How to Access the AWS Management Console with Only an Access Key and a Secret Token
If you are working with AWS, you might have encountered a situation where you are given only an access key and a secret token to access the AWS resources. These credentials are usually used to access the AWS Command Line Interface (CLI) or the AWS SDKs, but what if you want to use the AWS Management Console instead? The AWS Management Console is a web-based interface that provides a graphical user interface for managing AWS services. It can be very useful for exploring and experimenting with AWS features, as well as monitoring and troubleshooting your AWS applications.
However, the AWS Management Console requires a user name and password to sign in, which are different from the access key and secret token.
So how can you use the console with only these credentials?
The answer is to use the AWS Security Token Service (AWS STS) to generate a signed URL to the console. This signed URL will allow you to access the console without being prompted for a user name and password. In this article, I will show you how to do that in Python.
Step 1: Install the required packages
To generate a signed URL, we will need to use the AWS SDK for Python (Boto3) and the requests library. You can install them using pip:
pip install boto3 requests
Step 2: Configure your credentials
Before we can use Boto3, we need to configure our credentials. There are several ways to do that, such as using environment variables, configuration files, or passing them directly to the client constructor. For this example, I will use a configuration file named ~/.aws/credentials, which looks like this:
[work]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
The [work] section defines a profile name that we can use to reference these credentials. You can have multiple profiles in this file, each with different credentials.
Step 3: Assume a role
The next step is to assume a role using the AWS STS API. A role is an entity that defines a set of permissions for accessing AWS resources. By assuming a role, you can get temporary credentials that have the permissions of that role. This is a recommended practice for accessing the AWS Management Console programmatically, as it provides more security and flexibility than using long-term credentials of an IAM user.
To assume a role, you need to know the Amazon Resource Name (ARN) of the role and provide a role session name. The ARN is a unique identifier for the role, and the role session name is an arbitrary string that you can use to identify the session. For this example, I will use a role named GMAAutomation, which has an ARN of arn:aws:iam::25773785263:role/GMAAutomation. You can create and manage roles using the IAM console or the IAM API.
To assume the role, we will use the assume_role method of the STS client in Boto3. We will also pass the profile name that we defined in the configuration file as an argument to create the client. The assume_role method will return an object that contains temporary credentials and other metadata.
import boto3  # AWS SDK for Python (Boto3): pip install boto3

# Create an STS client from the 'work' profile in ~/.aws/credentials
sts_client = boto3.Session(profile_name='work').client('sts')

# Assume the role; the response carries temporary credentials under 'Credentials'
assumed_role_object = sts_client.assume_role(
    RoleArn="arn:aws:iam::25773785263:role/GMAAutomation",
    RoleSessionName="AssumeRoleSession",
)
Step 4: Get a sign-in token
The next step is to get a sign-in token from the AWS federation endpoint. The federation endpoint is a web service that allows you to exchange temporary credentials for a sign-in token that can be used to access the console. The sign-in token is valid for up to 12 hours.
To get a sign-in token, we need to make a GET request to the federation endpoint with three parameters:
- Action: The value must be getSigninToken.
- SessionDuration: The duration of the session in seconds, up to 43200 (12 hours).
- Session: A JSON document that contains the temporary credentials that we got from assuming the role.
We will use the requests library to make the request and parse the response as JSON. The response will contain a single element named SigninToken.
import json
import requests

# Pack the temporary credentials into the JSON document the federation endpoint expects
url_credentials = {}
url_credentials['sessionId'] = assumed_role_object.get('Credentials').get('AccessKeyId')
url_credentials['sessionKey'] = assumed_role_object.get('Credentials').get('SecretAccessKey')
url_credentials['sessionToken'] = assumed_role_object.get('Credentials').get('SessionToken')
json_string_with_temp_credentials = json.dumps(url_credentials)

# Build the getSigninToken request; the JSON must be percent-encoded in the query string
request_parameters = "?Action=getSigninToken"
request_parameters += "&SessionDuration=43200"
request_parameters += "&Session=" + requests.utils.quote(json_string_with_temp_credentials)
request_url = "https://signin.aws.amazon.com/federation" + request_parameters

r = requests.get(request_url, timeout=10)
r.raise_for_status()  # fail loudly if the endpoint rejects the temporary credentials
signin_token = r.json()  # {'SigninToken': '...'}
Step 5: Generate a signed URL
The final step is to generate a signed URL to the console using the sign-in token. The signed URL is a web address that contains the sign-in token and other parameters that specify the destination and the issuer of the URL. The signed URL must be used within 15 minutes after the sign-in token was issued.
To generate a signed URL, we need to make another GET request to the federation endpoint with four parameters:
- Action: The value must be login.
- Issuer: An optional parameter that indicates the entity that issued the URL. You can use any value for this parameter, such as your organization name or domain.
- Destination: The URL of the AWS service or resource that you want to access after signing in to the console. For example, if you want to access the EC2 console, you can use https://console.aws.amazon.com/ec2/.
- SigninToken: The sign-in token that we got from the previous step.
We use requests.utils.quote again to encode the destination and assemble the final URL; the GET request itself is made by the browser when the URL is opened. The code looks like this:
request_parameters = "?Action=login"
request_parameters += "&Issuer=Example.org"
request_parameters += "&Destination=" + requests.utils.quote("https://console.aws.amazon.com/")
request_parameters += "&SigninToken=" + signin_token["SigninToken"]
request_url = "https://signin.aws.amazon.com/federation" + request_parameters
print(request_url)
Step 6: Use the signed URL
Now that we have the signed URL, we can use it to access the console.
This will launch the default web browser and open a new tab with the console. You should see something like this:
You can now use the console as if you had signed in with a user name and password. You can switch between different AWS services and regions, and perform various actions on your AWS resources. However, keep in mind that your session will expire after 12 hours, or sooner if you close the browser tab or window. If you want to extend your session, you will need to generate a new signed URL using the same steps as before.
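The whole flow from Steps 3 to 6 as one script, added here as an example rather than code from the original article. It builds both federation URLs with urllib.parse.urlencode (which percent-encodes every parameter, including the JSON session document and the destination) and keeps the URL builders as pure functions so their encoding can be checked without credentials; the profile name and role ARN are the article's example values, and the boto3 and requests imports are deferred so the builders work without the SDK installed.

```python
import json
import webbrowser
from urllib.parse import parse_qs, urlencode, urlparse

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def session_json(credentials):
    """Pack STS temporary credentials into the JSON document the federation endpoint expects."""
    return json.dumps({
        "sessionId": credentials["AccessKeyId"],
        "sessionKey": credentials["SecretAccessKey"],
        "sessionToken": credentials["SessionToken"],
    })


def signin_token_url(credentials, session_duration=43200):
    """Step 4 request URL; urlencode percent-encodes the JSON (quotes, '/', '+' and '=' included)."""
    params = {"Action": "getSigninToken",
              "SessionDuration": str(session_duration),
              "Session": session_json(credentials)}
    return FEDERATION_ENDPOINT + "?" + urlencode(params)


def login_url(signin_token, destination="https://console.aws.amazon.com/", issuer="Example.org"):
    """Step 5 URL; it must be opened within 15 minutes of the sign-in token being issued."""
    params = {"Action": "login", "Issuer": issuer,
              "Destination": destination, "SigninToken": signin_token}
    return FEDERATION_ENDPOINT + "?" + urlencode(params)


def query_params(url):
    """Decode a built URL's query string back into a dict (handy for checking the encoding)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def console_url_for_role(profile, role_arn, session_name="AssumeRoleSession"):
    """Steps 3 to 5 end to end: assume the role, fetch a sign-in token, return the signed URL."""
    import boto3      # imported here so the URL builders above work without the SDK installed
    import requests
    sts = boto3.Session(profile_name=profile).client("sts")
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    resp = requests.get(signin_token_url(creds), timeout=10)
    resp.raise_for_status()  # a 4xx here means the endpoint rejected the temporary credentials
    return login_url(resp.json()["SigninToken"])


if __name__ == "__main__":
    # Profile and role ARN taken from the article's examples; Step 6 opens the URL in the browser
    webbrowser.open(console_url_for_role("work", "arn:aws:iam::25773785263:role/GMAAutomation"))
```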
Conclusion
In this article, I showed you how to access the AWS Management Console with only an access key and a secret token. This is a useful technique for situations where you are given only these credentials and you want to use the console instead of the CLI or SDKs. By using the AWS STS API and the AWS federation endpoint, you can generate a signed URL that will allow you to access the console without being prompted for a user name and password.
I hope you found this article helpful and informative. If you have any questions or feedback, please feel free to leave a comment below. Thank you for reading!