Demo

We provide a limited-functionality demo of ConsoleMe at https://demo.consolemeoss.com.

After signing in through Google OAuth, you'll be operating as an administrator, but you'll be unable to write any changes. For example, you'll be unable to mutate permissions, submit policy requests, or modify the dynamic configuration.

You can receive credentials for a few roles after logging in. Note that these roles do not have any permissions.

You can also use these copies of Weep (Win, Linux, Mac) to request and serve credentials locally from the demo site.

The versions of Weep provided above have an embedded configuration pointing to https://demo.consolemeoss.com.

ConsoleMe users can compile Weep with a custom embedded configuration for their environment by following the guidance in Weep's readme.

Exercises

Authenticate to https://demo.consolemeoss.com, and try the exercises below:

Use ConsoleMe to log into the AWS Console

Visit https://demo.consolemeoss.com
Click "Sign-In" next to ConsoleMeUserRoleA
Visit https://demo.consolemeoss.com and click "ConsoleMeUserRoleA" in the Recent Roles view on the top left of the page
Visit https://demo.consolemeoss.com/role/usera to log in to ConsoleMeUserRoleA directly. This works because you only have one eligible role matching the substring usera
Visit https://demo.consolemeoss.com/role/usera?r=eu-west-1. You will be logged in to the eu-west-1 region
Visit https://demo.consolemeoss.com/role/usera?redirect=https://console.aws.amazon.com/dynamodb/home?region=us-east-1 to be taken directly to the DynamoDB console in us-east-1. Try this for other services.

Use ConsoleMe's Policy View to be redirected to a specific resource in the AWS Console

Click "Roles and Policies" followed by "Policies" in ConsoleMe's header

Add a filter to the "Tech" field for "ec2"

Click on one of the resource links.
You should be redirected to a page with an error stating that you're eligible for more than one role on the account and presenting you with a list of roles to select on the resource. Click Sign-In for one of these roles
Voila! You've been taken to the resource or as close to it as we can get. You won't see much in the AWS console due to the limited permissions provided by the role.

Walk through ConsoleMe's Self-Service IAM flow

Click "Roles and Policies" followed by "Self Service Permissions" in ConsoleMe's header

Type the name of a role to request permission changes for. For example, if you started typing consolemeusera, you'd observe typeahead hints for all roles matching your query
Select a role by clicking on the role ARN in the dropdown

Information about the role should appear in the right pane. Observe this information, and then click Next to proceed to Step 2
Add multiple sets of permissions here. Most fields should support typeahead.

The "Other" option in the permissions selection dropdown will allow you to request permissions for different AWS services that we don't have default permission templates for.

Once you're satisfied with your selections, click Next
Now you're at Step 3 of the wizard. Click on the JSON Editor to review the policy that ConsoleMe has generated for your request. Unfortunately, you won't see any auto-generated cross-account resource policies until the Policy Review page.
The next step is to submit your policy for review. As an administrator, you could submit and apply the policy to your resources without approval. In this restricted demo, neither of these buttons will work due to the limited permissions on the role that ConsoleMe is using.

Walk through ConsoleMe's Role Cloning feature

Click "Roles and Policies" followed by "Create Role" in ConsoleMe's header

Click the "Clone Role" radio button
Type "usera" under the source role option. ConsoleMe will provide a typeahead based on the existing roles it knows about.
Under "Account ID", start typing in the name or ID of an account ConsoleMe knows about
Under "Role name", type in the name of the new role you'd like to create
Submit and rejoice as it spectacularly fails because ConsoleMe is operating in read-only mode. Imagine the feeling you would have gotten if that operation succeeded.

Use ConsoleMe's policy editor on a role and resource

Click "Roles and Policies" followed by "Policies" in ConsoleMe's header
Under the "Tech" field, filter for "iam".
Select an IAM role. Observe its inline policies (If the role you selected has any), assume role trust policy, managed policies, tags, and issues.
On the inline policies page, try creating a new inline policy. Select different templates from the dropdown menu.

ConsoleMe's inline policy templates can be customized to fit the needs of your users.

Download Weep. List your eligible roles, and use Weep to serve credentials locally

Download Weep for your platform with an embedded configuration pointing to https://demo.consolemeoss.com : Win, Linux, Mac
Use Weep to list your eligible roles. You'll be required to authenticate to ConsoleMe the first time you do this.

weep list

Write credentials to the ~/.aws/credentials file. Note: This will overwrite your default profile credentials if you have that set.

weep file -p default ConsoleMeAppA
# Confirm credentials were written to in ~/.aws/credentials
aws sts get-caller-identity

Run Weep in ECS Credential Provider mode, and in another shell, retrieve credentials.

Shell 1:

weep ecs_credential_provider

Shell 2:

AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:9091/ecs/consolemeappa \
aws sts get-caller-identity

Export credentials as environment variables to your current shell

eval $(weep export ConsoleMeAppA)

Generate a credential process configuration (Caution: This will mutate your ~/.aws/config file if you've customized it)

weep generate_credential_process_config
# Observe changes to your ~/.aws/config file
cat ~/.aws/config
# Test credential usage with a profile name
AWS_PROFILE=arn:aws:iam::844240725092:role/ConsoleMeAppA aws sts get-caller-identity
# Revert your ~/.aws/config file to its previous state

PreviousRole Creation and Cloning NextQuick Start

Last updated 3 years ago

Was this helpful?