All posts
September 5, 20252 min read

Integrating AWS CLI with Azure Active Directory for Seamless Multi-Cloud Access Control

The AWS CLI froze, and the team stared at the screen. The issue wasn’t a network hiccup. It was permissions. Azure AD stood in the way, and integration with AWS access control wasn’t playing nice. Connecting AWS CLI with Azure Active Directory Access Control is a problem that shows up in every serious multi-cloud setup. AWS Identity and Access Management (IAM) and Azure AD operate in their own worlds. Getting them to trust each other is what unlocks a seamless workflow for authentication, autho

Free White Paper

Active Directory + AWS Control Tower: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

The AWS CLI froze, and the team stared at the screen. The issue wasn’t a network hiccup. It was permissions. Azure AD stood in the way, and integration with AWS access control wasn’t playing nice.

Connecting AWS CLI with Azure Active Directory Access Control is a problem that shows up in every serious multi-cloud setup. AWS Identity and Access Management (IAM) and Azure AD operate in their own worlds. Getting them to trust each other is what unlocks a seamless workflow for authentication, authorization, and identity federation.

The goal: run AWS CLI commands with identities managed in Azure AD, without juggling temporary tokens or manual credential swaps. The method: combine AWS IAM roles with Azure AD’s OpenID Connect (OIDC) or SAML-based federation. These connections let Azure AD issue the identity, while AWS grants the right permissions automatically at runtime.

The flow is simple once it’s in place:

  1. An Azure AD user logs in with their corporate account.
  2. Azure AD issues a security token using OIDC or SAML.
  3. AWS STS assumes a pre-mapped IAM role based on the Azure-issued identity.
  4. AWS CLI commands run under that IAM role’s permissions without needing static keys.

Setting this up starts with creating an IAM role in AWS, configured for federated access. This role trusts the Azure AD identity provider. Mappings between Azure AD groups and AWS IAM roles ensure different teams receive only what they need.

Continue reading? Get the full guide.

Active Directory + AWS Control Tower: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

On the Azure side, register AWS as an enterprise application. Configure single sign-on with either SAML or OIDC, linking claims like email or groups to IAM role mappings. Passwordless login becomes possible if Azure AD is already linked with a hardware security key or other MFA method.

Finally, configure the AWS CLI to request and cache tokens from Azure AD. This can be scripted with AWS CLI v2 or tools like aws-azure-login. These scripts automate token retrieval and refresh, making the CLI experience smooth and fast.

The payoff is worth it: centralized identity, no long-lived AWS keys to rotate, and consistent logging across platforms. Security teams gain better audit trails. Developers stop wasting time swapping credentials.

Multi-cloud security integration isn’t only about logging in. It’s about trust between identity providers and service stacks. Setting it up once the right way protects every future deployment.

If you want to see AWS CLI and Azure AD access control integration running live in minutes, try it right now with hoop.dev.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts