Using aws-vault with multiple browser windows

14/05/2018 Ben Bridts
Posted in AWS Blog

If you’re using AWS with a lot of accounts, you quickly notice that it’s not very user friendly to have to switch between accounts in your browser all the time. You will probably run into one or more of these limitations:

  • You can only be logged into one account at a time (which leads to using multiple browsers and/or incognito windows).
  • The console only remembers the last 5 roles you used.
  • When using federated login, you need to sign out before you can switch between roles.

You can work around some of this with bookmarks or a page with links, but that’s still not very user friendly.

Using the CLI is a lot easier. You define your configuration in .aws/config and you can use it every time by adding the --profile flag.

In this blog post I will describe a way to use your CLI config to log into different AWS accounts in parallel, so you can reach the console with the profile names you already know from CLI usage. This solution was inspired by this page of the aws-vault quick guide written by Fernando Miguel.

Prerequisites

This guide will assume:

  • You’re using OSX (it shouldn’t be very hard to convert the scripts to Windows or Linux though)
  • You’re using Google Chrome

1. Install and configure aws-vault

AWS Vault is a command line tool that does a few things. It stores your credentials in the keyring of your operating system, and it has a few commands to easily use those credentials (e.g. by assuming a temporary session and exposing it as environment variables). Here we use it to turn the profiles from the AWS CLI configuration into console logins.

The ReadMe has installation and usage instructions. By the end of it you should be able to run aws-vault exec my-profile -- aws sts get-caller-identity and see the identity that belongs to the profile.

Having set up AWS Vault, it’s now possible to run aws-vault login my-profile to open the AWS console for the configured account. This solves having to bookmark or type the right settings every time we need to switch accounts, but the two other limitations still apply: one console session per browser, and no switching roles under federated login without signing out first.

2. Create a shell function to start Google Chrome profiles

Our next step is to start a new Google Chrome browser window with its own profile. A separate user data directory means a separate cookie jar, so the new window is independent from already running sessions. This can be done by adding --user-data-dir to the arguments. To make this easy, we wrap it in a shell function.

If you’re using Bash

Add the following code to your ~/.bashrc and run source ~/.bashrc.

function awschrome {
    # set to yes to create one-time use profiles in /tmp
    # anything else will create them in $HOME/.aws/awschrome
    local TEMP_PROFILE="yes"

    # set to yes to always start in a new window
    local NEW_WINDOW="no"

    local profile="$1"
    if [[ -z "$profile" ]]; then
        echo "Profile is a required argument" >&2
        return 1
    fi

    # the profile name becomes a directory name: replace anything that is
    # not a letter, digit, _ or - with __
    local profile_dir_name="${profile//[^a-zA-Z0-9_-]/__}"
    local user_data_dir="${HOME}/.aws/awschrome/${profile_dir_name}"
    local extra_args=()

    if [[ "$TEMP_PROFILE" = "yes" ]]; then
        user_data_dir=$(mktemp -d /tmp/awschrome_userdata.XXXXXXXX) || return 1
    fi

    if [[ "$NEW_WINDOW" = "yes" ]]; then
        extra_args+=('--new-window')
    fi

    # run aws-vault and capture the login URL it prints on stdout
    # --prompt osascript only works on OSX
    # (declare first, assign separately, so $? is aws-vault's exit status
    # and not that of "local")
    local url status
    url=$(aws-vault login "$profile" --stdout --prompt osascript)
    status=$?

    if [[ ${status} -ne 0 ]]; then
        # $(...) only captures stdout; aws-vault's error message has already
        # gone to stderr. Forward anything it did print, then stop.
        [[ -n "${url}" ]] && echo "${url}" >&2
        return ${status}
    fi

    mkdir -p "${user_data_dir}"
    local disk_cache_dir
    disk_cache_dir=$(mktemp -d /tmp/awschrome_cache.XXXXXXXX) || return 1
    # ${url} is quoted: the federation URL contains ? and &, which an
    # unquoted expansion would hand to pathname expansion
    /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
        --no-first-run \
        --user-data-dir="${user_data_dir}" \
        --disk-cache-dir="${disk_cache_dir}" \
        "${extra_args[@]}" \
        "${url}" \
      >/dev/null 2>&1 &
}

If you’re using Fish

Add the following as ~/.config/fish/functions/awschrome.fish and restart your shell.

function awschrome -d "start a new chrome browser logged in to aws"
    # set to yes to create temporary profiles in /tmp
    # anything else will create them in $HOME/.aws/awschrome
    set -l TEMP_PROFILE "yes"

    # set to yes to always start in a new window
    set -l NEW_WINDOW "no"

    set -l profile "$argv[1]"
    if test -z "$profile"
        echo "Profile is a required argument" >&2
        return 1
    end

    # the profile name becomes a directory name: replace anything that is
    # not a letter, digit, _ or - with __ (same rule as the bash version)
    set -l profile_dir_name (string replace -ar '[^a-zA-Z0-9_-]' __ "$profile")
    set -l user_data_dir "$HOME/.aws/awschrome/$profile_dir_name"
    # declared as an empty list, not as '': an empty string would still be
    # handed to Chrome as an (empty) argument
    set -l new_window_arg

    if test "$TEMP_PROFILE" = "yes"
        set user_data_dir (mktemp -d /tmp/awschrome_userdata.XXXXXXXX)
    end

    if test "$NEW_WINDOW" = "yes"
        set new_window_arg '--new-window'
    end

    # run aws-vault and capture the login URL it prints on stdout
    # --prompt osascript only works on OSX
    set -l url (aws-vault login $profile --stdout --prompt osascript)
    # set passes the exit status of the command substitution through;
    # save it before the next command (test) overwrites $status
    set -l login_status $status

    if test $login_status -ne 0
        # (...) only captures stdout; aws-vault's error message has already
        # gone to stderr. Forward anything it did print, then stop.
        if test -n "$url"
            echo $url >&2
        end
        return $login_status
    end

    mkdir -p $user_data_dir
    set -l disk_cache_dir (mktemp -d /tmp/awschrome_cache.XXXXXXXX)
    /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
        --no-first-run \
        --user-data-dir=$user_data_dir \
        --disk-cache-dir=$disk_cache_dir \
        $new_window_arg \
        $url \
      >/dev/null 2>&1 &
end

3. Usage

You should now be able to run awschrome my-profile to start a new browser window with its own session. You can run this with as many profiles as you want, and each one will start a new (independent) browser. Two things to keep in mind: with TEMP_PROFILE set to yes, every run leaves a logged-in Chrome profile (cookies included) behind in /tmp, because nothing removes the mktemp directories after Chrome exits; and the login URL, which carries the sign-in token, is passed to Chrome as a command line argument, so it shows up in the process list for as long as that Chrome process runs.
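Two additions that the function above leaves to the user, as an added example written for the same bash setup (this is not code from the post or from aws-vault): a check that what came back from aws-vault login --stdout really is an AWS federation sign-in URL before it is handed to Chrome, and a cleanup of the mktemp profile and cache directories that earlier runs left in /tmp. The function names, the reliance on the awschrome_userdata.* and awschrome_cache.* prefixes used by the function above, and the assumption that the sign-in host is signin.aws.amazon.com (the standard AWS partition; other partitions use other hosts) are this example's own.

```shell
# Added helpers for the awschrome setup; not part of the original post.

# Accept only the URL shape that "aws-vault login --stdout" is expected to
# print: an https federation sign-in URL on the console sign-in host of the
# standard partition (assumption), with Action=login and a SigninToken.
# Anything else (an error message that ended up on stdout, a truncated line,
# a plain-http URL) is refused before it reaches the browser.
awschrome_check_url() {
    url="$1"
    case "$url" in
        https://signin.aws.amazon.com/federation\?*) ;;
        *) return 1 ;;
    esac
    case "$url" in
        *Action=login*) ;;
        *) return 1 ;;
    esac
    case "$url" in
        *SigninToken=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the temporary profile and cache directories under $1 (default /tmp)
# that no running Chrome still uses. $2 is an optional newline-separated
# list of directories that are in use, so the selection can be exercised
# without a live process table; when it is absent the list is taken from
# the --user-data-dir= and --disk-cache-dir= arguments visible in ps.
awschrome_stale_dirs() {
    base="${1:-/tmp}"
    if [ $# -ge 2 ]; then
        in_use="$2"
    else
        in_use=$(ps -axo args= | grep -oE -- '--(user-data|disk-cache)-dir=[^ ]*' | cut -d= -f2)
    fi
    for dir in "$base"/awschrome_userdata.* "$base"/awschrome_cache.*; do
        [ -d "$dir" ] || continue
        if ! printf '%s\n' "$in_use" | grep -qxF -- "$dir"; then
            printf '%s\n' "$dir"
        fi
    done
}

# Remove the stale directories: with TEMP_PROFILE=yes every console session
# leaves its cookies in a fresh mktemp directory that nothing else deletes.
awschrome_cleanup() {
    awschrome_stale_dirs "$@" | while IFS= read -r dir; do
        [ -n "$dir" ] && rm -rf -- "$dir"
    done
}
```

Call awschrome_check_url "$url" right after the aws-vault login line in awschrome and return 1 when it fails; run awschrome_cleanup from the shell, or at the start of awschrome, to remove the directories that no running Chrome refers to.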
