Using aws-vault with multiple browser windows

14/05/2018 Ben Bridts

If you’re using AWS with a lot of accounts, you quickly notice that it’s not very user friendly to have to frequently switch between accounts in your browser. You will probably run into one or more of these limitations:

  • You can only be logged into one account at a time (leading to the use of multiple browsers and/or incognito windows).
  • The console only remembers the last 5 roles you used.
  • When using federated login, you need to sign out before you can switch between roles.

You can work around a few things by using bookmarks or a page with links, but that’s still not very user friendly.

Using the CLI is a lot easier. You define your configuration in .aws/config and you can use it every time by adding the --profile flag.

In this blog post I will describe a way to use your CLI config to log into different AWS accounts in parallel, allowing you to use the names you already know from CLI usage to access the console. This solution was inspired by this page of the aws-vault quick guide written by Fernando Miguel.

Prerequisites

This guide will assume:

  • You’re using OSX (it shouldn’t be very hard to convert the scripts to Windows or Linux though)
  • You’re using Google Chrome

1. Install and configure aws-vault

AWS Vault is a command line tool that does a few things. It allows you to store credentials in the keyring of your operating system and it has a few commands to easily use these credentials (e.g. by assuming a temporary session and exposing them as environment variables). We want to use it to log into the console with the configuration we already have for the AWS CLI.

The ReadMe has installation and usage instructions. By the end of it you should be able to run aws-vault exec my-profile aws sts get-caller-identity.

Having set up AWS Vault, it’s now possible to run aws-vault login my-profile to open the AWS console for the configured account. This solves having to bookmark / type the right settings every time we need to switch accounts, but the two other limitations are still valid.

2. Create a shell function to start Google Chrome profiles

Our next step will be to start a new Google Chrome browser window with a new profile (so it’s independent from already running sessions). This can be done by adding --user-data-dir to the arguments. To make this easy, we will do this with a shell function.

If you’re using Bash

Add the following code to your ~/.bashrc and run source ~/.bashrc.

If you’re using Fish

Add the following as ~/.config/fish/functions/awschrome.fish and restart your shell.

3. Usage

You should now be able to run awschrome my-profile to start a new browser window/session. You can run this with as many profiles as you want, and each one will start a new (independent) browser.
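
One way to write the function from step 2, as an added example rather than the original post's code: it asks aws-vault for the sign-in URL with --stdout and opens it in a Chrome instance that has its own --user-data-dir. The AWSCHROME_DIR, AWS_VAULT_BIN and CHROME_BIN overrides, the ~/.aws/awschrome location and the profile-name check are assumptions of this example.

```bash
# Added example, not the original post's function. AWSCHROME_DIR,
# AWS_VAULT_BIN and CHROME_BIN are overrides introduced here for illustration.

# The profile name becomes a directory name, so accept only simple names:
# no empty value, no leading dash, no path separators, no "." or "..".
awschrome_valid_profile() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*|.|..) return 1 ;;
    esac
    return 0
}

# The body runs in a subshell "( ... )" so umask and variables do not leak
# into the interactive shell.
awschrome() (
    profile="$1"
    awschrome_valid_profile "$profile" || {
        echo "awschrome: invalid profile name" >&2
        exit 2
    }

    vault="${AWS_VAULT_BIN:-aws-vault}"
    chrome="${CHROME_BIN:-/Applications/Google Chrome.app/Contents/MacOS/Google Chrome}"
    data_dir="${AWSCHROME_DIR:-$HOME/.aws/awschrome}/$profile"

    # --stdout makes aws-vault print the sign-in URL instead of opening it
    # in the default browser.
    url="$("$vault" login --stdout "$profile")" || exit 1
    case "$url" in
        https://*) ;;
        *) echo "awschrome: unexpected output from aws-vault login" >&2
           exit 1 ;;
    esac

    # The browser profile will hold console session cookies: keep it private.
    umask 077
    mkdir -p "$data_dir" || exit 1

    # The URL carries a short-lived sign-in token, so it is never echoed.
    "$chrome" --user-data-dir="$data_dir" --no-first-run --new-window "$url" \
        >/dev/null 2>&1 &
)
```

Each profile keeps its own directory under ~/.aws/awschrome, so deleting that directory signs the corresponding browser out and removes its stored session.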