You can give your federated users single sign-on access to the AWS Management Console through your identity and authorization system, without requiring users to sign into Amazon Web Services (AWS). To give your federated users single sign-on access, you create a URL that gives them secure and direct access to the AWS Management Console.
To create the URL you need to complete the following tasks:

1. Verify that the user is authenticated.
2. Create temporary security credentials for the user.
3. Construct the URL that passes the temporary security credentials to the AWS Management Console.
4. Distribute the URL to the user.
The URL is valid for 15 minutes from the time it is created. The temporary security credentials associated with the URL are valid for the duration you specified when you created them, starting from the time they were created.
Important
Keep in mind that the URL grants access to your AWS resources through the AWS Management Console, to the extent that you have enabled permissions in the associated temporary security credentials. For this reason, you should treat the URL as a secret. We recommend returning the URL through a secure redirect, for example, by using a 302 HTTP response status code over an SSL connection. For more information about the 302 HTTP response status code, go to RFC 2616, section 10.3.3.
To complete these tasks you can use the HTTPS Query APIs for AWS Identity and Access Management (IAM) and the AWS Security Token Service (STS). Or, you can use the Java or Ruby programming languages. Each of these methods is described in the following sections.
This topic describes how to construct a URL that gives your federated users direct access to the AWS Management Console. This task uses the AWS Identity and Access Management (IAM) and AWS Security Token Service (STS) HTTPS Query APIs. For more information about making Query requests, go to Making Query Requests in Using IAM.
Note
The following procedure contains examples of text strings. To enhance readability, line breaks have been added to some of the longer examples. When you create these strings for your own use, you should omit any line breaks.
To give a federated user access to your resources from the AWS Management Console

1. Authenticate the user in your identity and authorization system.

2. Create temporary security credentials for the user. The credentials consist of an Access Key ID, a Secret Access Key, and a security token. For more information about creating temporary credentials, see Creating Temporary Security Credentials.

Important
When you create temporary security credentials you must specify the permissions the credentials will grant to the user who holds them. For more information about controlling permissions in temporary security credentials, see Controlling Permissions in Temporary Security Credentials.
3. After you obtain the temporary security credentials, format them as a JSON string so that you can exchange them for a sign-in token. The following example shows how to encode the temporary security credentials. Replace the placeholder text between asterisks with the corresponding values from the temporary security credentials that you created.

{"sessionId":"*** AWS Access Key ID ***",
"sessionKey":"*** AWS Secret Access Key ***",
"sessionToken":"*** AWS security token ***"}

4. Next, make a request to the AWS federation endpoint (https://signin.aws.amazon.com/federation) with the Action and Session parameters, shown in the following example.

Action = getSigninToken
Session = *** the JSON string described in Step 3, form-urlencoded ***
The following string is an example of what your request might look like (line breaks added for readability).

https://signin.aws.amazon.com/federation?
Action=getSigninToken
&Session=%7B%22sessionId%22%3A%22ASIAEXAMPLEMDLUUAEYQ%22%2C%22sessionKey%22
%3A%22tpSl9thxr2PkEXAMPLETAnVLVGdwC5zXtGDr%2FqWi%22%2C%22sessionToken%22%3A
%22AQoDYXdzEXAMPLE4BrM96BJ7btBQRrAcCjQIbg55555555OBT7y8h2YJ7woJkRzsLpJBpklC
qPXxS2AjRorJAm%2BsBtv1YXlZF%2FfHljgORxOevE388GdGaKRfO9W4DxK4HU0fIpwL%2BQ7oX
2Fj%2BJa%2FAb5u0cL%2BzI1P5rJuDzH%2F0pWEiYfiWXXH20rWruXVXpIIO%2FPhMHlV3Jw%2B
gDc4ZJ0WItuLPsuyP7BVUXWLcAVyTFbxyLy36FBSXF1z8a%2FvJN7utcj0mJRGIiIZSV7FQuepa
WP5YARYMrOUMqBB3v308LKBU8Z0xYe2%2FqthrLXf1nX0njbU%2FJTrct%2BEdG9PRb3907qa5n
VbnnnxdVQJ3mPgQchAZpDI9LsDDbGsa67JHUyFYnyUUUkMRfe7G70gjvbz9gQ%EXAMPLE

The response is a JSON document with a SigninToken value. It will look similar to the following example.

{"SigninToken":"*** the SigninToken string ***"}
5. Finally, create the URL that your federated users will use to access the AWS Management Console. The URL is the federation URL endpoint (https://signin.aws.amazon.com/federation), plus the following parameters.

Action = login
Issuer = *** the form-urlencoded URL for your internal sign-in page ***
Destination = *** the desired AWS Management Console URL, also form-urlencoded ***
SigninToken = *** the value of SigninToken from the JSON document returned in Step 4 ***

The following example shows what the final URL might look like (line breaks added for readability). The URL is valid for 15 minutes from the time it is created. The temporary security credentials associated with the URL are valid for the duration you specified when you created them.

https://signin.aws.amazon.com/federation?
Action=login
&Issuer=https%3A%2F%2Fexample.com
&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fs
&SigninToken=VCQgs5qZZt3Q6fn8Tr5EXAMPLEmLnwB7JjUc-SHwnUUWabcRdnWsi4DBn-dvC
CZ85wrD0nmldUcZEXAMPLE-vXYH4Q__mleuF_W2BE5HYexbe9y4Of-kje53SsjNNecATfjIzpW1
WibbnH6YcYRiBoffZBGExbEXAMPLE5aiKX4THWjQKC6gg6alHu6JFrnOJoK3dtP6I9a6hi6yPgm
iOkPZMmNGmhsvVxetKzr8mx3pxhHbMEXAMPLETv1pij0rok3IyCR2YVcIjqwfWv32HU2Xlj471u
3fU6uOfUComeKiqTGX974xzJOZbdmX_t_lLrhEXAMPLEDDIisSnyHGw2xaZZqudm4mo2uTDk9Pv
9l5K0ZCqIgEXAMPLEcA6tgLPykEWGUyH6BdSC6166n4M4JkXIQgac7_7821YqixsNxZ6rsrpzwf
nQoS14O7R0eJCCJ684EXAMPLEZRdBNnuLbUYpz2Iw3vIN0tQgOujwnwydPscM9F7foaEK3jwMkg
Apeb1-6L_OB12MZhuFxx55555EXAMPLEhyETEd4ZulKPdXHkgl6T9ZkIlHz2Uy1RUTUhhUxNtSQ
nWc5xkbBoEcXqpoSIeK7yhje9Vzhd61AEXAMPLElbWeouACEMG6-Vd3dAgFYd6i5FYoyFrZLWvm
0LSG7RyYKeYN5VIzUk3YWQpyjP0RiT5KUrsUi-NEXAMPLExMOMdoODBEgKQsk-iu2ozh6r8bxwC
RNhujg
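The five steps above, worked through end to end in Python as an added example (this is not code from the AWS documentation). It uses only the standard library: the credentials are constructed placeholders standing in for what STS returns, the HTTP transport is injectable so the getSigninToken exchange can be exercised offline with a canned response, and the https check on Issuer and Destination is an added sanity check that the documented procedure does not require.

```python
import json
import urllib.parse
import urllib.request

# The AWS federation endpoint named in the procedure above.
FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def build_session_json(access_key_id, secret_access_key, session_token):
    """Step 3: encode the three temporary security credentials as the JSON
    document the federation endpoint expects (sessionId, sessionKey, sessionToken)."""
    session = {
        "sessionId": access_key_id,
        "sessionKey": secret_access_key,
        "sessionToken": session_token,
    }
    # Compact separators give exactly the form shown in the procedure.
    return json.dumps(session, separators=(",", ":"))


def build_get_signin_token_url(session_json):
    """Step 4: Action=getSigninToken with the JSON string form-urlencoded in Session."""
    query = urllib.parse.urlencode({"Action": "getSigninToken", "Session": session_json})
    return FEDERATION_ENDPOINT + "?" + query


def parse_signin_token(response_body):
    """Step 4 response: a JSON document with a SigninToken value."""
    doc = json.loads(response_body)
    token = doc.get("SigninToken") if isinstance(doc, dict) else None
    if not isinstance(token, str) or not token:
        raise ValueError("federation endpoint response did not contain a SigninToken")
    return token


def _http_get(url):
    # Default transport: a plain GET over HTTPS; the body is UTF-8 JSON.
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode("utf-8")


def fetch_signin_token(session_json, http_get=_http_get):
    """Exchange the credentials JSON for a SigninToken. `http_get` is injectable
    (an assumption of this example) so the exchange can be tested offline."""
    return parse_signin_token(http_get(build_get_signin_token_url(session_json)))


def build_login_url(signin_token, issuer_url, destination_url):
    """Step 5: Action=login plus form-urlencoded Issuer, Destination and SigninToken.
    The https check is an added sanity check, not part of the documented procedure:
    both values end up in a URL that is handed to the user's browser."""
    for name, value in (("Issuer", issuer_url), ("Destination", destination_url)):
        if urllib.parse.urlsplit(value).scheme != "https":
            raise ValueError(f"{name} must be an https URL, got {value!r}")
    query = urllib.parse.urlencode({
        "Action": "login",
        "Issuer": issuer_url,
        "Destination": destination_url,
        "SigninToken": signin_token,
    })
    return FEDERATION_ENDPOINT + "?" + query


if __name__ == "__main__":
    # Constructed placeholder credentials; in practice these are the AccessKeyId,
    # SecretAccessKey and SessionToken that STS returns for the federated user.
    session_json = build_session_json(
        "ASIAEXAMPLE", "tpSl9thxr2PkEXAMPLE/secret", "AQoDYXdzEXAMPLEtoken")
    # Canned response standing in for the federation endpoint, so this runs offline.
    token = fetch_signin_token(
        session_json, lambda url: '{"SigninToken":"VCQgs5qZZt3Q6EXAMPLE"}')
    print(build_login_url(token, "https://example.com", "https://console.aws.amazon.com/s"))
```

Note that urllib.parse.urlencode uses quote_plus, so `/` becomes `%2F` and `:` becomes `%3A`, matching the encoded Session and Destination values shown in the examples above; the login URL it builds carries the same parameter order (Action, Issuer, Destination, SigninToken) as the final example URL. Per the Important note above, the resulting URL should be handed to the user only over a secure redirect, never logged.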
This topic describes how to programmatically construct a URL that gives your federated users direct access to the AWS Management Console. The following code uses the AWS SDK for Java. Replace the placeholder text between asterisks with the appropriate values for your use case.
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;

// Available at http://www.json.org/java/index.html
import org.json.JSONObject;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetFederationTokenRequest;
import com.amazonaws.services.securitytoken.model.GetFederationTokenResult;

public class FederatedConsoleUrl {
    public static void main(String[] args) throws Exception {
        AWSCredentials credentials = new BasicAWSCredentials(
            "*** Access Key ID ***", "*** Secret Key ***");
        AWSSecurityTokenServiceClient stsClient =
            new AWSSecurityTokenServiceClient(credentials);

        GetFederationTokenRequest getFederationTokenRequest =
            new GetFederationTokenRequest();
        getFederationTokenRequest.setDurationSeconds(3600);
        getFederationTokenRequest.setName("UserName");

        // A sample policy for accessing Amazon SNS in the console.
        String policy = "{\"Statement\":[{\"Action\":\"sns:*\","
            + "\"Effect\":\"Allow\",\"Resource\":\"*\"}]}";
        getFederationTokenRequest.setPolicy(policy);

        GetFederationTokenResult federationTokenResult =
            stsClient.getFederationToken(getFederationTokenRequest);
        Credentials federatedCredentials = federationTokenResult.getCredentials();

        // The issuer parameter specifies your internal sign-in
        // page, for example https://mysignin.internal.mycompany.com/.
        // The console parameter specifies the URL to the destination console of the
        // AWS Management Console. This example goes to the Amazon SNS console.
        // The signin parameter is the URL to send the request to.
        String issuerURL = "https://mysignin.internal.mycompany.com/";
        String consoleURL = "https://console.aws.amazon.com/sns";
        String signInURL = "https://signin.aws.amazon.com/federation";

        // Create the sign-in token using temporary credentials,
        // including the Access Key ID, Secret Access Key, and security token.
        String sessionJson = String.format(
            "{\"%1$s\":\"%2$s\",\"%3$s\":\"%4$s\",\"%5$s\":\"%6$s\"}",
            "sessionId", federatedCredentials.getAccessKeyId(),
            "sessionKey", federatedCredentials.getSecretAccessKey(),
            "sessionToken", federatedCredentials.getSessionToken());

        String getSigninTokenURL = signInURL + "?Action=getSigninToken"
            + "&SessionType=json&Session="
            + URLEncoder.encode(sessionJson, "UTF-8");

        URL url = new URL(getSigninTokenURL);
        URLConnection conn = url.openConnection();
        BufferedReader bufferReader = new BufferedReader(
            new InputStreamReader(conn.getInputStream()));
        String returnContent = bufferReader.readLine();
        bufferReader.close();

        String signinToken = new JSONObject(returnContent).getString("SigninToken");
        String signinTokenParameter = "&SigninToken="
            + URLEncoder.encode(signinToken, "UTF-8");

        // The issuer parameter is optional, but recommended. Use it to direct users
        // to your sign-in page when their session expires.
        String issuerParameter = "&Issuer=" + URLEncoder.encode(issuerURL, "UTF-8");
        String destinationParameter = "&Destination="
            + URLEncoder.encode(consoleURL, "UTF-8");

        String loginURL = signInURL + "?Action=login" + signinTokenParameter
            + issuerParameter + destinationParameter;

        // Hand loginURL to the user through a secure redirect; it grants console access.
        System.out.println(loginURL);
    }
}
This topic describes how to programmatically construct a URL that gives your federated users direct access to the AWS Management Console. This code snippet uses the AWS SDK for Ruby.
require 'rubygems'
require 'json'
require 'open-uri'
require 'cgi'
require 'aws-sdk'

# Normally, the temporary credentials will come from your identity
# broker, but for this example we create them here
sts = AWS::STS.new(:access_key_id => "*** Your AWS Access Key ID ***",
                   :secret_access_key => "*** Your AWS Secret Access Key ***")

# A sample policy for accessing Amazon SNS in the console.
policy = AWS::STS::Policy.new
policy.allow(:actions => "sns:*", :resources => :any)
session = sts.new_federated_session(
  "UserName",
  :policy => policy,
  :duration => 3600)

# The issuer parameter specifies your internal sign-in
# page, for example https://mysignin.internal.mycompany.com/.
# The console parameter specifies the URL to the destination console of the
# AWS Management Console. This example goes to the Amazon SNS console.
# The signin parameter is the URL to send the request to.
issuer_url = "https://mysignin.internal.mycompany.com/"
console_url = "https://console.aws.amazon.com/sns"
signin_url = "https://signin.aws.amazon.com/federation"

# Create the sign-in token using temporary credentials,
# including the Access Key ID, Secret Access Key, and security token.
session_json = {
  :sessionId => session.credentials[:access_key_id],
  :sessionKey => session.credentials[:secret_access_key],
  :sessionToken => session.credentials[:session_token]
}.to_json

get_signin_token_url = signin_url + "?Action=getSigninToken" +
  "&SessionType=json&Session=" + CGI.escape(session_json)

returned_content = URI.parse(get_signin_token_url).read

signin_token = JSON.parse(returned_content)['SigninToken']
signin_token_param = "&SigninToken=" + CGI.escape(signin_token)

# The issuer parameter is optional, but recommended. Use it to direct users
# to your sign-in page when their session expires.
issuer_param = "&Issuer=" + CGI.escape(issuer_url)
destination_param = "&Destination=" + CGI.escape(console_url)

login_url = signin_url + "?Action=login" + signin_token_param +
  issuer_param + destination_param