Home » Appstream 2.0

Tag: Appstream 2.0

AWS AppStream 2.0 Whats New?

AWS AppStream 2.0 Whats New for June 2018?

AWS have updated AppStream 2.0 to introduce some fantastic new features in the May & June 2018 releases.

Google Drive support has been added (selectable at fleet creation). It only supports G-suite enterprise and must be enabled in G-Suite to function, but it also has support for multiple G-Suite domains.

This means clients can avoid the clumsy upload and download of files from the local device to the remote and simply log into Google Drive and have immediate access to their files within the AppStream session.

Screenshot of google drive integration for AWS AppStream 2.0
Google Drive integration for AWS AppStream 2.0




Google Drive integration within AppStream 2.0 session
Google Drive integration within AppStream 2.0 session

Here is a screenshot of the Windows Explorer integration and conveniently shows my free space as approx 8000 Petabytes! Good to know!

Google Drive AppStream 2.0 Windows Explorer integration
Google Drive AppStream 2.0 Windows Explorer integration

Support for Administrative controls have also been added (again selectable at fleet creation). Giving the administrator greater control and flexibility in the solution they deploy to the users for things like local device copy and paste, file upload or download (or upload only or download only or disabled) and local print options.

control clipboard, file transfer and print options for AWS AppStream 2.0
Selective administrative controls for AWS AppStream 2.0

Happy Clouding!

AWS AppStream 2.0 Image Builder X Drive not being created


This month on creation of a new image builder in AWS AppStream we noticed that the AWS AppStream 2.0 Image Builder X Drive was not being created.

The X drive is the temporary drive for uploading and downloading files to and from the AppStream instance, and usually where we house deployment scripts, build scripts, GPOS and installation files.


As of AppStream Image builder version Base-Image-Builder-05-02-2018 this is by design.

You should update any scripts or pointers

from “X:\Temporary Files” drive

to “C:\Users\ImageBuilderAdmin\My Files\Temporary Files”

#aws #appstream2.0


How to find an AWS AppStream 2.0 users homedrive path


AWS AppStream 2.0 generates a SHA-256 hash of the users NameID for their Home Drive – when using SAML (aka Federated) authentication. This can potentially make it difficult to find the users home share if browsing from AWS S3 or for support teams when supporting users or uploading documents to the users ‘home drive’.


In this document is an example of a federated users home drive autocreated in S3 after the user has accessed AppStream 2.0 for the first time.

This script will simply create a function in Windows powershell and allow you to generate the SHA256 hash based on the NameID and so you can discover the users homepath.

Function Get-StringHash([String] $String,$HashName = "MD5")
$StringBuilder = New-Object System.Text.StringBuilder

$myvar = Read-Host –Prompt 'Enter string to hash'
Get-StringHash $myvar "SHA256"


As we know the users NameID being passed into the AppStream session (in this instance its actually my email address)

Enabling SAML Authentication for AWS AppStream 2.0 with OKTA

OKTA – Create Application

Step Description Screenshot
PRQ Generate metadata from Okta
 1 Be sure to be accessing the ‘Classic UI’ and not the developer console

2 Click Add Applications
3 Search for ‘appstream’

Click Add

4 Provide Application label

Click Done

 5 Click Sign On tab
6 Click Identity Provider metadata

Save the metadata file locally (you will upload this to AWS configuration)

AWS – Create SAML Provider

Step Description Screenshot
PRQ Generate metadata from Okta (above steps)
 1 Open AWS Console

Click IAM

2 Click Identity Providers

Click Create Provider

 3 Choose Provider Type: SAML

Give Provider a Name: <Name>

Upload your okta_metadata.xml file

4 Click Create

Note your ProviderARN

5 You will be taken back to the identity providers screen
6 Click on the provider name ‘Okta’

Take note of your Provider ARN

AWS – Create Policy and Role

Step Description Screenshot
7 In IAM Click Policies

Click Create Policy

8 Click Create Your Own Policy
 9 Give your policy a recognisable Name, Description and paste the policy details as provided

This will give users access to all published stacks

You can change the resource from* to your specific stacks like this:

“Resource”: “arn:aws:appstream:REGION-CODE:ACCOUNT-ID-WITHOUT-HYPHENS:stack/STACK-NAME“,

10 Policy Details:

This gives users access to stream AppStream apps and to access all Stacks and resources within.

“Version”: “2012-10-17”,
“Statement”: [
“Effect”: “Allow”,
“Action”: “appstream:Stream”,
“Resource”: “*”,
“Condition”: {
“StringEquals”: {
“appstream:userId”: “${saml:sub}”,
“saml:sub_type”: “persistent”
11 Click Roles

Click Create Role

 12 Click Saml 2.0 federation
13 Select your SAML Provider created previously

Tick ‘Allow programmatic access only’

Type in Attribute ‘SAML:aud’

Value: https://signin.aws.amazon.com/saml

Click Next: Permissions

 14 Select the Previously created AppStream Policy

Click Next: Review

 15 Click Create Role
16 Click onto the Role Name and take note of the ARN


OKTA – Configure Application

Step Description Screenshot
17 Take your ARN from both steps 12 and 22

And combine them separated with a comma

I.e. roleARN,providerARN


For example if your Role ARN is:

arn:aws:iam::123456789012:role/OktaAppStreamUsers and your IDP ARN is arn:aws:iam::123456789012:saml-provider/OKTA, enter (no white spaces):


18 In the Okta Console under your Application

Click the Sign On tab

19 Click Edit
20 Provide the Default Relay State for your appstream sessions


Appstream infrastructure is based in Ireland eu-west-1

AppStream stack is called Appstream

Account id is 123456789123

Our Relay State URL example


See AWS Documentation

21 Provide the Role ARN and Idp ARN


Select Application username format: Okta username

 22 Click Save
 23 Assign this application to your Okta users

Click Assignments Tab

Click Assign to People/groups

Click Assign button against each Okta user you want to have access to this new app.


Okta Guide –


AWS Guide – http://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html#external-identity-providers-grantperms