# Generate AWS Console Session

## Generating an AWS Console Session

* NetSPI developed a neat tool that will generate a web console sign-in URL with a valid set of long-term (e.g., IAM User access keys) or temporary (e.g., IAM Role) credentials and appropriate permissions
* This technique **does not provide any new permissions**, it just gives you access to the AWS console which can provide a better (and graphical) experience without trying to brute force your access via the CLI / API

***

### Installation 

* Code is also available on [GitHub](https://github.com/netspi/aws_consoler)

```bash
pip install aws-consoler
```

***

### Generate Web Console Sign-In URL

{% hint style="warning" %}
If using IAM User access keys, the user must have permissions to run `sts:GetFederationToken`
{% endhint %}

{% hint style="danger" %}
The user name will be **aws\_consoler** and will appear in logs so this is **not a stealthy approach**!

Consider writing your own custom script instead or do this manually [#generating-temporary-aws-credentials-from-iam-user](https://www.techwithtyler.dev/cloud-security/aws/aws-persistence#generating-temporary-aws-credentials-from-iam-user "mention")
{% endhint %}

{% code overflow="wrap" %}

```bash
aws_consoler --profile tyler  
       
2025-11-09 11:29:51,395 [aws_consoler.logic] WARNING: Creds still permanent, creating federated session.

https://signin.aws.amazon.com/federation?Action=login&Issuer=consoler.local&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3F&SigninToken=Lf4-EszViCQ9ha_CINm8HtvZjaxD4U[SNIP]
```

{% endcode %}