▗▄▄▖▗▖ ▗▄▄▄▖▗▄▄▄▖▗▄▄▖
▐▌ ▐▌ █ ▐▌ ▐▌ ▐▌
▐▌ ▐▌ █ ▐▛▀▀▘▐▛▀▚▖
▝▚▄▄▖▐▙▄▄▖▗▄█▄▖▐▙▄▄▖▐▌ ▐▌
Console → CLI credentials. The reverse of consoler.
Pronounced: see-el-eye-er
The only tool that can extract AWS Console credentials. AWS intentionally stores these credentials in the JavaScript heap only—not in cookies, localStorage, or anywhere extractable. They're designed to be inaccessible and auto-expire when you close the tab. clier intercepts them at the network layer before they disappear into memory, making the impossible possible.
Perfect for:
- Pentesters - Extract credentials from compromised sessions for offline analysis
- Developers in locked-down environments - Get CLI access when you only have console access
- Airgapped VDI users - Scan the QR code with your phone to bypass clipboard restrictions and get credentials out
- Anyone stuck with SSO/federated console access - Finally use the AWS CLI without begging for access keys
Supports multiple AWS services - each service (S3, EC2, Lambda, etc.) has its own scoped credentials that can be captured and exported independently.
AWS Console credentials are stored in the JavaScript heap (RAM) only—not in localStorage, sessionStorage, or cookies. This is by design for security (XSS mitigation, auto-expiry on tab close).
This extension uses network interception (monkey-patching window.fetch and XMLHttpRequest) to capture credentials when the AWS Console fetches them from service-specific /{service}/tb/creds endpoints.
- When you load/refresh any AWS Console service, it makes a request to
https://{region}.console.aws.amazon.com/{service}/tb/creds- Examples:
/console/tb/creds,/s3/tb/creds,/ec2/tb/creds,/lambda/tb/creds
- Examples:
- The injected script clones the response before AWS consumes it
- Credentials are extracted from the JSON response along with the service name:
{ "accessKeyId": "ASIA...", "secretAccessKey": "...", "sessionToken": "...", "expiration": "2026-01-15T00:51:45.000Z" } - Credentials are emitted via
window.dispatchEvent()with service identifier - The isolated content script catches this and stores to
chrome.storage.localkeyed by service - The popup displays service tabs to switch between captured credentials
- 🔐 Automatic credential capture - Intercepts credentials from any AWS service endpoint
- 🗂️ Multi-service support - Capture and manage credentials for S3, EC2, Lambda, and any other AWS service separately
- 📋 One-click copy - Copy individual fields or formatted output
- 📄 Multiple export formats:
- Bash environment variables (
export AWS_...) - PowerShell environment variables (
$env:AWS_...) - AWS credentials file format (
~/.aws/credentials) - JSON format
- Bash environment variables (
- 📱 QR code export - Each service displays a scannable QR code for instant credential transfer to your phone—perfect for airgapped environments where clipboard is blocked
-
⏰ Expiry tracking - Shows when credentials will expire
-
🧹 Flexible clearing - Clear credentials for a single service or all at once
-
🎨 Dark theme UI - Clean interface matching AWS Console aesthetics
- Clone the repo
- Open your browser's extension page:
- Chrome:
chrome://extensions - Edge:
edge://extensions - Brave:
brave://extensions - Safari: Uh there is currently an issue with scrolling the ext in Safari so probably don't use it
- Chrome:
- Enable Developer mode (toggle in the top right)
- Click Load unpacked
- Select the
clierfolder - The extension icon (orange lock) should appear in your toolbar
Firefox requires modifications for Manifest V3. For Firefox:
- Change
manifest.json:- Use
"manifest_version": 2 - Replace
"service_worker": "background.js"with"scripts": ["background.js"] - Update
web_accessible_resourcesformat
- Use
- Go to
about:debugging#/runtime/this-firefox - Click Load Temporary Add-on
- Select
manifest.json
- Install the extension (see above)
- Log into AWS Console - Navigate to console.aws.amazon.com
- Credentials are captured automatically - When AWS Console loads or refreshes, it fetches credentials
- Navigate to different services - Visit S3, EC2, Lambda, etc. to capture service-specific credentials
- Click the extension icon - View captured credentials with service tabs
- Switch between services - Click service tabs to view credentials for each service
- Copy and use - Select an export format and copy to your terminal
- Refresh the AWS Console page (F5) - This triggers a fresh credential fetch
- Navigate to a different AWS service - Each service has its own credential endpoint
- Check that you're using federated/SSO login - Works best with IAM Identity Center
export AWS_ACCESS_KEY_ID="ASIAXXXXXXXXXXX"
export AWS_SECRET_ACCESS_KEY="xxxxxxxxxxxxxxxxxxxxxxx"
export AWS_SESSION_TOKEN="xxxxxxxxxxxxxxxxxxxxxxx..."
export AWS_DEFAULT_REGION="us-east-1"$env:AWS_ACCESS_KEY_ID="ASIAXXXXXXXXXXX"
$env:AWS_SECRET_ACCESS_KEY="xxxxxxxxxxxxxxxxxxxxxxx"
$env:AWS_SESSION_TOKEN="xxxxxxxxxxxxxxxxxxxxxxx..."
$env:AWS_DEFAULT_REGION="us-east-1"[default]
aws_access_key_id = ASIAXXXXXXXXXXX
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxx
aws_session_token = xxxxxxxxxxxxxxxxxxxxxxx...
region = us-east-1{
"accessKeyId": "ASIAXXXXXXXXXXX",
"secretAccessKey": "xxxxxxxxxxxxxxxxxxxxxxx",
"sessionToken": "xxxxxxxxxxxxxxxxxxxxxxx...",
"region": "us-east-1",
"expiration": "2024-01-15T12:00:00Z"
}The QR code contains a compact JSON with short keys to maximize capacity:
{
"a": "ASIAXXXXXXXXXXX",
"s": "xxxxxxxxxxxxxxxxxxxxxxx",
"t": "xxxxxxxxxxxxxxxxxxxxxxx...",
"r": "us-east-1",
"e": "2024-01-15T12:00:00Z"
}| Key | Field |
|---|---|
a |
accessKeyId |
s |
secretAccessKey |
t |
sessionToken |
r |
region |
e |
expiration |
To use scanned credentials:
# After scanning, parse the JSON and export:
export AWS_ACCESS_KEY_ID="<a value>"
export AWS_SECRET_ACCESS_KEY="<s value>"
export AWS_SESSION_TOKEN="<t value>"
export AWS_DEFAULT_REGION="<r value>"- These are temporary STS credentials that expire (typically 15 mins depending on your IdP configuration)
- Each service has separately scoped credentials with permissions limited to that service
- Never share or commit these credentials
- The extension only reads credentials from your local browser session
- No data is transmitted anywhere external—everything stays local
- Credentials are stored in
chrome.storage.localand cleared when you click "Clear Current", "Clear All", or uninstall the extension
- Refresh the AWS Console page (most common fix)
- Ensure you're logged in and on an actual AWS Console page
- Try navigating to a different AWS service - each service triggers its own credential fetch
- Navigate directly to that service in the AWS Console (e.g., S3, EC2, Lambda)
- Refresh the page while on that service
- The service tab will appear once credentials are captured
- The extension shows the last captured credentials per service
- Refresh the AWS Console page for that service to get fresh credentials
- Check that you're on
*.console.aws.amazon.com - Ensure Developer mode is enabled and the extension is loaded
- Check the browser console for errors (Right-click icon → Inspect popup)
clier/
├── manifest.json # Extension manifest
├── background.js # Service worker for message handling
├── content-isolated.js # Content script (isolated world)
├── injected.js # Fetch interceptor (main world)
├── popup.html # Popup UI
├── popup.js # Popup logic
├── qrcode.min.js # QR code generator library
├── icons/
│ ├── icon16.png
│ ├── icon48.png
│ └── icon128.png
└── README.md
storage: Store captured credentials locallyhost_permissionsfor*.console.aws.amazon.com: Inject content scripts on AWS Console pagesweb_accessible_resources: Allow the injected script to be loaded into the page context
MIT License - Feel free to modify and distribute.
This section describes how clier can be used during authorized AWS security assessments.
After gaining access to a target's workstation or browser session (via phishing simulation, physical access during an engagement, or compromised RDP/VDI session):
- Install clier on the target browser (or use a portable/pre-configured browser)
- Navigate to AWS Console - If the user has an active SSO session, you'll land authenticated
- Enumerate services - Visit each AWS service the target might have access to:
S3 → EC2 → Lambda → IAM → RDS → Secrets Manager → etc. - Capture scoped credentials - Each service visit captures that service's scoped STS credentials
- Export and exfiltrate - Copy credentials in your preferred format for offline analysis
When assessing what a compromised identity can actually do:
- Capture credentials from multiple services - Navigate through the console capturing each service's credentials
- Compare credential scopes - Each service may have different IAM permissions:
# Test S3 credentials export AWS_ACCESS_KEY_ID="<s3-creds>" aws s3 ls # Test EC2 credentials export AWS_ACCESS_KEY_ID="<ec2-creds>" aws ec2 describe-instances
- Identify permission boundaries - Some services may have broader access than others
- Test for privilege escalation - Use tools like Pacu or enumerate-iam with captured credentials
Console access and CLI access may have different effective permissions:
- Capture service credentials via clier
- Use CLI to access resources that may have different access controls:
# Access S3 buckets that might not be visible in console aws s3 ls s3://internal-bucket --recursive # Pull secrets that require CLI aws secretsmanager get-secret-value --secret-id prod/db/creds
- Pivot to other accounts - If the role has
sts:AssumeRolepermissions:aws sts assume-role --role-arn arn:aws:iam::TARGET:role/CrossAccountRole --role-session-name pivot
Many organizations restrict AWS access to locked-down VDI environments with no CLI, no local tools, and no way to install software. Console-only access is meant to be a security control. clier breaks that assumption:
- Install clier in the VDI browser - Most VDIs allow browser extensions, or use a portable browser
- Authenticate to AWS Console via your normal SSO/federated flow
- Navigate to the services you need - Capture credentials for S3, Lambda, Secrets Manager, etc.
- Exfiltrate credentials - Options depending on your restrictions:
- QR code scan - Point your phone at the QR code displayed in the popup (fastest method)
- Copy/paste - If clipboard works between VDI and local machine
- Type them out - Manual but works when clipboard is blocked
- Photo the QR - Screenshot/photo the QR code for later scanning
- Email to yourself - If webmail is accessible
- Use credentials on your local machine:
# Paste the captured bash export format export AWS_ACCESS_KEY_ID="ASIA..." export AWS_SECRET_ACCESS_KEY="..." export AWS_SESSION_TOKEN="..." # Now you have CLI access outside the VDI aws s3 cp s3://restricted-bucket/data.csv ./
Why this matters: Organizations assume console-only VDI access prevents data exfiltration via CLI. clier proves that assumption wrong—if a user can see it in the console, they can now script it externally.
- Capture early, use later - Credentials expire in ~15 mins, but capturing multiple services gives you a map of access
- Screenshot the popup - Document captured services for your report
- Check credential expiry - The extension shows time remaining; refresh the console page to get fresh credentials
- Clear traces - Use "Clear All" before returning the system; credentials are only stored in
chrome.storage.local
This tool is for authorized security testing and legitimate development purposes only. Always obtain proper authorization before testing. Follow your organization's security policies and rules of engagement. This is not an official AWS tool.