Is it possible to open the AWS Management Console website from AWS CLI?

Time:04-06

Let's say I'm logged in to my AWS CLI tool with a particular account and I can execute commands like

aws ecr describe-repositories

Is there an AWS CLI command which opens up the AWS Management Console website in the default browser, already logged in to the same account?

E.g.: something like

aws web

Thanks!

CodePudding user response:

While there is no such command built into the AWS CLI, you can provide users with direct access to the AWS Management Console if they have valid STS session IAM credentials (access and secret keys). You can read about the process of using the getSigninToken action to generate a pre-signed AWS console URL in exchange for your IAM creds here.

The Python code example:

import urllib, json, sys
import requests # 'pip install requests'
import boto3 # AWS SDK for Python (Boto3) 'pip install boto3'

# Step 1: Authenticate user in your own identity system.

# Step 2: Using the access keys for an IAM user in your AWS account,
# call "AssumeRole" to get temporary access keys for the federated user

# Note: Calls to AWS STS AssumeRole must be signed using the access key ID 
# and secret access key of an IAM user or using existing temporary credentials.
# The credentials can be in Amazon EC2 instance metadata, in environment variables, 
# or in a configuration file, and will be discovered automatically by the 
# client('sts') function. For more information, see the Python SDK docs:
# http://boto3.readthedocs.io/en/latest/reference/services/sts.html
# http://boto3.readthedocs.io/en/latest/reference/services/sts.html#STS.Client.assume_role
sts_connection = boto3.client('sts')

assumed_role_object = sts_connection.assume_role(
    RoleArn="arn:aws:iam::account-id:role/ROLE-NAME",
    RoleSessionName="AssumeRoleSession",
)

# Step 3: Format resulting temporary credentials into JSON
url_credentials = {}
url_credentials['sessionId'] = assumed_role_object.get('Credentials').get('AccessKeyId')
url_credentials['sessionKey'] = assumed_role_object.get('Credentials').get('SecretAccessKey')
url_credentials['sessionToken'] = assumed_role_object.get('Credentials').get('SessionToken')
json_string_with_temp_credentials = json.dumps(url_credentials)

# Step 4. Make request to AWS federation endpoint to get sign-in token. Construct the parameter string with
# the sign-in action request, a 12-hour session duration, and the JSON document with temporary credentials 
# as parameters.
request_parameters = "?Action=getSigninToken"
request_parameters += "&SessionDuration=43200"
if sys.version_info[0] < 3:
    def quote_plus_function(s):
        return urllib.quote_plus(s)
else:
    import urllib.parse  # 'import urllib' alone does not load the submodule
    def quote_plus_function(s):
        return urllib.parse.quote_plus(s)
request_parameters += "&Session=" + quote_plus_function(json_string_with_temp_credentials)
request_url = "https://signin.aws.amazon.com/federation" + request_parameters
r = requests.get(request_url)
# Returns a JSON document with a single element named SigninToken.
signin_token = json.loads(r.text)

# Step 5: Create URL where users can use the sign-in token to sign in to 
# the console. This URL must be used within 15 minutes after the
# sign-in token was issued.
request_parameters = "?Action=login"
request_parameters += "&Issuer=Example.org"
request_parameters += "&Destination=" + quote_plus_function("https://console.aws.amazon.com/")
request_parameters += "&SigninToken=" + signin_token["SigninToken"]
request_url = "https://signin.aws.amazon.com/federation" + request_parameters

# Send final URL to stdout
print (request_url)

I've also written an AWS plugin back in the day that does exactly what you need, but it does not work with AWS CLI v2:

https://github.com/b-b3rn4rd/awscli-console-plugin
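
The two URL-building steps from the answer above, written as an added example (not the answer author's or AWS's code) that checks its inputs before any request is made: it refuses long-term IAM user keys, since the federation endpoint needs temporary credentials with a session token, enforces the 900 to 43200 second range for SessionDuration, and limits Destination to console hosts. The function names and the destination allow-list are assumptions made here, and the allow-list covers only the standard console.aws.amazon.com hosts.

```python
import json
from urllib.parse import urlencode, urlsplit

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"  # as used on this page


def signin_token_url(creds, session_duration=None):
    """Build the getSigninToken request URL (hypothetical helper).

    `creds` is the 'Credentials' dict returned by an STS call such as AssumeRole.
    """
    key_id = creds.get("AccessKeyId", "")
    if not creds.get("SecretAccessKey") or not creds.get("SessionToken"):
        raise ValueError("temporary credentials with a session token are required")
    if key_id.startswith("AKIA"):  # AKIA = long-term IAM user key, ASIA = temporary
        raise ValueError("long-term IAM user key; exchange it through STS first")
    params = {"Action": "getSigninToken"}
    if session_duration is not None:
        if not 900 <= session_duration <= 43200:
            raise ValueError("SessionDuration must be 900..43200 seconds")
        params["SessionDuration"] = str(session_duration)
    params["Session"] = json.dumps({
        "sessionId": key_id,
        "sessionKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
    })
    return FEDERATION_ENDPOINT + "?" + urlencode(params)


def console_login_url(signin_token, issuer="Example.org",
                      destination="https://console.aws.amazon.com/"):
    """Build the login URL; Destination must be an HTTPS console host."""
    parts = urlsplit(destination)
    host = parts.hostname or ""
    allowed = (host == "console.aws.amazon.com"
               or host.endswith(".console.aws.amazon.com"))  # assumed allow-list
    if parts.scheme != "https" or not allowed:
        raise ValueError("destination must be an https AWS console URL")
    return FEDERATION_ENDPOINT + "?" + urlencode({
        "Action": "login", "Issuer": issuer,
        "Destination": destination, "SigninToken": signin_token,
    })


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real sign-in token.
    sample = {"AccessKeyId": "ASIAEXAMPLEKEYID0000",
              "SecretAccessKey": "constructed-secret",
              "SessionToken": "constructed-token"}
    print(signin_token_url(sample, 900).split("&Session=")[0])
    print(console_login_url("constructed-signin-token"))
```

Both URLs carry secrets (the session credentials, then the sign-in token), so treat them like credentials and keep them out of logs and shell history.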

CodePudding user response:

This does not exist. Credentials used for AWS CLI and for Console access are different.

For CLI you use Access key and Secret key.

For Console access (through a web browser) you use username and password.

It is possible that in an AWS account you have programmatic access but do not have console access.
