Tags: javascript, amazon-web-services, federated-identity, federation

Am I missing steps in setting up my AWS account to successfully perform GetFederationToken?


I'm trying to make a button in an app which automatically logs the user into the AWS console in a browser. When the user clicks the button, it should prepare a token, compose a URL and then open that URL in a new window, which causes the login to happen and leaves the user in the AWS console.

I'm using the AWS Javascript API to accomplish this (https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/top-level-namespace.html).

Specifically, I'm following the "GetFederationToken" steps described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html

And using the sample code here: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/STS.html#getFederationToken-property

I'm using an IAM User to request the token in the first step. This user has the AdministratorAccess policy and I can successfully call the GetFederationToken API. I get back the expected token, secret and access keys.

I then compose the URL:

AWS.config.update({
    accessKeyId: "ACCESS",
    secretAccessKey: "SECRET",
    region: "us-east-1",
    accountID: "123456789" // not an AWS.config key; the SDK ignores it
});
var sts = new AWS.STS();
var params = {
    Name: 'user',
    DurationSeconds: 900,
    // Session policy: the federated user gets the intersection of this and the caller's permissions
    Policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}"
};

var console_url = "https://console.aws.amazon.com/";
var signin_url = "https://signin.aws.amazon.com/federation";
var issuer_url = "https://myCompanyURL.com/";

sts.getFederationToken(params, function(err, data) {
    if (err) {
        console.log(err, err.stack); // an error occurred
    }
    else {
        // Construct the session token
        var sessionTokenJSON = {
            sessionID : data.Credentials.AccessKeyId,
            sessionKey : data.Credentials.SecretAccessKey,
            sessionToken : data.Credentials.SessionToken
        };

        var sessionTokenString = JSON.stringify(sessionTokenJSON);
        var encodedSessionToken = encodeURIComponent(sessionTokenString);

        console.log(sessionTokenString);

        // Get the SignIn Token (synchronous XHR, so the response is available below)
        var signInURL = signin_url + "?Action=getSigninToken&Session=" + encodedSessionToken;

        var xmlHttp = new XMLHttpRequest();
        xmlHttp.open("GET", signInURL, false);
        xmlHttp.send(null);
        var result = xmlHttp.responseText;
        result = JSON.parse(result);

        // Get the login URL
        var encodedIssuer = encodeURIComponent(issuer_url); // computed but never appended to loginURL below
        var encodedDestination = encodeURIComponent(console_url);

        var loginURL = signin_url + "?Action=login&Destination=" + encodedDestination + "&SigninToken=" + result.SigninToken;
        console.log(loginURL);

        // Open the URL
        window.open(loginURL);
    }
});

I've verified that the access key, secret and account ID I am using are valid and correspond to the IAM User I want to use.

I've tried using both the console_url above and the one shown in my AWS Account management section. The URL above produces the error detailed below; the IAM Console login URL from my AWS Account management section returns a 404.

issuer_url and console_url are properly formatted https URLs. They are URI encoded, as described in the instructions, and my resulting URL looks structurally the same as the example on the page linked above.

The new window opens when I invoke the window.open() call, but I always get this response page:

Amazon Web Services Sign In
Some of your credentials are missing. Please contact your administrator.

I'm at a loss for what steps I may have missed or prerequisites I may have overlooked; any suggestions would be greatly appreciated.


Solution

  • The "sessionID" parameter should have been "sessionId". This misnamed variable still passes for getting a token but then the token is malformed.
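As an added example (not code from the original question or answer): the same two federation URLs built with the key names the endpoint actually requires, checked offline against constructed credentials rather than a live GetFederationToken response. The endpoint URL, the Destination and the Issuer values are taken from the question; everything else (the function names, the sample credentials, the key-name check) is assumed for illustration. Two practitioner points belong with it: the long-term IAM user keys needed to call GetFederationToken should never ship in a browser app, least of all keys with AdministratorAccess, so that step belongs on a server that hands only the SigninToken or the finished login URL to the client; and the Policy passed to GetFederationToken only narrows permissions, since the federated user gets the intersection of that policy and the calling user's permissions.

```javascript
// Added example (not from the original question or answer): build the URLs for the
// AWS console federation endpoint with the exact key names it expects.
// Constructed credentials stand in for a real GetFederationToken response so this
// runs offline; the HTTP call to the endpoint is left to the caller.
const SIGNIN_URL = "https://signin.aws.amazon.com/federation";
const REQUIRED_SESSION_KEYS = ["sessionId", "sessionKey", "sessionToken"];

// Map a GetFederationToken response (data.Credentials) onto the session object.
// The endpoint is case-sensitive: a "sessionID" key is ignored and the console
// answers "Some of your credentials are missing".
function buildFederationSession(credentials) {
  const session = {
    sessionId: credentials.AccessKeyId,
    sessionKey: credentials.SecretAccessKey,
    sessionToken: credentials.SessionToken,
  };
  const missing = REQUIRED_SESSION_KEYS.filter((k) => !session[k]);
  if (missing.length) {
    throw new Error("federation session is missing: " + missing.join(", "));
  }
  return session;
}

// Report keys that are spelled wrong (e.g. "sessionID" instead of "sessionId").
// Returns "wrong -> expected" strings; an empty list means the object is well formed.
function findMisnamedSessionKeys(session) {
  const problems = [];
  for (const key of Object.keys(session)) {
    if (REQUIRED_SESSION_KEYS.includes(key)) continue;
    const expected = REQUIRED_SESSION_KEYS.find(
      (k) => k.toLowerCase() === key.toLowerCase()
    );
    problems.push(key + " -> " + (expected || "(unknown key)"));
  }
  return problems;
}

// Step 1 URL: exchange the temporary credentials for a sign-in token.
// SessionDuration is deliberately not set; per the federation endpoint
// documentation it only applies to AssumeRole credentials.
function buildGetSigninTokenUrl(session) {
  const params = new URLSearchParams({
    Action: "getSigninToken",
    Session: JSON.stringify(session),
  });
  return SIGNIN_URL + "?" + params.toString();
}

// Step 2 URL: the link to open in the browser. Destination must be a console URL;
// Issuer is optional and is where the console sends the user when the session expires.
function buildLoginUrl(signinToken, destination, issuer) {
  const params = new URLSearchParams({
    Action: "login",
    Issuer: issuer,
    Destination: destination,
    SigninToken: signinToken,
  });
  return SIGNIN_URL + "?" + params.toString();
}

// Inverse of step 1, used to inspect exactly what the endpoint would receive.
function parseSessionFromUrl(url) {
  return JSON.parse(new URL(url).searchParams.get("Session"));
}

// Constructed sample credentials (not real keys) standing in for data.Credentials.
const SAMPLE_CREDENTIALS = {
  AccessKeyId: "ASIAEXAMPLE1234567",
  SecretAccessKey: "exampleSecretKey",
  SessionToken: "exampleSessionToken",
};

const SAMPLE_SESSION = buildFederationSession(SAMPLE_CREDENTIALS);
const SAMPLE_SIGNIN_TOKEN_URL = buildGetSigninTokenUrl(SAMPLE_SESSION);
// "SAMPLETOKEN" stands in for the SigninToken field of the step 1 response.
const SAMPLE_LOGIN_URL = buildLoginUrl(
  "SAMPLETOKEN",
  "https://console.aws.amazon.com/",
  "https://myCompanyURL.com/"
);

console.log(findMisnamedSessionKeys({ sessionID: "x", sessionKey: "y", sessionToken: "z" }));
console.log(SAMPLE_SIGNIN_TOKEN_URL);
console.log(SAMPLE_LOGIN_URL);
```

URLSearchParams does the percent-encoding that the question did by hand with encodeURIComponent, and parseSessionFromUrl decodes it again so the key names can be checked before anything is sent. In a real deployment the server performs the GET on the step 1 URL, reads SigninToken from the JSON reply, builds the step 2 URL and returns only that URL to the client for window.open.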