Calling AWS web services using extracted HTTP auth headers from Web Console session, AWS_ACCESS_KEY_

Time:12-24

So I got into a situation working for a client which, as a security measure, does not provide an AWS_ACCESS_KEY_ID in any way. For development we only have the AWS Web Console available. So I started searching for another way to script (speed up) my dev tasks programmatically.

Note: we cannot use the AWS client without an AWS_ACCESS_KEY_ID and secret.

My assumptions: If the AWS web console can do the same things as the aws cli (e.g. create a bucket, load data into a bucket, etc.), why not use the web console auth mechanism (visible in the HTTP request headers) and bind it to the aws cli (or some other API call code) to make it work even without AWS keys?

Question: Is this possible? For sure I can see the following artifacts in the HTTP headers:

aws-session-token, aws-session-id, awsccc and a dozen others...

My idea is to automate this by:

  1. Go to the web console and log in; have a script that will automatically output the required parameters from the browser session to some text file
  2. Use this extracted information in some dev script

If this is not supported or impossible to achieve with the aws cli, can I use some SDK or raw AWS API calls with the extracted information?

I can extract SAML content which has the above-mentioned aws-creds header; I also see an OAuth client call with the following headers:

https://signin.aws.amazon.com/oauth?
client_id=arn:aws:signin:::console/canvas&
code_challenge=bJNNw87gBewdsKnMCZU1OIKHB733RmD3p8cuhFoz2aw&
code_challenge_method=SHA-256&
response_type=code&
redirect_uri=https://console.aws.amazon.com/console/home?fromtb=true&isauthcode=true&state=hashArgsFromTB_us-east-1_c63b804c7d804573&
X-Amz-Security-Token=hidden content&
X-Amz-Date=20211223T054052Z&
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=ASIAVHC3TML26B76NPS4/20211223/us-east-1/signin/aws4_request&
X-Amz-SignedHeaders=host&
X-Amz-Signature=3142997fe7212f041ef90c1a87288f53cecca9236098653904bab36b17fa53ef

Can I use it with the AWS SDK somehow?
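As an added example (not from the question or either answer), the parser below takes the sign-in URL quoted above and reports what a captured presigned request actually contains: a temporary ASIA key id, a signature bound to the signin service, region and date, and no secret access key, which is why it cannot be handed to an SDK to call S3. The URL copy keeps the page's "hidden content" placeholder for the token; the function names and the `wanted_service` parameter are my own.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the sign-in URL quoted in the question. The token value is the
# page's "hidden content" placeholder, not a real STS token (assumption: nothing else
# in the captured URL was redacted).
CONSOLE_OAUTH_URL = (
    "https://signin.aws.amazon.com/oauth?client_id=arn:aws:signin:::console/canvas&"
    "code_challenge=bJNNw87gBewdsKnMCZU1OIKHB733RmD3p8cuhFoz2aw&code_challenge_method=SHA-256&"
    "response_type=code&redirect_uri=https://console.aws.amazon.com/console/home?fromtb=true&"
    "isauthcode=true&state=hashArgsFromTB_us-east-1_c63b804c7d804573&"
    "X-Amz-Security-Token=hidden content&X-Amz-Date=20211223T054052Z&"
    "X-Amz-Algorithm=AWS4-HMAC-SHA256&"
    "X-Amz-Credential=ASIAVHC3TML26B76NPS4/20211223/us-east-1/signin/aws4_request&"
    "X-Amz-SignedHeaders=host&"
    "X-Amz-Signature=3142997fe7212f041ef90c1a87288f53cecca9236098653904bab36b17fa53ef"
)


def sigv4_query_params(url):
    """Return the X-Amz-* query parameters of a presigned URL as a plain dict."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items() if k.startswith("X-Amz-")}


def credential_scope(credential):
    """Split X-Amz-Credential into the key id and the date/region/service it is bound to."""
    key_id, date, region, service, terminator = credential.split("/")
    if terminator != "aws4_request":
        raise ValueError("not a SigV4 credential scope: " + credential)
    return {"access_key_id": key_id, "date": date, "region": region, "service": service}


def assess_presigned_url(url, wanted_service="s3"):
    """Summarise what a captured presigned URL gives, and does not give, an SDK caller."""
    params = sigv4_query_params(url)
    scope = credential_scope(params["X-Amz-Credential"])
    return {
        **scope,
        # STS-issued temporary keys start with ASIA; long-term IAM user keys start with AKIA.
        "temporary_key": scope["access_key_id"].startswith("ASIA"),
        "signed_headers": params.get("X-Amz-SignedHeaders", "").split(";"),
        # The signature verifies only for this scope and this exact canonical request,
        # so it cannot be attached to a call against another service, region or day.
        "usable_for_wanted_service": scope["service"] == wanted_service,
        # SigV4 sends the key id, token and signature; the secret access key the
        # signature was derived from is never transmitted, so nothing here can sign
        # a fresh request the way the CLI or an SDK would.
        "fields_present": sorted(params),
    }
```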

CodePudding user response:

To reset an S3 bucket to a known state, I would suggest looking at the AWS cli s3 sync command and the -delete switch. Create a "template" bucket with your default contents, then sync that bucket into your Dev Bucket to reset your Dev bucket.

As for your key problems, I would look at IAM Roles rather than trying to hack the console auth.

As to how to run the AWS CLI, you have several options. It can be done from Lambda, ECS (containers running on your own EC2) or an EC2 instance. All 3 allow you to attach an IAM role. That role can have policies attached (for your S3 bucket) - but there is no key to manage.

CodePudding user response:

Thx for the feedback, @MisterSmith! It kinda helped with the follow-up.

I also found a SAML call while analysing the Chrome traffic from the login page to the AWS console, and I found this project: https://github.com/Versent/saml2aws#linux

It extracted all the ~/.aws/credentials variables needed for the aws cli to work.
