mozilla-aws-cli
Add support for use on remote machine
Add support for a use case where
- User ssh's into a host from their local computer
- On that remote host they want to interact with AWS
- Enable either conveying STS creds from the local computer to the remote one or enabling the remote computer to provide a URL that the user copy pastes into their browser and which somehow conveys credentials back to the remote computer
- A possible path for this would be, instead of the CLI tool listening on localhost, it polls a public endpoint (e.g. public SNS) waiting for the web page to push those credentials to the public endpoint. The tool could generate a shared secret which is embedded in the URL so that the polling and the pushing of credentials was safe
Thanks to @djmitche for this use case
This is slightly awkward with removing the infrastructure for the CLI-based role picker. Otherwise, it would be fairly easy to do so.
We could just not support the role picker on remote machines if needed
I think this would be pretty easy to do with -r.
You could give them a URL to open in their browser and then have them paste the (404) URL that they would get back to localhost. It's a bit clunky, but should work.
Does PKCE have a way to handle this case?
This is my exact use case. I have a dev system at home with my large screen on it. I always ssh from this system into my laptop to do work. Running `eval $(maws)` there causes an error box to appear on my dev system that says:
Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system.
I have the exact same workflow. I think your issue is probably just at step 1 here.
- Close/stop/kill all running instances of Firefox on the remote headless box
- SSH with X forwarding: `ssh -X`
- Find your new X session with `xauth list`
- Run: `DISPLAY=<your exported display> maws`
- Follow SSO login in the browser. The console will eventually spit out a shell script to source; source that and you'll get all the AWS environment variables exported.
This is true, but I also occasionally login on systems where Firefox is not -- and should not -- be installed. `az` and `gcloud` both support this situation :)
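
An added sketch, not taken from the thread or from the mozilla-aws-cli code base, of the paste-back flow suggested above combined with PKCE (RFC 7636): the remote host keeps the code verifier and state, prints a URL to open locally, and validates the redirect URL the user pastes back. The endpoint, client ID, redirect port and function names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders, not the project's real configuration.
AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "http://localhost:10800/redirect_uri"


def pkce_challenge(code_verifier: str) -> str:
    """S256 challenge from RFC 7636: BASE64URL(SHA256(verifier)), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_login_request() -> dict:
    """Create per-login secrets that never leave the remote host."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43-128 limit
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return {"url": f"{AUTHORIZE_ENDPOINT}?{query}", "state": state,
            "code_verifier": verifier}


def code_from_pasted_url(pasted: str, expected_state: str) -> str:
    """Validate the URL the user pastes back and return the authorization code."""
    parts, expected = urlsplit(pasted.strip()), urlsplit(REDIRECT_URI)
    if (parts.scheme, parts.netloc, parts.path) != (
            expected.scheme, expected.netloc, expected.path):
        raise ValueError("pasted URL is not the expected redirect URI")
    params = parse_qs(parts.query)
    if "error" in params:
        raise ValueError(f"identity provider returned: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: URL belongs to a different login")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]
```

The returned code is then sent to the identity provider's token endpoint together with `code_verifier`, so a pasted URL that leaks through terminal scrollback or clipboard history cannot be redeemed without the verifier held on the remote host.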