Open janborch opened 5 years ago
Something like this? Looks like it's possible with an example using boto3: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
Thanks @stilvoid works pretty well.
I'm working on a PR for this over at https://github.com/ckabalan/aws-cli/tree/get-signin-url . I have it working with the following documentation. I still need to do quite a bit of code-quality cleanup (error handling, edge cases, tests, line wrapping, etc), but the core functionality is there.
Feedback on the command structure would be great. I plan on submitting a PR for some official feedback in the next few days. I'm interested in the open-browser functionality, but not sure if this violates some of the core design principles of the AWS CLI? Does it do that kind of thing anywhere else? Not that I know of.
NAME
signin -
DESCRIPTION
Generate a sign-in URL for the AWS Management Console using temporary
credentials.
This command MUST be invoked with a profile containing temporary
credentials. The profile may not contain long-term credentials including
aws_access_key_id and aws_secret_access_key.
This command is used to provide AWS Management Console access to a set
of assumed role credentials. A typical workflow allows for an AWS IAM
User without direct console access to assume a role, then run this
signin command to generate a URL allowing sign-in to the AWS Management
Console. Typically this command will be used when an AWS IAM User has
an Access Key and Secret Access Key, no console login password, but
access to assume a role.
The following credential configuration also allows for transparent role
assumption:
[my_user]
aws_access_key_id = AKIAABCDEFGHIJKLMNOP
aws_secret_access_key = ...
[my_role]
role_arn = arn:aws:iam::012345678910:role/my_role
role_session_name = example-session-name
source_profile = my_user
duration_seconds = 43200
Generating a sign-in URL for the AWS Management Console can then be
performed with:
aws --profile my_role signin
For more information on this process, see Enabling custom identity
broker access to the AWS console in the AWS Identity and Access Management
User Guide.
See 'aws help' for descriptions of global parameters.
SYNOPSIS
signin
[--session-duration <value>]
[--destination-url <value>]
[--issuer-url <value>]
[--partition <value>]
OPTIONS
--session-duration (integer)
Specifies the duration of the console session. This is separate from
the duration of the temporary credentials that you specify using the
DurationSeconds parameter of an sts:AssumeRole call. You can specify
a --session-duration maximum value of 43200 (12 hours). If the
--session-duration parameter is missing, then the session defaults
to the duration of the credentials of the profile used for this
command (which defaults to one hour).
See the documentation for the sts:AssumeRole API for details about
how to specify a duration using the DurationSeconds parameter. The
ability to create a console session that is longer than one hour is
intrinsic to the getSigninToken operation of the federation
endpoint.
--destination-url (string)
URL for the desired AWS console page.
To provide this value you will need to set the config option
cli_follow_urlparam to false.
--issuer-url (string)
URL for your internal sign-in page.
To provide this value you will need to set the config option
cli_follow_urlparam to false.
--partition (string)
The AWS partition for the signin URLs.
o AWS = aws.amazon.com
o AWS_US_GOV = amazonaws-us-gov.com
o AWS_CN = amazonaws.cn
See 'aws help' for descriptions of global parameters.
EXAMPLES
To generate an AWS Management Console signin URL with the default
profile:
$ aws signin
To generate an AWS Management Console signin URL with the my_role
profile:
$ aws --profile my_role signin
To go directly to the CloudFormation service page after login:
$ aws signin --destination-url https://console.aws.amazon.com/cloudformation/home
To generate a signin link to AWS GovCloud:
$ aws signin --partition AWS_US_GOV
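The two-step federation flow the help text above describes (getSigninToken with the temporary credentials, then a login URL carrying the returned SigninToken), as an added example that is not code from the PR branch or the AWS CLI. It assumes the "signin." and "console." host prefixes on the partition domains listed above, the 900-second minimum of the federation endpoint, and a pluggable `fetch` so the flow can be exercised without network access; the credentials in the test are constructed.

```python
import json
import urllib.parse
import urllib.request

# Federation and console endpoints per partition. The domains are those listed
# in the help text; the "signin." and "console." host prefixes are assumed.
PARTITIONS = {
    "AWS": ("https://signin.aws.amazon.com/federation", "https://console.aws.amazon.com/"),
    "AWS_US_GOV": ("https://signin.amazonaws-us-gov.com/federation",
                   "https://console.amazonaws-us-gov.com/"),
    "AWS_CN": ("https://signin.amazonaws.cn/federation", "https://console.amazonaws.cn/"),
}
MAX_SESSION_DURATION = 43200  # 12 hours, the federation endpoint's ceiling

def _default_fetch(url):
    # Plain GET; only ever called with a URL built from the PARTITIONS allowlist.
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode("utf-8")

def build_signin_token_url(access_key, secret_key, session_token,
                           partition="AWS", session_duration=None):
    """Step 1: the getSigninToken request carrying the temporary credentials."""
    if not session_token:  # long-term keys have no session token: refuse them
        raise ValueError("temporary credentials with a session token are required")
    if session_duration is not None and not 900 <= session_duration <= MAX_SESSION_DURATION:
        raise ValueError("session duration must be between 900 and 43200 seconds")
    federation_url, _ = PARTITIONS[partition]
    session = json.dumps({"sessionId": access_key, "sessionKey": secret_key,
                          "sessionToken": session_token})
    params = {"Action": "getSigninToken", "Session": session}
    if session_duration is not None:
        params["SessionDuration"] = str(session_duration)
    return federation_url + "?" + urllib.parse.urlencode(params)

def build_login_url(signin_token, partition="AWS", destination_url=None, issuer_url=""):
    """Step 2: the console login URL that embeds the short-lived SigninToken."""
    federation_url, console_url = PARTITIONS[partition]
    params = {"Action": "login", "Issuer": issuer_url,
              "Destination": destination_url or console_url, "SigninToken": signin_token}
    return federation_url + "?" + urllib.parse.urlencode(params)

def console_signin_url(access_key, secret_key, session_token, partition="AWS",
                       session_duration=None, destination_url=None, issuer_url="",
                       fetch=_default_fetch):
    """Whole flow: trade temporary credentials for a SigninToken, then build the login URL."""
    token_url = build_signin_token_url(access_key, secret_key, session_token,
                                       partition, session_duration)
    signin_token = json.loads(fetch(token_url))["SigninToken"]
    return build_login_url(signin_token, partition, destination_url, issuer_url)
```

The returned URL is itself a bearer credential for the console session, so treat it like the temporary keys it was minted from (print it once or hand it straight to a browser, never log it).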
I've done this for AWS SSO specifically with aws-sso-util console. One aspect of it that I'd like to see if it's implemented in the AWS CLI is the ability to package up the set of configuration options into an easily-shareable token (i.e., a token containing configuration, not credentials). This probably only works for AWS SSO configuration, but it makes it easy to provide that to a colleague where it will use their credentials but bring them to a particular console page for a particular account and role.
Here's a stand-alone snippet for Python that works: https://gist.github.com/ottokruse/1c0f79d51cdaf82a3885f9b532df1ce5
Related issue: https://github.com/aws/aws-cli/issues/7547
If anyone wants a Node version, here is mine.
Add a feature to the awscli to generate a federated console login URL: https://signin.aws.amazon.com/federation ?Action=login?XXXXXXX based on the profile passed as a parameter to the awscli. Or even better, generate the URL and open the default OS browser.
Even more interesting with the SSO integration in awscli v2.