bridgewater / holochrome Goto Github PK

Use your IAM role (from instance metadata) to open the AWS console

Home Page: https://chrome.google.com/webstore/detail/holochrome/fgnplojdffjfbcmoldcfdoikldnogjpa

License: MIT License

JavaScript 100.00%

aws aws-iam chrome chrome-extension security iam-role instance-metadata

holochrome's Introduction

Browser	Version	Downloads	Rating
Chrome
FireFox

Holochrome is a chrome extension that allows you to easily log in and switch between your AWS accounts using a single key stroke. It is built on top of the aws instance metadata service and therefore encourages security best practices by completely removing the need for static, long-lived credentials. The AWS console session is granted the exact same permissions as the IAM role available via the metadata service.

How do I get it?

Chrome: Chrome Web Store

Firefox: Mozilla Add-on Store

How do I use it?

Either click the icon or use the keyboard shortcut:

Mac: Cmd+Shift+1

Win: Ctrl+Shift+1

The keyboard shortcut is a 'global' listener which will bring Chrome into focus once pressed.

Chrome allows you to modify the keyboard shortcut on the chrome://extensions page. Check out this guide for more details.

How do I get the instance metadata service?

If you run a machine in AWS with an IAM role, it will exist by default and things should run smoothly.

If you want to leverage Holochrome on your local development machine, check out AdRoll's Hologram.

Developing

Follow the Chrome Development Guidelines for loading an unpacked extension. Target the inner holochrome/ folder.

To run tests:

cd test && npm install && npm test

TODO

Rotate session seamlessly without being logged out
Potentially support the default credential provider chain to allow the AWS console to more closely mimic other AWS services.

holochrome's People

Contributors

Stargazers

Watchers

Forkers

mlieberman85 joelthompson mahakoala adroll scriptsrc etsangsplk psimakov

holochrome's Issues

Similar extensions for other browsers

I'd imagine the majority of the logic can be reused between browsers. The only difference would be the browser specific event handling. Perhaps we can even factor our code to share the majority of that logic.

Extension seems to do nothing?

I installed the extension from the Chrome Web Store and now I'm getting these sporadic messages:

The instance metadata service could not be reached.

Pressing Cmd+Shift+1 seems to do nothing (Mac). How do I use this extension?

Is the AWS URL match pattern correct?

The current match pattern is https://console.aws.amazon.com/*

When I navigate to this URL, I get redirected to https://us-west-2.console.aws.amazon.com/console/home?region=us-west-2#

Should the URL match pattern in manifest.json be updated to account for these subdomains (e.g. https://*.console.aws.amazon.com/*)?

Incognito support

Looks like it doesn't log into an AWS account when using incognito, sticks to the landing page.

Session Duration

Just announced, the session duration param goes up to twelve hours now. How do you feel about increasing it? https://blogs.aws.amazon.com/security/post/Tx3GL3IZE3FIGB6/Enable-Your-Federated-Users-to-Work-in-the-AWS-Management-Console-for-up-to-12-H

Rotate session seamlessly without being logged out

Originally from @walterking

To continue the discussion at AdRoll/hologram#67

https://github.com/gitlon/CASTER

Agree! I tried to do that, but basically failed. I grab a new session token every 20 minutes. Unfortunately, the AWS console doesn't react well to the "injection" of new credentials. It seems like whenever the session cookie changes at all, it logs you out. I've had inconsistent behavior with this approach - sometimes it logs me out completely and redirects, sometimes it gives me a "you've been logged out" popup, and sometimes it just keeps chugging along happily. Would love any/all help solidifying this!

its probably been a year since I looked into it, but trouble injecting credentials sounds familiar, most likely some js variable in addition to the cookie. But i gave up on getting it working and instead have a tampermonkey plugin that re-logs in(since our saml saves the session longer, just a series of redirects) after aws redirects us to the signin page.