent.
  • aws command line interface (CLI) tool in PATH. Installing or updating the latest version of the AWS CLI

If using the Teleport agent deployed in AWS EKS, you cannot use Helm chart annotations to specify the IAM permissions; you must associate the policy with the cluster role for the worker nodes. Otherwise, you will receive "400 Bad Request" errors from AWS.

Step 1. [Optional] Configure Read Only and Power User roles

AWS provides the ReadOnlyAccess and PowerUserAccess IAM policies that can be incorporated into roles. Skip this step if you already have the roles you want to provide access to.


These policies may provide too much or not enough access for your intentions. Validate these meet your expectations if you plan on using them.

Create the example Read Only role

Go to the IAM -> Access Management -> Roles. Press Create Role.

Create Role Step 1

Select the ReadOnlyAccess policy

Press Next and Select the ReadOnlyAccess. Sorting the Policy Name table from Z-A will make it faster to select.

Select Role Step 2

Press next through the tags

Confirm role

Enter a role name and press create role.

Create Role Step 3

Repeat for Power User

Follow the same steps and select PowerUserAccess IAM Policy to create a ExamplePowerUser role.

Step 2. Update IAM role trust relationships


This step is only required if you are allowing access from another account. The trust relationship will already exist for the same account.

Teleport uses AWS federation to generate sign-in URLs for users, which relies on the AssumeRole API for getting temporary security credentials. You will need to update your IAM roles' "Trusted entities" to include your AWS account ID.

Go to the Roles list, pick a role and create the following trust policy for it by clicking on "Edit trust relationship" button on the "Trust relationships" tab:

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:root"
      "Action": "sts:AssumeRole"

See How to use trust policies with IAM roles for more details. After saving the trust policy, the account will show as a trusted entity.

From the EC2 dashboard select Actions -> Security -> Modify IAM Role. AWS trusted entities

Do this for each IAM role your Teleport users will need to assume.

Step 3. Give Teleport permissions to assume roles

Next, create a Role using this IAM policy to allow Teleport to assume IAM roles:

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"

You can make the policy more strict by providing specific IAM role resource ARNs in the Resource field instead of using a wildcard.

Attach this policy to the IAM role/user your Teleport application service agent is using.

AWS Attach Security Role

Step 4. Configure Teleport IAM role mapping

The next step is to give your Teleport users permissions to assume IAM roles.

You can do this by creating a role with the aws_role_arns field listing all IAM role ARNs this particular role permits its users to assume:

kind: role
version: v5
  name: aws-console-access
      '*': '*'
    - arn:aws:iam::1234567890:role/ExamplePowerUser
    - arn:aws:iam::1234567890:role/ExampleReadOnlyAccess

The aws_role_arns field supports template variables so they can be populated dynamically based on your users' identity provider attributes. See Role Templates for details.

Step 5. Register AWS console application in Teleport

Add AWS management console to your application service configuration:

  # Data directory for the Application Proxy service. If running on the same
  # node as Auth/Proxy service, make sure to use different data directories.
  data_dir: /var/lib/teleport-app
  # Instructs the service to load the join token from the specified file
  # during initial registration with the cluster.
  auth_token: /var/lib/teleport-app/token
  # Proxy address to connect to. Note that it has to be the proxy address
  # because the app service always connects to the cluster over a reverse
  # tunnel.
  enabled: "yes"
  - name: "awsconsole"
  # The public AWS Console is used after authenticating the user from Teleport
    uri: ""
  enabled: "no"
  enabled: "no"
  enabled: "no"

Start the application service

sudo teleport start --config=/path/to/teleport.yaml

Note that URI must start with in order to be recognized as an AWS console.

Multiple AWS accounts

If you have multiple AWS accounts and would like to logically separate them in the UI, register an application entry for each and set aws_account_id label to the account ID:

  enabled: "yes"
  - name: "awsconsole-test"
    uri: ""
      aws_account_id: "1234567890"
      env: test
  - name: "awsconsole-prod"
    uri: ""
      aws_account_id: "0987654321"
      env: prod

When showing available IAM roles, Teleport will display only role ARNs that belong to the specific account.

Step 6. Connect to AWS console with assumed IAM role

Navigate to the Applications tab in your Teleport cluster's control panel and click on the Launch button for the AWS console application which will bring up an IAM role selector:

IAM role selector

Click on the role you want to assume and you will get redirected to the AWS management console, signed in with the selected role.

In the console's top-right corner you should see that you're logged in through federated login and the name of your assumed IAM role:

Federated login

Note that your federated login session is marked with your Teleport username.

Session Duration

If the Teleport agent is running with temporary security credentials, the management console session will be limited to a maximum of one hour.

Step 7. Use CloudTrail to see Teleport user activity

To view CloudTrail events for your federated sessions, navigate to the CloudTrail dashboard and go to "Event history".

Each Teleport federated login session uses a Teleport username as the federated username which you can search for to get the events history:


Step 8. Using AWS CLI

Before beginning this step, make sure that the aws command line interface (CLI) tool is installed in PATH. For more information, read Installing or updating the latest version of the AWS CLI.

First, log into the previously configured AWS console app on your desktop:

tsh app login --aws-role ExamplePowerUser awsconsole-test

Logged into AWS app awsconsole-test. Example AWS CLI command:

tsh aws s3 ls

The --aws-role flag allows you to specify the AWS IAM role to assume when accessing AWS API. You can either provide a role name like --aws-role ExamplePowerUser or a full role ARN arn:aws:iam::1234567890:role/ExamplePowerUser

Now you can use the tsh aws command like the native aws command-line tool:

tsh aws s3 ls

To log out of the aws application and remove credentials:

tsh app logout awsconsole-test

Next steps