
Issuing Temporary Credentials to sign into AWS Management Console using AssumeRole, existing Policies, and unique URL

I want to issue temporary credentials to existing users, to allow them access to the AWS Management Console, by providing them a URL created with these temporary credentials.

I am following along with a written example given through AWS Documentation: Example Code Using IAM Query APIs

I have written the following code, which does NOT give any errors when executing, and DOES seem to return a session token, which should allow me to then properly form a URL to sign in.

Here is the code to return session token and subsequently URL:

# Long-term credentials of the IAM user that is allowed to call sts:AssumeRole
$accessKeyId = 'accesskeyId' 
$secretAccessKey = 'secretaccessKey'
$region = 'us-east-1'

Set-AWSCredentials -AccessKey $accessKeyId -SecretKey $secretAccessKey

# Assume the target role; $role.Credentials holds the temporary access key, secret key and session token
$role = Use-STSRole -RoleSessionName "testSTS" -RoleArn "arn:aws:iam::1234567890:role/adminAccess" -DurationInSeconds 900

# Build the session JSON by interpolating the temporary credential values directly into a here-string
$jsonSession = @"
{
    "sessionId": $([string]::Format("{0}", $role.Credentials.AccessKeyId)),
    "sessionKey": $([string]::Format("{0}", $role.Credentials.SecretAccessKey)),
    "sessionToken": $([string]::Format("{0}", $role.Credentials.SessionToken))
}
"@

# URL-encode the JSON and exchange it for a sign-in token at the federation endpoint
Add-Type -AssemblyName System.Web
$Encode = [System.Web.HttpUtility]::UrlEncode($jsonSession)

$url = $([string]::Format("https://signin.aws.amazon.com/federation?Action=getSigninToken&Session={0}", $Encode))

$payload = Invoke-WebRequest -Uri $url | ConvertFrom-Json

# Assemble the login URL from the issuer, the console destination and the sign-in token
$issuer = [System.Web.HttpUtility]::UrlEncode("https://1234567890.signin.aws.amazon.com")
$destination = [System.Web.HttpUtility]::UrlEncode("https://console.aws.amazon.com")
$signintoken = [System.Web.HttpUtility]::UrlEncode($payload.SigninToken)

$signInUrl = $([string]::Format("https://signin.aws.amazon.com/federation?Action=login&Issuer={0}&Destination={1}&SigninToken={2}", $issuer, $destination, $signintoken))

write-host $signInUrl

Unfortunately, when I visit the URL in a web browser I get the following error: "Amazon Web Services Sign In : The credentials in your login link were invalid. Please contact your administrator."

This is what the URL returned to me looks like; obviously I have changed the account ID and the real session token for security reasons:

https://signin.aws.amazon.com/federation?Action=login&Issuer=https%3a%2f%2f1234567890.signin.aws.amazon.com&Destination=https%3a%2f%2fconsole.aws.amazon.com&SigninToken=ygQQrk4MYJyX1k30Obmj8p3Clax5OaUzQbjIBQH-ADCYP5QHNj2rsBz4ATlHrHqIJlzoAqyPrd_5OC4fo-BNHGKJkfasfkjz4C4hZnfYH-VmmcHIY8Fan0m38SnxwCome8DZHLe-_8igsGmCWKKTAVen_lp5wA0mUuGIgg9TqPIlb5SNPOVY00oc3dEGZnahcBlOJAmN7DWuv3P61EVipF5w2eoSGIdCyPkhZ2vvFD8orN_UJ4nLogkTAf5rvme1cavj6sqmRUS8iOTyEj8a5mLrmWww__p_J3z4aN4U_qEr3SIi9tCmQMCPB6ktaN_-dMIvJMrx23C11KjCyqixHnFxn60MOBH22bmY-6OFOucA

Additionally, the credentials and session token passed to me seem to work when using them to issue an API command, as shown in the code below:

# Long-term credentials of the IAM user that is allowed to call sts:AssumeRole
$accessKeyId = 'accesskeyId' 
$secretAccessKey = 'secretAccessKey'
$region = 'us-east-1'

Set-AWSCredentials -AccessKey $accessKeyId -SecretKey $secretAccessKey

$role = Use-STSRole -RoleSessionName "testSTS" -RoleArn "arn:aws:iam::1234567890:role/adminAccess" -DurationInSeconds 900

# Switch the session to the temporary credentials returned by AssumeRole
$newAccessKeyId = $role.Credentials.AccessKeyId
$newSecretKey = $role.Credentials.SecretAccessKey
$newSessionToken =  $role.Credentials.SessionToken

Set-AWSCredentials -AccessKey $newAccessKeyId -SecretKey $newSecretKey -SessionToken $newSessionToken 

# An API call made with the temporary credentials succeeds
$secgroups = Get-EC2SecurityGroup

Updated: I tried removing the "Issuer" parameter, since the article referenced below listed it as optional. I also tried adding "SessionType" to the original URL used to request the sign-in token, and the sign-in URL still fails with the same error.

subverts_rule asked May 16 '16 18:05

1 Answer

I found the answer, and unfortunately it didn't turn out to be anything too exciting!

It seems the offending code was in the portion that creates the JSON session string that you exchange for a sign-in token.

I was missing the surrounding double quotation marks "" around the values of the key/value pairs.

Here is the updated portion of that code for anyone else trying to get this to work!

$jsonSession = @"
{"sessionId": $([string]::Format('"{0}"', $role.Credentials.AccessKeyId)),
"sessionKey": $([string]::Format('"{0}"', $role.Credentials.SecretAccessKey)),
"sessionToken": $([string]::Format('"{0}"', $role.Credentials.SessionToken))}
"@
subverts_rule answered Sep 24 '22 00:09
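The same two-step exchange (temporary credentials to sign-in token, sign-in token to login URL), written as an added example that is not part of the question or the answer above. It avoids the quoting bug entirely by letting ConvertTo-Json serialize the session object, and uses [Uri]::EscapeDataString for URL encoding so no System.Web assembly load is needed. Use-STSRole and Set-AWSCredential come from AWS Tools for PowerShell; the profile name, role ARN and issuer URL are placeholders, and the credential values in the offline check at the bottom are constructed, not real.

```powershell
# Added example, not code from the original post.
# Requires AWS Tools for PowerShell (Use-STSRole, Set-AWSCredential) for the live path.

function New-FederationSessionJson {
    param(
        [Parameter(Mandatory)] [string] $AccessKeyId,
        [Parameter(Mandatory)] [string] $SecretAccessKey,
        [Parameter(Mandatory)] [string] $SessionToken
    )
    # ConvertTo-Json emits every value as a quoted JSON string, which is exactly
    # what the hand-built here-string in the question was missing.
    [ordered]@{
        sessionId    = $AccessKeyId
        sessionKey   = $SecretAccessKey
        sessionToken = $SessionToken
    } | ConvertTo-Json -Compress
}

function New-ConsoleLoginUrl {
    param(
        [Parameter(Mandatory)] [string] $SigninToken,
        [Parameter(Mandatory)] [string] $Issuer,
        [string] $Destination = 'https://console.aws.amazon.com'
    )
    # Every query value is percent-encoded; the federation endpoint rejects raw characters.
    $parts = @(
        [Uri]::EscapeDataString($Issuer),
        [Uri]::EscapeDataString($Destination),
        [Uri]::EscapeDataString($SigninToken)
    )
    'https://signin.aws.amazon.com/federation?Action=login&Issuer={0}&Destination={1}&SigninToken={2}' -f $parts
}

function Get-ConsoleSignInUrl {
    param(
        # $Credentials is the .Credentials property of the object Use-STSRole returns
        [Parameter(Mandatory)] $Credentials,
        [string] $Issuer = 'https://portal.example.com'   # assumption: your own sign-in portal
    )
    $sessionJson = New-FederationSessionJson -AccessKeyId $Credentials.AccessKeyId `
        -SecretAccessKey $Credentials.SecretAccessKey -SessionToken $Credentials.SessionToken

    # Step 1: exchange the temporary credentials for a short-lived sign-in token.
    $tokenUrl = 'https://signin.aws.amazon.com/federation?Action=getSigninToken&Session={0}' -f `
        [Uri]::EscapeDataString($sessionJson)
    $signinToken = (Invoke-RestMethod -Uri $tokenUrl -Method Get).SigninToken

    # Step 2: wrap the sign-in token in the login URL the user opens in a browser.
    New-ConsoleLoginUrl -SigninToken $signinToken -Issuer $Issuer
}

# Live usage (placeholder profile and role ARN; keep the broker's long-term keys out of the script):
#   Set-AWSCredential -ProfileName federation-broker
#   $role = Use-STSRole -RoleArn 'arn:aws:iam::123456789012:role/ConsoleReadOnly' `
#                       -RoleSessionName 'alice' -DurationInSeconds 900
#   Get-ConsoleSignInUrl -Credentials $role.Credentials

# Offline check of the JSON step with constructed (fake) values, so the quoting can be inspected:
New-FederationSessionJson -AccessKeyId 'ASIAEXAMPLEKEYID' -SecretAccessKey 'fake-secret' -SessionToken 'fake-token'
```

Two practitioner notes. First, the finished login URL is itself a bearer credential for the console: anyone who obtains it before the sign-in token expires (AWS documents the token as valid for 15 minutes) gets the role's permissions, so deliver it only over TLS, never write it to logs or shell history, and scope the assumed role to what the recipient actually needs rather than an admin role. Second, the broker that calls AssumeRole should run with a dedicated identity (a profile or instance/role credentials, as in the commented usage above) instead of long-term keys pasted into the script as in the question.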