Demo
Last updated
Was this helpful?
Last updated
Was this helpful?
Was this helpful?
We provide a limited-functionality demo of ConsoleMe at https://demo.consolemeoss.com.
After signing in through Google OAuth, you'll be operating as an administrator, but you'll be unable to write any changes. For example, you'll be unable to mutate permissions, submit policy requests, or modify the dynamic configuration.
You can receive credentials for a few roles after logging in. Note that these roles do not have any permissions.
You can also use these copies of Weep (Win, Linux, Mac) to request and serve credentials locally from the demo site.
Authenticate to https://demo.consolemeoss.com, and try the exercises below:
Click "Sign-In" next to ConsoleMeUserRoleA
Visit https://demo.consolemeoss.com and click "ConsoleMeUserRoleA" in the Recent Roles view on the top left of the page
Visit to log in to ConsoleMeUserRoleA directly. This works because you only have one eligible role matching the substring usera
Visit . You will be logged in to the eu-west-1 region
Visit to be taken directly to the DynamoDB console in us-east-1. Try this for other services.
Click "Roles and Policies" followed by "Policies" in ConsoleMe's header
Add a filter to the "Tech" field for "ec2"
Click on one of the resource links.
You should be redirected to a page with an error stating that you're eligible for more than one role on the account and presenting you with a list of roles to select on the resource. Click Sign-In for one of these roles
Voila! You've been taken to the resource or as close to it as we can get. You won't see much in the AWS console due to the limited permissions provided by the role.
Click "Roles and Policies" followed by "Self Service Permissions" in ConsoleMe's header
Type the name of a role to request permission changes for. For example, if you started typing consolemeusera
, you'd observe typeahead hints for all roles matching your query
Select a role by clicking on the role ARN in the dropdown
Information about the role should appear in the right pane. Observe this information, and then click Next to proceed to Step 2
Add multiple sets of permissions here. Most fields should support typeahead.
Once you're satisfied with your selections, click Next
Now you're at Step 3 of the wizard. Click on the JSON Editor to review the policy that ConsoleMe has generated for your request. Unfortunately, you won't see any auto-generated cross-account resource policies until the Policy Review page.
The next step is to submit your policy for review. As an administrator, you could submit and apply the policy to your resources without approval. In this restricted demo, neither of these buttons will work due to the limited permissions on the role that ConsoleMe is using.
Click "Roles and Policies" followed by "Create Role" in ConsoleMe's header
Click the "Clone Role" radio button
Type "usera" under the source role option. ConsoleMe will provide a typeahead based on the existing roles it knows about.
Under "Account ID", start typing in the name or ID of an account ConsoleMe knows about
Under "Role name", type in the name of the new role you'd like to create
Submit and rejoice as it spectacularly fails because ConsoleMe is operating in read-only mode. Imagine the feeling you would have gotten if that operation succeeded.
Click "Roles and Policies" followed by "Policies" in ConsoleMe's header
Under the "Tech" field, filter for "iam".
Select an IAM role. Observe its inline policies (If the role you selected has any), assume role trust policy, managed policies, tags, and issues.
On the inline policies page, try creating a new inline policy. Select different templates from the dropdown menu.
Download Weep for your platform with an embedded configuration pointing to https://demo.consolemeoss.com : Win, Linux, Mac
Use Weep to list your eligible roles. You'll be required to authenticate to ConsoleMe the first time you do this.
weep list
Write credentials to the ~/.aws/credentials file. Note: This will overwrite your default profile credentials if you have that set.
weep file -p default ConsoleMeAppA
# Confirm credentials were written to in ~/.aws/credentials
aws sts get-caller-identity
Run Weep in ECS Credential Provider mode, and in another shell, retrieve credentials.
Shell 1:
weep ecs_credential_provider
Shell 2:
AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:9091/ecs/consolemeappa \
aws sts get-caller-identity
Export credentials as environment variables to your current shell
eval $(weep export ConsoleMeAppA)
Generate a credential process configuration (Caution: This will mutate your ~/.aws/config file if you've customized it)
weep generate_credential_process_config
# Observe changes to your ~/.aws/config file
cat ~/.aws/config
# Test credential usage with a profile name
AWS_PROFILE=arn:aws:iam::844240725092:role/ConsoleMeAppA aws sts get-caller-identity
# Revert your ~/.aws/config file to its previous state