Serve

HTTP server used to retrieve credentials from Weep automatically

Weep supports emulating the EC2 Instance Metadata Service (IMDS) and the ECS credential provider to provide credentials to your AWS SDK. This is the recommended way to use Weep for the best experience.

This solution can be minimally configured by setting the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable for your shell or process. There's no need for iptables or routing rules with this approach, and each shell or process can use Weep to request credentials for a different role. Weep caches the credentials you request in memory and refreshes them on demand when they are within 10 minutes of expiring.

Read about AWS configuration settings and precedence for information about precedence of credential sources.

In one shell, run weep:

weep serve

In your favorite IDE or shell, set the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable and run AWS commands. The environment variable's value is structured like this:

AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:9091/ecs/consoleme_oss_1
                                          ▔▔▔▔▔▔▔▔▔ ▔▔▔▔     ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
                                          │         │        └─ Role name/search string
                                          │         └─ Weep port (probably 9091)
                                          └─ Weep hostname (probably localhost)

AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:9091/ecs/consoleme_oss_1 aws sts get-caller-identity
{
   "UserId": "AROA4JEFLERSKVPFT4INI:user@example.com",
   "Account": "123456789012",
   "Arn": "arn:aws:sts::123456789012:assumed-role/consoleme_oss_1_test_user/user@example.com"
}

AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:9091/ecs/consoleme_oss_2 aws sts get-caller-identity
{
   "UserId": "AROA6KW3MOV2F7J6AT4PC:user@example.com",
   "Account": "223456789012",
   "Arn": "arn:aws:sts::223456789012:assumed-role/consoleme_oss_2_test_user/user@example.com"
}

Configure this environment variable in your IDE for full effect.
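
As an added illustration (not code from Weep or ConsoleMe), the sketch below parses the URI layout shown above, rejects hosts that are not loopback so that credentials served over plain HTTP stay on the local machine, and models the cache rule described earlier: one entry per role, refreshed on demand once it is within 10 minutes of expiring. The names parse_weep_uri, needs_refresh, RoleCache and fake_fetch are hypothetical, the Expiration field follows the ECS credential response format, and the sample credentials are constructed.

```python
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlsplit

REFRESH_WINDOW = timedelta(minutes=10)  # refresh threshold stated in the text above


def parse_weep_uri(uri):
    """Split the URI into (host, port, role); reject endpoints that are not local."""
    parts = urlsplit(uri)
    if parts.scheme != "http":
        raise ValueError("expected an http:// URI")
    host = parts.hostname or ""
    if host != "localhost":  # assumption: "localhost" resolves to loopback
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:  # a DNS name other than localhost
            loopback = False
        if not loopback:
            raise ValueError(f"{host!r} is not a loopback address")
    prefix, _, role = parts.path.lstrip("/").partition("/")
    if prefix != "ecs" or not role:
        raise ValueError("path must be /ecs/<role name or search string>")
    return host, parts.port, role


def needs_refresh(creds, now):
    """True when the credentials expire within REFRESH_WINDOW of `now` (UTC-aware)."""
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return expires - now <= REFRESH_WINDOW


class RoleCache:
    """In-memory cache keyed by role, refreshed on demand (hypothetical helper)."""
    def __init__(self, fetch):
        self._fetch = fetch  # callable(role, now) -> credential dict
        self._creds = {}

    def get(self, role, now):
        cached = self._creds.get(role)
        if cached is None or needs_refresh(cached, now):
            cached = self._creds[role] = self._fetch(role, now)
        return cached


def fake_fetch(role, now):
    """Constructed stand-in for the credential endpoint: one-hour credentials."""
    expiry = (now + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"AccessKeyId": "ASIAEXAMPLE", "Expiration": expiry}
```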

IMDS Emulation

This is a more advanced feature. It's more involved to get set up, but it lets you avoid setting an environment variable to use Weep.

To serve the IMDS endpoints, use the serve command along with a role identifier or search string:

weep serve arn:aws:iam::012345678901:role/coolApp
INFO[0000] Starting weep meta-data service...
INFO[0000] Server started on: 127.0.0.1:9090

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/coolApp
{
  "Code": "Success",
  "LastUpdated": "2018-08-01T15:26:14Z",
  "Type": "AWS-HMAC",
  "AccessKeyId": "ASIA
...

AWS SDKs expect IMDS to be served at http://169.254.169.254. You will need to set up routing for this functionality to work. Instructions can be found in Advanced Configuration.