If you’re using AWS with a lot of accounts, you quickly notice that it’s not very user friendly to have to frequently switch between accounts in your browser. You will probably run into one or more of these limitations:
- You can only be logged into one account at a time (leading to the use of multiple browsers and/or incognito windows).
- The console only remembers the last 5 roles you used.
- When using federated login, you need to sign out before you can switch between roles.
You can work around a few things by using bookmarks or a page with links, but that’s still not very user friendly.
Using the CLI is a lot easier. You define your configuration in .aws/config and you can use it every time by adding the --profile flag.
In this blog post I will describe a way to use your CLI config to log into different AWS accounts in parallel, allowing you to use the names you already know from CLI usage to access the console. This solution was inspired by this page of the aws-vault quick guide written by Fernando Miguel.
Prerequisites
This guide will assume:
- You’re using OSX (it shouldn’t be very hard to convert the scripts to Windows or Linux though)
- You’re using Google Chrome
1. Install and configure aws-vault
AWS Vault is a command line tool that does a few things. It allows you to store credentials in the keyring of your operating system and it has a few commands to easily use these credentials (e.g. by assuming a temporary session and exposing it as environment variables). We will use it to turn the AWS CLI configuration into console logins.
The README has installation and usage instructions. By the end of it you should be able to run aws-vault exec my-profile aws sts get-caller-identity.
Having set up AWS Vault, it’s now possible to run aws-vault login my-profile to open the AWS console for the configured account. This solves having to bookmark / type the right settings every time we need to switch accounts, but the two other limitations still apply.
2. Create a shell function to start Google Chrome profiles
Our next step will be to start a new Google Chrome browser window with a new profile (so it’s independent from already running sessions). This can be done by adding --user-data-dir to the arguments. To make this easy, we will do this with a shell function.
If you’re using Bash
Add the following code to your ~/.bashrc and run source ~/.bashrc.
function awschrome {
    # set to yes to create one-time use profiles in /tmp
    # anything else will create them in $HOME/.aws/awschrome
    local TEMP_PROFILE="yes"
    # set to yes to always start in a new window
    local NEW_WINDOW="no"

    local profile="$1"
    if [[ -z "$profile" ]]; then
        echo "Profile is a required argument" >&2
        return 1
    fi

    # replace anything that is not a word character or - with __
    local profile_dir_name=${profile//[^a-zA-Z0-9_-]/__}
    local user_data_dir="${HOME}/.aws/awschrome/${profile_dir_name}"
    local new_window_arg=''

    if [[ "$TEMP_PROFILE" = "yes" ]]; then
        user_data_dir=$(mktemp -d /tmp/awschrome_userdata.XXXXXXXX)
    fi
    if [[ "$NEW_WINDOW" = "yes" ]]; then
        new_window_arg='--new-window'
    fi

    # run aws-vault and capture the console login URL it prints
    # --prompt osascript only works on OSX
    local url status
    url=$(aws-vault login "$profile" --stdout --prompt osascript)
    status=$?
    if [[ ${status} -ne 0 ]]; then
        # relay whatever aws-vault printed so the error is not lost
        echo "${url}" >&2
        return ${status}
    fi

    mkdir -p "${user_data_dir}"
    local disk_cache_dir
    disk_cache_dir=$(mktemp -d /tmp/awschrome_cache.XXXXXXXX)

    # new_window_arg is deliberately unquoted so an empty value adds no argument
    /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
        --no-first-run \
        --user-data-dir="${user_data_dir}" \
        --disk-cache-dir="${disk_cache_dir}" \
        ${new_window_arg} \
        "${url}" \
        >/dev/null 2>&1 &
}
If you’re using Fish
Add the following as ~/.config/fish/functions/awschrome.fish and restart your shell.
function awschrome -d "start a new chrome browser logged in to aws"
    # set to yes to create temporary profiles in /tmp
    # anything else will create them in $HOME/.aws/awschrome
    set -l TEMP_PROFILE "yes"
    # set to yes to always start in a new window
    set -l NEW_WINDOW "no"

    set -l profile "$argv[1]"
    if test -z "$profile"
        echo "Profile is a required argument" >&2
        return 1
    end

    # replace / and non-word characters with __
    set -l profile_dir_name (string replace -ar '[\W/]' __ "$profile")
    set -l user_data_dir "$HOME/.aws/awschrome/$profile_dir_name"
    # declared as an empty list (not '') so it expands to no argument at all
    set -l new_window_arg

    if test "$TEMP_PROFILE" = "yes"
        set user_data_dir (mktemp -d /tmp/awschrome_userdata.XXXXXXXX)
    end
    if test "$NEW_WINDOW" = "yes"
        set new_window_arg '--new-window'
    end

    # run aws-vault and capture the console login URL it prints
    # --prompt osascript only works on OSX
    set -l url (aws-vault login $profile --stdout --prompt osascript)
    if test $status -ne 0
        # relay whatever aws-vault printed so the error is not lost
        echo $url >&2
        return $status
    end

    mkdir -p $user_data_dir
    set -l disk_cache_dir (mktemp -d /tmp/awschrome_cache.XXXXXXXX)

    /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
        --no-first-run \
        --user-data-dir=$user_data_dir \
        --disk-cache-dir=$disk_cache_dir \
        $new_window_arg \
        $url \
        >/dev/null 2>&1 &
end
3. Usage
You should now be able to run awschrome my-profile to start a new browser window/session. You can run this with as many profiles as you want, and each one will start a new (independent) browser.
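Two things the awschrome function from step 2 leaves to the reader: it hands any profile name straight to aws-vault, and with TEMP_PROFILE="yes" it leaves a fresh userdata and cache directory under /tmp for every session, each holding the console session cookies. The helpers below are an added example, not code from the original post or from aws-vault. The names aws_config_profiles, awschrome_check_profile and awschrome_cleanup are my own; the config path and the /tmp base directory are parameters so the functions can be exercised against a constructed config file and a scratch directory. The profile lister understands both the "[default]" and the "[profile name]" section headers of an AWS CLI config file.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names), not part of the original post.

# Print the profile names defined in an AWS CLI config file, one per line.
# Handles both "[default]" and "[profile name]" section headers.
aws_config_profiles() {
    config="${1:-$HOME/.aws/config}"
    [ -r "$config" ] || return 1
    sed -n \
        -e 's/^[[:space:]]*\[profile[[:space:]]\{1,\}\([^]]*\)\][[:space:]]*$/\1/p' \
        -e 's/^[[:space:]]*\[default\][[:space:]]*$/default/p' \
        "$config"
}

# Return 0 when the profile exists in the config, 1 otherwise. Running this
# before aws-vault login avoids creating a browser profile for a typo'd name.
awschrome_check_profile() {
    name="$1"
    config="${2:-$HOME/.aws/config}"
    [ -n "$name" ] || return 1
    aws_config_profiles "$config" | grep -qxF -- "$name"
}

# Remove the one-time Chrome userdata and cache directories that awschrome
# creates with mktemp when they are older than MAX_MINUTES (default 12 hours).
# They contain AWS console session cookies and should not linger in /tmp.
awschrome_cleanup() {
    base="${1:-/tmp}"
    max_minutes="${2:-720}"
    find "$base" -maxdepth 1 -type d \
        \( -name 'awschrome_userdata.*' -o -name 'awschrome_cache.*' \) \
        -mmin "+$max_minutes" -exec rm -rf {} +
}
```

A natural place for the check is the top of awschrome, right after the empty-argument test, and for the cleanup a shell startup file or a periodic job, so that expired console sessions are swept from /tmp instead of accumulating.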