This repo contains code for a replacement AWS login page that provides a facility both to access the AWS web console and to obtain temporary credentials for use with AWS command-line tools.
You might want this if you don't use AWS IAM users but have an AWS SAML SSO set up that provides convenient, secure, role-based interactive access to the AWS web console, and you also want to use command-line tools to interact with your AWS accounts. Without this login page (or an alternative) you won't be able to get credentials to provide to command-line tools.
This login page is only going to be useful if you have one or more AWS accounts, each with one or more roles, accessible via a SAML SSO provider. If you see a screen like the one below when you log in to the AWS web console, this might be useful to you. In fact, this login page provides a replacement for the screen below.
- Package (zip) Lambda files using `make`: `make package-lambda`
- Get credentials for the target AWS account and apply them to the current shell.
- Execute Terraform against the target account using `make`: `make deploy`
  Note: you will be prompted for the value of the master account; enter it when prompted. You will also be prompted to confirm the `apply` command; type "yes" when prompted.
- Update Roles' Trust Permissions
  - Update all Roles' Trust Permissions to include an additional `SAML:aud` value. This value should be the URL endpoint output from the previous step.
  - Note: this may be done as part of landing zone code.
- [Optional] Deploy the `master_account_read_role.yaml` CloudFormation stack into the master account. This enables metadata to be pulled and displayed with the account listings. This step deploys a role that grants users read access to AWS Organizations to pull account names and metadata tags.
  `make add-org-read-role MASTER_ACCOUNT_ID=<MASTER_ACCOUNT_ID> CUSTOM_AUD=<URL OUTPUT FROM DEPLOY STEP>`
- [Optional] Assign the org read role to users within the IdP (e.g. Keycloak) to allow access to account metadata. This can be done manually, or, preferably, using automation via Terraform. The form of the role to assign in the IdP will likely be `<IDP_ARN>,<ROLE_ARN>`.
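The trust-permission step above is the one most often missed: a role whose trust policy only lists the default `https://signin.aws.amazon.com/saml` audience will reject assertions issued for the new endpoint. The following is an added Python example, not part of this project's code, that inspects a trust policy document (the kind IAM returns as a role's assume-role policy), reports which `SAML:aud` values its `sts:AssumeRoleWithSAML` statements accept, and produces a copy with the new endpoint added. The two policies and the `https://login.example.com/saml` endpoint are constructed placeholders; the real value is the URL output by `make deploy`.

```python
"""Check and update the SAML:aud condition on IAM role trust policies.

Added example, not part of this project's code. It works on a trust policy
document held as a dict (e.g. the AssumeRolePolicyDocument returned by
IAM GetRole); the policies and endpoint URL below are constructed samples.
"""
import copy

DEFAULT_AUD = "https://signin.aws.amazon.com/saml"
# Constructed placeholder for the URL endpoint output by `make deploy`.
CUSTOM_AUD = "https://login.example.com/saml"

# Constructed: a trust policy that already lists both audiences.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/ExampleIdP"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": [DEFAULT_AUD, CUSTOM_AUD]}},
    }],
}

# Constructed: a policy that only trusts the default AWS sign-in audience,
# with the value given as a plain string rather than a list.
LEGACY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/ExampleIdP"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": DEFAULT_AUD}},
    }],
}


def _as_list(value):
    """IAM allows a single string wherever a list of values is permitted."""
    return value if isinstance(value, list) else [value]


def _saml_statements(policy):
    """Yield Allow statements that grant sts:AssumeRoleWithSAML."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and \
                "sts:AssumeRoleWithSAML" in _as_list(stmt.get("Action", [])):
            yield stmt


def _aud_entries(stmt):
    """Yield (condition_dict, key) for every SAML:aud condition in a statement.

    Condition keys are case-insensitive. StringEquals (and the
    ForAnyValue:StringEquals set form) are the operators handled here.
    """
    for op, keys in stmt.get("Condition", {}).items():
        if op.split(":")[-1] != "StringEquals":
            continue
        for key in keys:
            if key.lower() == "saml:aud":
                yield keys, key


def saml_audiences(policy):
    """Return the set of audiences the policy accepts.

    A qualifying statement with no SAML:aud condition does not restrict the
    audience at all; that is reported as '*'.
    """
    auds = set()
    for stmt in _saml_statements(policy):
        entries = list(_aud_entries(stmt))
        if not entries:
            auds.add("*")
        for keys, key in entries:
            auds.update(_as_list(keys[key]))
    return auds


def accepts_audience(policy, audience):
    auds = saml_audiences(policy)
    return "*" in auds or audience in auds


def add_audience(policy, audience):
    """Return a copy of the policy with `audience` appended to every SAML:aud
    condition on AssumeRoleWithSAML statements. Statements without the
    condition are left alone, since they already accept any audience."""
    updated = copy.deepcopy(policy)
    for stmt in _saml_statements(updated):
        for keys, key in list(_aud_entries(stmt)):
            values = list(_as_list(keys[key]))
            if audience not in values:
                values.append(audience)
            keys[key] = values
    return updated


if __name__ == "__main__":
    for name, pol in (("sample", SAMPLE_TRUST_POLICY), ("legacy", LEGACY_TRUST_POLICY)):
        print(name, "accepts", CUSTOM_AUD, "->", accepts_audience(pol, CUSTOM_AUD))
    print(sorted(saml_audiences(add_audience(LEGACY_TRUST_POLICY, CUSTOM_AUD))))
```

Run `accepts_audience` over every role that users should reach through the new page before switching the IdP over; `add_audience` only appends, so the default console sign-in audience keeps working alongside the custom endpoint.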
If you have questions about this tool, a suggestion, or find a bug, please Create an Issue.
Once deployed and accessed by a user as part of their login flow, the page retrieves a set of temporary credentials that can be used on the command line to interact with AWS.
- Development
- Beta
- Production/Maintenance
You're looking at it :)
This login page provides an alternative to browser mechanisms ("userscripts") and local scripts to retrieve temporary credentials. Code executes within the user's browser, invoking the AWS API over a secure HTTPS connection when retrieving temporary credentials. If the user chooses to log in to the console, server-side code will be executed that retrieves a web console token. All code executes only when explicitly invoked by the user.
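The account and role listing such a page presents is derived from the `Role` attribute of the SAML assertion, whose values have the `<IDP_ARN>,<ROLE_ARN>` form mentioned in the deployment steps. The following is an added Python example, not code from this project, showing that parsing step on a constructed assertion. It assumes the assertion has already been signature-verified and had its audience and validity window checked, and that each (provider, role) pair is later passed to STS `AssumeRoleWithSAML` as `PrincipalArn` and `RoleArn`.

```python
"""Turn the AWS Role attribute of a SAML assertion into an account/role listing.

Added example, not this project's code. It assumes the assertion XML has
already been signature-checked and its audience and validity window verified;
this only reads the attribute statement. The sample assertion is constructed.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/(.+)$")

# Constructed assertion fragment: two accounts, three roles, one value in the
# reversed (role,provider) order that is also seen in practice, one malformed
# value, and an unrelated attribute that must be ignored.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111111111111:saml-provider/ExampleIdP,arn:aws:iam::111111111111:role/Admin</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/ExampleIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/ExampleIdP,arn:aws:iam::222222222222:role/Developer</saml:AttributeValue>
      <saml:AttributeValue>not-an-arn-pair</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_role_pairs(assertion_xml):
    """Return a list of (provider_arn, role_arn) tuples from the Role attribute.

    Each value is '<IDP_ARN>,<ROLE_ARN>' as assigned in the IdP; the reversed
    order also occurs, so each half is identified by its ARN resource type
    rather than by position. Values that are not a provider/role pair are
    dropped rather than guessed at.
    """
    root = ET.fromstring(assertion_xml)
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                continue
            role = next((p for p in parts if ROLE_ARN.match(p)), None)
            provider = next((p for p in parts if PROVIDER_ARN.match(p)), None)
            if role is None or provider is None:
                continue
            pairs.append((provider, role))
    return pairs


def account_listing(pairs):
    """Group role pairs by the role's account id, the shape a selection page
    needs. Each entry keeps both ARNs because STS AssumeRoleWithSAML takes
    them as PrincipalArn and RoleArn."""
    listing = defaultdict(list)
    for provider, role in pairs:
        account_id, role_name = ROLE_ARN.match(role).groups()
        listing[account_id].append(
            {"role_name": role_name, "role_arn": role, "provider_arn": provider})
    return dict(listing)


if __name__ == "__main__":
    listing = account_listing(parse_role_pairs(SAMPLE_ASSERTION))
    for account, roles in sorted(listing.items()):
        print(account, [r["role_name"] for r in roles])
```

The listing only shows what the IdP asserted; the final authority is the role's trust policy, which STS evaluates (including the `SAML:aud` condition) when the selected pair is exchanged for credentials.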
If you would like to contribute, please see our CONTRIBUTING guidelines.
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.