aws-console-plugin

Background

The HashiCorp Vault AWS Secret Engine currently supports the creation of short-lived API keys using the IAM User, AssumeRole or FederationToken methods. However, these API keys cannot be used for AWS Console login, which has to rely on SSO configurations being in place. What if there was a way to generate short-lived AWS Console login access?

This plugin is an updated HashiCorp AWS Secret Engine that will generate an AWS Console login for assumed roles.

This method only works for the AWS STS AssumeRole and GetFederationToken API operations.

For more information on this, see here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html

Getting Started

Assuming that you have an existing Go environment, clone the repository and build the plugin with the make command.

Update the parameters in the Makefile:

    access_key=<AWS_ACCESS_KEY_ID>
    secret_key=<AWS_SECRET_ACCESS_KEY>
    role_arns=<AWS_ROLE_ARN>

These are required by the updated AWS Secret Engine to assume the role correctly. Once parameters are updated:

    make enable

This will mount the secret engine and configure it accordingly. To test the plugin:

    make deploy
    vault write awsnew/sts/deploy ttl=60m
    Key                Value
    ---                -----
    lease_id           awsnew/sts/deploy/AXIopURRZWzOBk1YmWQTa7Lu
    lease_duration     59m59s
    lease_renewable    false
    access_key         ASIAU5RVXXXXXXZYQYBN
    arn                arn:aws:sts::111111111:assumed-role/vault-s3readonly/vault-token-deploy-1643010300-4YGjNyzrzhIxMWl9KrBK
    console_login      https://signin.aws.amazon.com/federation?Action=login&Issuer=Example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=bDs28RNlOWnHwjncvZY_nvyTlFgNqwGM6PREbQOxG-QITf82Z25QFiajOB32E5NsQKfAMK0x16zeVq1vu7xEzgqDBv3XZM57BxsQiXoqs9IovqsYZn7qquPvK-YY2iHtrNH1ZEpgx6ZVeoy3hFD5oXaHTNOD-PiAKef4wNGKcwWYFSwJsWfhu1UXViM1Kfh9-Njpt_4ITljWJW0XYt7ye2M_QWNg1rNvy07LckdgljAYZoc3F_Mi59m_ZGCelP1fDY2PU4RuTppmTfXCaZglpDKpnUxHvM
    secret_key         Zy/34GYYYYYYYYYYYYftmjRzSOKicQ+nwlwdkzTV
    security_token     FwoGZXIvYXdzEFkaDBb8h0Jf+2A7EIfKoSLWAQNW7UHlrVA8FkOZZZZZZZZZZZZHvft7yWZRkrZpbIj1A0sWqm/ldXlfsmXffFh46QVlphJeG03JeOLSwaxyMV+mMsb9K4cf5Ovan9P7gpS8hKk/ZKLIhgXRvrZPZ+W7CiMDNEAa+y+8EmcRVJtCTsaV9RJ4r1uvgLzVHpF7iIgQMsFwLH4rpQD

You will see a new field, console_login. Copy its value into your browser and you should be able to log in to the AWS Console with the corresponding role.
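How a URL of the console_login shape is derived from the access_key, secret_key and security_token fields, following the AWS federation procedure linked above. This is an added example, not the plugin's own code; the function names are hypothetical and all credential values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

const federationEndpoint = "https://signin.aws.amazon.com/federation"

// SigninTokenRequestURL builds the Action=getSigninToken request from the
// access_key, secret_key and security_token fields. durationSec 0 omits
// SessionDuration, which AWS accepts only for AssumeRole* credentials.
func SigninTokenRequestURL(accessKey, secretKey, sessionToken string, durationSec int) (string, error) {
	// Temporary STS keys start with ASIA and always carry a session token.
	if sessionToken == "" || !strings.HasPrefix(accessKey, "ASIA") {
		return "", errors.New("console federation needs temporary STS credentials")
	}
	if durationSec != 0 && (durationSec < 900 || durationSec > 43200) {
		return "", errors.New("SessionDuration must be 900 to 43200 seconds")
	}
	session, err := json.Marshal(map[string]string{
		"sessionId": accessKey, "sessionKey": secretKey, "sessionToken": sessionToken})
	if err != nil {
		return "", err
	}
	q := url.Values{"Action": {"getSigninToken"}, "Session": {string(session)}}
	if durationSec != 0 {
		q.Set("SessionDuration", fmt.Sprint(durationSec))
	}
	return federationEndpoint + "?" + q.Encode(), nil
}

// ConsoleLoginURL wraps the SigninToken returned by that request into an
// Action=login URL of the same shape as the console_login field.
func ConsoleLoginURL(signinToken, issuer, destination string) string {
	q := url.Values{"Action": {"login"}, "Issuer": {issuer},
		"Destination": {destination}, "SigninToken": {signinToken}}
	return federationEndpoint + "?" + q.Encode()
}

func main() {
	// Constructed placeholder values, not real credentials.
	req, err := SigninTokenRequestURL("ASIAEXAMPLEKEY", "example-secret", "example-token", 3600)
	fmt.Println(req, err)
	fmt.Println(ConsoleLoginURL("example-signin-token", "Example.com", "https://console.aws.amazon.com/"))
}
```

The resulting login URL grants console access to whoever holds it, so it should be handled like the secret_key and security_token fields and kept out of logs and chat history.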
