
How-To: Access multiple AWS accounts at the same time using AWS-vault and google chrome

Danny Steenman, Principal Consultant
Publication date: 16 December 2021

If you find yourself managing more and more AWS accounts for clients, working in the AWS console frequently can become a challenge. By default, you use 'switch roles' to gain access to a different account.

The problem is that you can only access one account at a time (maybe two if you’re using an incognito browser window). The AWS Console browser session only remembers the last 5 roles that you’ve accessed, and you have to switch the role manually if you plan to work in another account. This gets annoying and slow when you start on the 6th account of the day and have to enter the details by hand again.

So what could solve this issue?

By using aws-vault in combination with a custom shell script, we’re able to open as many browser windows as we want, each with its own separate AWS Console session.

Before we can start, we need to have the following tools installed:

· AWS CLI version 2
· AWS Vault
· Antibody
· Google Chrome


1. INSTALL AWS CLI VERSION 2

AWS has a detailed document which explains how to install it for your specific OS: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html

Note: If you’re using macOS in combination with Homebrew, you can install it simply by running the command:

brew install awscli


2. CONFIGURE SSO

In our use case we manage roles using SSO. That means we need to set up the SSO profile in our AWS configuration.

Another detailed doc provided by AWS explains how to configure SSO in your CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

As an example, this is what it looks like in your ~/.aws/config file when you’ve set up SSO:

[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 123456789011
sso_role_name = AssumeRole
region = eu-west-1
output = json

The ~/.aws/config file eventually contains all the profiles you want to access using an assumed role (in this case the source_profile of each one points to my-sso-profile).

[profile customer1]
region = eu-west-1
role_arn = arn:aws:iam::012345678910:role/Cross-Account-RO
source_profile = my-sso-profile

[profile customer2]
region = eu-west-1
role_arn = arn:aws:iam::012345678912:role/Cross-Account-RO
source_profile = my-sso-profile

[profile customer3]
region = eu-west-1
role_arn = arn:aws:iam::012345678913:role/Cross-Account-RO
source_profile = my-sso-profile
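As the number of customer profiles grows, a typo in a source_profile is easy to miss until aws-vault fails. The following check is an added example (not from the original post, not an aws-vault feature) that walks every source_profile chain in a config file and reports profiles that do not end at a defined profile carrying an sso_start_url; the demo config it runs on is constructed sample data.

```shell
# Added example: verify that every profile using source_profile chains back to a
# defined SSO profile, the way customer1..3 chain back to my-sso-profile above.
# Prints one line per broken profile and returns the number of problems found.
aws_config_check() {
    awk '
        /^\[profile /                  { sub(/^\[profile /, ""); sub(/][ \t]*$/, ""); cur = $0; defined[cur] = 1; next }
        /^\[default][ \t]*$/           { cur = "default"; defined[cur] = 1; next }
        /^[ \t]*source_profile[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); src[cur] = $0; next }
        /^[ \t]*sso_start_url[ \t]*=/  { sso[cur] = 1 }
        END {
            bad = 0
            for (p in src) {
                q = p; hops = 0
                # follow the source_profile chain; the hop limit keeps a cycle from looping forever
                while ((q in src) && hops < 10) { q = src[q]; hops++ }
                if (!(q in defined))  { printf "%s -> missing profile %s\n", p, q; bad++ }
                else if (q in src)    { printf "%s -> source_profile cycle\n", p; bad++ }
                else if (!(q in sso)) { printf "%s -> chain ends at %s without sso_start_url\n", p, q; bad++ }
            }
            exit bad
        }' "$1"
}

# Run the check on a constructed config (sample data): customer1 is fine, customer2
# has a typo in its source_profile, customer3 chains to a profile that is not SSO.
aws_config_demo() {
    local f rc=0
    f=$(mktemp)
    cat > "$f" <<'EOF'
[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = eu-west-1
[profile customer1]
role_arn = arn:aws:iam::012345678910:role/Cross-Account-RO
source_profile = my-sso-profile
[profile customer2]
source_profile = my-sso-profle
[profile legacy]
region = eu-west-1
[profile customer3]
source_profile = legacy
EOF
    aws_config_check "$f" || rc=$?
    rm -f "$f"
    return "$rc"
}
```

Run `aws_config_check ~/.aws/config` on your real file; an exit status of 0 means every chain resolves.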


3. SETUP AND CONFIGURE AWS-VAULT

AWS Vault is a tool to securely store and access AWS credentials in a development environment.

We can install this simply with Homebrew again:

brew install --cask aws-vault

AWS-vault allows us to access the profiles we have stored in ~/.aws/config by using the command aws-vault list:

aws-vault list
Profile                 Credentials          Sessions
=======                 ===========          ========
my-sso-profile          -                    -
customer1               -                    -
customer2               -                    -
customer3               -                    -

It also allows us to execute any AWS CLI command against the chosen AWS profile, e.g.

aws-vault exec customer1 -- aws s3 ls
2021-01-07 15:15:15 cf-templates-je37cz8bcfe3-eu-west-1
2021-01-07 15:15:32 config-bucket-015746102065

Note: The first time you might see a pop-up from your macOS Keychain asking you to create a password. That’s because AWS-vault will try to create a keychain database to store your active sessions.

In the above example we use the customer1 profile to list the S3 buckets in that account. We can open different shells and change profiles on the go. We also want the ability to do that in the browser, by opening different AWS accounts in different browser windows. AWS-vault provides a command that does just that: "aws-vault login customer1". The downside is that it can only open one browser session at a time.


4. CREATE ZSH FUNCTION TO OPEN THE AWS CONSOLE IN CHROME WITH AWS-VAULT

Now that we’ve set up AWS-vault including the AWS profiles, we want an efficient way to open the AWS console and run multiple sessions at the same time. To do that, add the following function (source: the Cloudar blog, slightly modified) to your ~/.bashrc or ~/.zshrc file and reload your session:

function awschrome {
    # set to yes to create one-time use profiles in /tmp
    # anything else will create them in $HOME/.aws/awschrome
    TEMP_PROFILE="yes"

    # set to yes to always start in a new window
    NEW_WINDOW="no"

    aws_profile="$1"
    if [[ -z "$aws_profile" ]]; then
        echo "aws_profile is a required argument" >&2
        return 1
    fi

    # replace anything that is not a word character or - with __
    profile_dir_name=${aws_profile//[^a-zA-Z0-9_-]/__}
    user_data_dir="${HOME}/.aws/awschrome/${profile_dir_name}"
    new_window_arg=''

    if [[ "$TEMP_PROFILE" = "yes" ]]; then
        user_data_dir=$(mktemp -d /tmp/awschrome_userdata.XXXXXXXX)
    fi

    if [[ "$NEW_WINDOW" = "yes" ]]; then
        new_window_arg='--new-window'
    fi

    # ask aws-vault for the console sign-in URL instead of letting it open a browser
    url=$(aws-vault login "$aws_profile" --stdout)
    aws_status=$?

    if [[ ${aws_status} -ne 0 ]]; then
        # zsh will also capture stderr, so echo $url
        echo "${url}"
        return ${aws_status}
    fi

    mkdir -p "${user_data_dir}"
    disk_cache_dir=$(mktemp -d /tmp/awschrome_cache.XXXXXXXX)
    # a separate --user-data-dir gives this window its own cookie jar, so the
    # AWS console session is not shared with any other awschrome window
    # (new_window_arg is left unquoted on purpose so an empty value expands to nothing)
    /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
        --no-first-run \
        --user-data-dir="${user_data_dir}" \
        --disk-cache-dir="${disk_cache_dir}" \
        ${new_window_arg} \
        "${url}" \
      >/dev/null 2>&1 &
}


From this point on you can open a standalone Chrome browser window with the profile of your choice. Using the awschrome command you can start as many sessions as you want, each in an independent browser.

✦2 ❯ awschrome customer1
[2] 16157
~
✦ ❯ awschrome customer2
[3] 16239
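With TEMP_PROFILE set to yes, each awschrome call leaves an awschrome_userdata.* and awschrome_cache.* directory behind in /tmp, and the profile directory holds the cookies of a live console session. The helper below is an added example (not part of the original post or of aws-vault) that removes those directories once no running Chrome still references them; it assumes the mktemp name patterns used by the function above and that Chrome keeps its --user-data-dir and --disk-cache-dir flags visible in ps output.

```shell
# Added example: clean up throwaway Chrome profile and cache directories that
# awschrome created in /tmp and that no running Chrome process is using any more.

# Directories currently named on a running Chrome command line, one per line.
awschrome_dirs_in_use() {
    ps -eo args= 2>/dev/null \
        | grep -oE -- '--(user-data-dir|disk-cache-dir)=[^ ]+' \
        | cut -d= -f2 \
        | sort -u
}

# Delete stale awschrome_userdata.* and awschrome_cache.* directories under $1
# (default /tmp). $2 optionally supplies the in-use list (one path per line)
# instead of consulting ps. Prints the number of directories removed.
awschrome_cleanup() {
    local base="${1:-/tmp}" in_use="${2:-}" removed=0 d
    [ -n "$in_use" ] || in_use=$(awschrome_dirs_in_use)
    for d in "$base"/awschrome_userdata.* "$base"/awschrome_cache.*; do
        [ -d "$d" ] || continue      # unmatched glob stays literal; skip it
        if printf '%s\n' "$in_use" | grep -qxF -- "$d"; then
            continue                 # a running Chrome still owns this directory
        fi
        rm -rf -- "$d"
        removed=$((removed + 1))
    done
    echo "$removed"
}
```

Run `awschrome_cleanup` after closing the console windows; directories still referenced by a Chrome process are left alone.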


5. ADD AWS-VAULT AUTOCOMPLETE IN YOUR TERMINAL

To make discovering your AWS profiles easier, we install a plugin that lets you complete your AWS profile names in the terminal with a single tab.

We need to install antibody first:

brew install antibody

Then create a zsh plugin dotfile in your home folder:

touch ~/.zsh_plugins

Then add the following line to the file:

echo 'dannysteenman/aws-vault-zsh-plugin' > ~/.zsh_plugins

Then add the following configuration in your ~/.zshrc file:

# Load Antibody configurations
antibody bundle <~/.zsh_plugins

Reload your terminal and the plugin will be installed automatically. That’s it! Now you get autocomplete when you invoke either awschrome or aws-vault on your command line!
