Demo
We provide a limited-functionality demo of ConsoleMe at .
After signing in through Google OAuth, you'll be operating as an administrator, but you'll be unable to write any changes. For example, you'll be unable to mutate permissions, submit policy requests, or modify the dynamic configuration.
You can receive credentials for a few roles after logging in. Note that these roles do not have any permissions.
You can also use these copies of Weep (, , ) to request and serve credentials locally from the demo site.
Authenticate to , and try the exercises below:
Visit
Click "Sign-In" next to ConsoleMeUserRoleA
Visit and click "ConsoleMeUserRoleA" in the Recent Roles view on the top left of the page
Visit to log in to ConsoleMeUserRoleA directly. This works because you only have one eligible role matching the substring usera
Visit . You will be logged in to the eu-west-1 region
Visit to be taken directly to the DynamoDB console in us-east-1. Try this for other services.
Click "Roles and Policies" followed by "Policies" in ConsoleMe's header
Add a filter to the "Tech" field for "ec2"
Click on one of the resource links.
You should be redirected to a page with an error stating that you're eligible for more than one role on the account and presenting you with a list of roles to select on the resource. Click Sign-In for one of these roles
Voila! You've been taken to the resource or as close to it as we can get. You won't see much in the AWS console due to the limited permissions provided by the role.
Click "Roles and Policies" followed by "Self Service Permissions" in ConsoleMe's header
Type the name of a role to request permission changes for. For example, if you started typing consolemeusera, you'd observe typeahead hints for all roles matching your query
Select a role by clicking on the role ARN in the dropdown
Information about the role should appear in the right pane. Observe this information, and then click Next to proceed to Step 2
Add multiple sets of permissions here. Most fields should support typeahead.
Once you're satisfied with your selections, click Next
Now you're at Step 3 of the wizard. Click on the JSON Editor to review the policy that ConsoleMe has generated for your request. Unfortunately, you won't see any auto-generated cross-account resource policies until the Policy Review page.
The next step is to submit your policy for review. As an administrator, you could submit and apply the policy to your resources without approval. In this restricted demo, neither of these buttons will work due to the limited permissions on the role that ConsoleMe is using.
Click "Roles and Policies" followed by "Create Role" in ConsoleMe's header
Click the "Clone Role" radio button
Type "usera" under the source role option. ConsoleMe will provide a typeahead based on the existing roles it knows about.
Under "Account ID", start typing in the name or ID of an account ConsoleMe knows about
Under "Role name", type in the name of the new role you'd like to create
Submit and rejoice as it spectacularly fails because ConsoleMe is operating in read-only mode. Imagine the feeling you would have gotten if that operation succeeded.
Click "Roles and Policies" followed by "Policies" in ConsoleMe's header
Under the "Tech" field, filter for "iam".
Select an IAM role. Observe its inline policies (if the role you selected has any), assume role trust policy, managed policies, tags, and issues.
On the inline policies page, try creating a new inline policy. Select different templates from the dropdown menu.
Use Weep to list your eligible roles. You'll be required to authenticate to ConsoleMe the first time you do this.
Write credentials to the ~/.aws/credentials file. Note: This will overwrite your default profile credentials if you have that set.
Run Weep in ECS Credential Provider mode, and in another shell, retrieve credentials.
Shell 1:
Shell 2:
Export credentials as environment variables to your current shell
Generate a credential process configuration (Caution: This will mutate your ~/.aws/config file if you've customized it)
Download Weep for your platform with an embedded configuration pointing to : , ,
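Two of the Weep exercises above change local files: writing credentials overwrites the default profile in ~/.aws/credentials, and generating a credential process configuration mutates ~/.aws/config. The helpers below are an added example, not part of ConsoleMe or Weep, and can be run first to detect a populated default profile and take owner-only backups; the function names and the backup naming scheme are assumptions.

```bash
# Pre-flight helpers for the Weep exercises that write to ~/.aws (added example).
# All function names here are hypothetical; nothing below calls Weep itself.

# Succeeds (exit 0) if the INI file has a [default] section with at least one key.
has_default_profile() {
  local file="$1"
  [ -f "$file" ] || return 1
  awk '
    /^[ \t]*\[/ { in_default = ($0 ~ /^[ \t]*\[default\][ \t]*$/); next }
    in_default && /^[ \t]*[A-Za-z_][^=]*=/ { found = 1 }
    END { exit !found }
  ' "$file"
}

# Copies the file to <file>.bak.<timestamp>, readable by the owner only,
# and prints the backup path on stdout.
backup_aws_file() {
  local file="$1" backup
  [ -f "$file" ] || return 1
  backup="${file}.bak.$(date +%Y%m%d%H%M%S)"
  ( umask 077; cp -p "$file" "$backup" ) || return 1
  chmod 600 "$backup"
  printf '%s\n' "$backup"
}

# Backs up credentials (only if a default profile would be overwritten) and
# config (if it exists) under the given directory, defaulting to ~/.aws.
weep_preflight() {
  local dir="${1:-$HOME/.aws}"
  if has_default_profile "$dir/credentials"; then
    echo "default profile found in $dir/credentials; it will be overwritten" >&2
    backup_aws_file "$dir/credentials" || return 1
  fi
  if [ -f "$dir/config" ]; then
    backup_aws_file "$dir/config" || return 1
  fi
}
```

Source the file and run `weep_preflight` before the file-writing and credential-process exercises; it prints the path of each backup it creates.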