aws-console-plugin

Background

The HashiCorp Vault AWS Secret Engine currently supports the creation of short-lived API keys using the IAM User, AssumeRole or FederationToken methods. However, these API keys cannot be used for AWS Console login, which still relies on an SSO configuration being in place. What if there was a way to generate a short-lived AWS Console login instead?

This plugin is an updated HashiCorp AWS Secret Engine that will generate an AWS Console login for assumed roles.

This method only works for the AWS STS AssumeRole and GetFederationToken API operations.

For more information on how AWS builds a console sign-in URL from temporary credentials, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html

Getting Started

Assuming that you have an existing Go environment, clone the repository and build the plugin with the make command.

Update the parameters in the Makefile:

    access_key=<AWS_ACCESS_KEY_ID>
    secret_key=<AWS_SECRET_ACCESS_KEY>
    role_arns=<AWS_ROLE_ARN>

These are required by the updated AWS Secret Engine to assume the role correctly. Once parameters are updated:

    make enable

This will mount the secret engine and configure it accordingly. To test the plugin:

    make deploy
    vault write awsnew/sts/deploy ttl=60m
    Key                Value
    ---                -----
    lease_id           awsnew/sts/deploy/AXIopURRZWzOBk1YmWQTa7Lu
    lease_duration     59m59s
    lease_renewable    false
    access_key         ASIAU5RVXXXXXXZYQYBN
    arn                arn:aws:sts::111111111:assumed-role/vault-s3readonly/vault-token-deploy-1643010300-4YGjNyzrzhIxMWl9KrBK
    console_login      https://signin.aws.amazon.com/federation?Action=login&Issuer=Example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=bDs28RNlOWnHwjncvZY_nvyTlFgNqwGM6PREbQOxG-QITf82Z25QFiajOB32E5NsQKfAMK0x16zeVq1vu7xEzgqDBv3XZM57BxsQiXoqs9IovqsYZn7qquPvK-YY2iHtrNH1ZEpgx6ZVeoy3hFD5oXaHTNOD-PiAKef4wNGKcwWYFSwJsWfhu1UXViM1Kfh9-Njpt_4ITljWJW0XYt7ye2M_QWNg1rNvy07LckdgljAYZoc3F_Mi59m_ZGCelP1fDY2PU4RuTppmTfXCaZglpDKpnUxHvM
    secret_key         Zy/34GYYYYYYYYYYYYftmjRzSOKicQ+nwlwdkzTV
    security_token     FwoGZXIvYXdzEFkaDBb8h0Jf+2A7EIfKoSLWAQNW7UHlrVA8FkOZZZZZZZZZZZZHvft7yWZRkrZpbIj1A0sWqm/ldXlfsmXffFh46QVlphJeG03JeOLSwaxyMV+mMsb9K4cf5Ovan9P7gpS8hKk/ZKLIhgXRvrZPZ+W7CiMDNEAa+y+8EmcRVJtCTsaV9RJ4r1uvgLzVHpF7iIgQMsFwLH4rpQD

You will see a new field, console_login. Copy this URL into your browser and you should be able to log in to the AWS Console as the corresponding role.
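To show what the console_login value is made of, the following Go program is an added example, not code from aws-console-plugin or from HashiCorp. It walks the three steps of the AWS custom console URL flow linked in the Background section: wrap the STS credentials (the access_key, secret_key and security_token fields above) in a Session JSON document, exchange it for a SigninToken at the federation endpoint, and assemble the Action=login URL. The endpoint, actions and parameter names come from the linked AWS documentation; the STSCredentials type, the function names and the placeholder credential values are this example's own assumptions. The network step needs real credentials, so main only prints the request it would send.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strconv"
)

// AWS sign-in federation endpoint (the host seen in the console_login output).
const federationEndpoint = "https://signin.aws.amazon.com/federation"

// STSCredentials maps onto access_key, secret_key and security_token in the
// Vault output (type name is this example's own).
type STSCredentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
}

// SigninTokenURL builds the Action=getSigninToken request. The Session
// parameter is a JSON document with sessionId/sessionKey/sessionToken.
// SessionDuration (900..43200 s) applies to GetFederationToken credentials;
// AssumeRole credentials keep the role session's duration, so pass 0.
func SigninTokenURL(c STSCredentials, sessionDuration int) (string, error) {
	sess, err := json.Marshal(map[string]string{
		"sessionId":    c.AccessKeyID,
		"sessionKey":   c.SecretAccessKey,
		"sessionToken": c.SessionToken,
	})
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("Action", "getSigninToken")
	if sessionDuration > 0 {
		q.Set("SessionDuration", strconv.Itoa(sessionDuration))
	}
	q.Set("Session", string(sess))
	return federationEndpoint + "?" + q.Encode(), nil
}

// parseSigninTokenResponse extracts SigninToken from the endpoint's JSON reply.
func parseSigninTokenResponse(body []byte) (string, error) {
	var r struct {
		SigninToken string `json:"SigninToken"`
	}
	if err := json.Unmarshal(body, &r); err != nil {
		return "", err
	}
	if r.SigninToken == "" {
		return "", fmt.Errorf("response carried no SigninToken")
	}
	return r.SigninToken, nil
}

// fetchSigninToken performs the network call; it needs valid STS credentials,
// so main below only prints the request it would send.
func fetchSigninToken(client *http.Client, reqURL string) (string, error) {
	resp, err := client.Get(reqURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("getSigninToken returned HTTP %d", resp.StatusCode)
	}
	return parseSigninTokenResponse(body)
}

// LoginURL assembles the Action=login URL a browser opens; this is the shape
// of the console_login value. The token is a bearer credential: anyone holding
// the URL can sign in until it expires.
func LoginURL(signinToken, issuer, destination string) string {
	q := url.Values{}
	q.Set("Action", "login")
	q.Set("Issuer", issuer)
	q.Set("Destination", destination)
	q.Set("SigninToken", signinToken)
	return federationEndpoint + "?" + q.Encode()
}

func main() {
	// Constructed placeholder credentials, not real AWS values.
	creds := STSCredentials{AccessKeyID: "ASIAEXAMPLE", SecretAccessKey: "EXAMPLE-SECRET", SessionToken: "EXAMPLE-TOKEN"}
	req, _ := SigninTokenURL(creds, 0)
	fmt.Println("step 1:", req)
	// step 2 (needs network): token, err := fetchSigninToken(http.DefaultClient, req)
	fmt.Println("step 3:", LoginURL("<token from step 2>", "Example.com", "https://console.aws.amazon.com/"))
}
```

The point worth keeping in mind when operating the plugin: the console_login URL is itself a credential, equivalent to the secret_key and security_token it was derived from, and AWS documents that the sign-in token must be used within 15 minutes. Treat Vault's command output, shell history and any log that captures it with the same care as the API keys themselves.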
