We provide a limited-functionality demo of ConsoleMe at

After signing in through Google OAuth, you'll be operating as an administrator, but you'll be unable to write any changes. For example, you'll be unable to mutate permissions, submit policy requests, or modify the dynamic configuration.

You can receive credentials for a few roles after logging in. Note that these roles do not have any permissions.

You can also use these copies of Weep (Win, Linux, Mac) to request and serve credentials locally from the demo site.

The versions of Weep provided above have an embedded configuration pointing to

ConsoleMe users can compile Weep with a custom embedded configuration for their environment by following the guidance in Weep's readme.


Authenticate to, and try the exercises below:

Use ConsoleMe to log into the AWS Console

  1. Click "Sign-In" next to ConsoleMeUserRoleA

  2. Visit and click "ConsoleMeUserRoleA" in the Recent Roles view on the top left of the page

  3. Visit to log in to ConsoleMeUserRoleA directly. This works because you only have one eligible role matching the substring usera

  4. Visit You will be logged in to the eu-west-1 region

  5. Visit to be taken directly to the DynamoDB console in us-east-1. Try this for other services.

Use ConsoleMe's Policy View to be redirected to a specific resource in the AWS Console

  1. Click "Roles and Policies" followed by "Policies" in ConsoleMe's header

  1. Add a filter to the "Tech" field for "ec2"

  1. Click on one of the resource links.

  2. You should be redirected to a page with an error stating that you're eligible for more than one role on the account and presenting you with a list of roles to select on the resource. Click Sign-In for one of these roles

  3. Voila! You've been taken to the resource or as close to it as we can get. You won't see much in the AWS console due to the limited permissions provided by the role.

Walk through ConsoleMe's Self-Service IAM flow

  1. Click "Roles and Policies" followed by "Self Service Permissions" in ConsoleMe's header

  1. Type the name of a role to request permission changes for. For example, if you started typing consolemeusera, you'd observe typeahead hints for all roles matching your query

  2. Select a role by clicking on the role ARN in the dropdown

  1. Information about the role should appear in the right pane. Observe this information, and then click Next to proceed to Step 2

  2. Add multiple sets of permissions here. Most fields should support typeahead.

The "Other" option in the permissions selection dropdown will allow you to request permissions for different AWS services that we don't have default permission templates for.

  1. Once you're satisfied with your selections, click Next

  2. Now you're at Step 3 of the wizard. Click on the JSON Editor to review the policy that ConsoleMe has generated for your request. Unfortunately, you won't see any auto-generated cross-account resource policies until the Policy Review page.

  3. The next step is to submit your policy for review. As an administrator, you could submit and apply the policy to your resources without approval. In this restricted demo, neither of these buttons will work due to the limited permissions on the role that ConsoleMe is using.

Walk through ConsoleMe's Role Cloning feature

  1. Click "Roles and Policies" followed by "Create Role" in ConsoleMe's header

  1. Click the "Clone Role" radio button

  2. Type "usera" under the source role option. ConsoleMe will provide a typeahead based on the existing roles it knows about.

  3. Under "Account ID", start typing in the name or ID of an account ConsoleMe knows about

  4. Under "Role name", type in the name of the new role you'd like to create

  5. Submit and rejoice as it spectacularly fails because ConsoleMe is operating in read-only mode. Imagine the feeling you would have gotten if that operation succeeded.

Use ConsoleMe's policy editor on a role and resource

  1. Click "Roles and Policies" followed by "Policies" in ConsoleMe's header

  2. Under the "Tech" field, filter for "iam".

  3. Select an IAM role. Observe its inline policies (If the role you selected has any), assume role trust policy, managed policies, tags, and issues.

  4. On the inline policies page, try creating a new inline policy. Select different templates from the dropdown menu.

ConsoleMe's inline policy templates can be customized to fit the needs of your users.

Download Weep. List your eligible roles, and use Weep to serve credentials locally

  1. Download Weep for your platform with an embedded configuration pointing to : Win, Linux, Mac

  2. Use Weep to list your eligible roles. You'll be required to authenticate to ConsoleMe the first time you do this.

weep list

Write credentials to the ~/.aws/credentials file. Note: This will overwrite your default profile credentials if you have that set.

weep file -p default ConsoleMeAppA
# Confirm credentials were written to in ~/.aws/credentials
aws sts get-caller-identity

Run Weep in ECS Credential Provider mode, and in another shell, retrieve credentials.

Shell 1:

weep ecs_credential_provider

Shell 2:

AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:9091/ecs/consolemeappa \
aws sts get-caller-identity

Export credentials as environment variables to your current shell

eval $(weep export ConsoleMeAppA)

Generate a credential process configuration (Caution: This will mutate your ~/.aws/config file if you've customized it)

weep generate_credential_process_config
# Observe changes to your ~/.aws/config file
cat ~/.aws/config
# Test credential usage with a profile name
AWS_PROFILE=arn:aws:iam::844240725092:role/ConsoleMeAppA aws sts get-caller-identity
# Revert your ~/.aws/config file to its previous state

Last updated