27

Last week my company thought it would be a great idea to introduce a new sh*tty internal web portal that gives federated access to aws (instead of using our own accounts to assume dev roles like we used to do).

This broke a lot of sh*t that simply used to ask for an MFA token and used our practically permissionless accounts to assume a proper dev role. An MFA token that we'd enter directly into the terminal/tool. It was very seamless. But nooooooo we now have to go a webpage, login with sso (which also requires mfa), click "generate credentials," copy-paste those into terminal/creds file and _then_ continue our aws cli call. Every. Single. Day.

BUT TODAY I HAD ENOUGH.

I spent the entire day rewriting the auth part of our tools so they would basically read the cookie that's set by the web portal, and use it to call the internal api that generates the credentials, and just automatically save those. Now all we need to do is log into the portal, then return to the tool and voilà, the tool's also got access! Sure, it's not as passive as just entering an MFA token directly, but it's as passive as it gets. Still annoyed by this sh*tty and unnecessary portal, but I learned a thing or two about cookies.

Comments
  • 1
    Cookies... All secure? Otherwise you can have a lot of trouble ahead...
  • 1
    @IntrusionCM What kind of trouble? I'm not copying or saving the cookie, just reading it in memory to make the post request.
  • 2
    @bananaerror https://en.m.wikipedia.org/wiki/...

    I'm not entirely sure if some browser started requiring secure cookies by default or if it was planned.

    Pretty sure Chrome break something at / around v80 with Same Site if I remember correctly
  • 1
    @IntrusionCM Insightful, thanks. Not sure if it's secure, but my requests are all HTTPS. I'll🤞 nothing goes wrong.
  • 1
    1. upgrade to AWS Cli v2
    2. AWS configure SSO
    3. AWS SSO login
    4. pip install aws-export-credentials
    5. aws-export-credentials -exec old-script.sh
    6. profit
  • 1
    Also, make sure all of your AWS SDK dependencies are up to date. Some of the newer versions support the AWS SSO methods natively with no need to used the export credentials hack.
  • 0
    @devphobe I read about aws's native sso support while exploring my options. Using the sso method requires knowledge of app specific ids and "start page" url, which my company would never give out. thanks though. what i have now is good enough.
  • 0
    @bananaerror does your web sign on page have the AWS logo, or your
    Company logo? You don’t need app ids , just the start URL, often whatever you point your browser to.
  • 0
    @devphobe it doesn't have aws's logo, it's got my company's. The start url requires either the alias, or the app id + .awsapps.something ... i tried finding either, looked at all requests, responses, headers ... hoping to find ANYTHING but no, nothing. It must be done server side. I gave up.
Add Comment