Easy as SSO tooling with Granted AWS

No doubt about it, AWS SSO (or should I say IAM Identity Centre?) is a great addition to the overall access management and security in AWS. But, as you mature in the cloud with a touch of AWS Organizations and a dash of well-architected framework, you’ll soon have many AWS accounts, and managing all of those accounts kind of sucks.

I should mention that I really didn’t want to change tooling again. I was using a bunch of different tools to manage CLI and web access, and the thought of configuring a new tool (or tools) didn’t sound like a fun time, but I was also very much over the default tools from AWS.

What’s the problem?

OK, let’s set the scene using the example above: you have multiple AWS accounts in the same organization. Let’s say you have development, non-production and production accounts, each one being a separate AWS account.

Web Console

Using a browser (choose your poison), jump over to your AWS SSO start URL and select the account and role to access the management console. This should launch a new tab or window with the management console for that account. Now do it again for another account…the previous session is no longer valid. Let’s say you wanted to compare development to production in the management console (pretty common); you can’t easily do that without resorting to incognito / private windows.

Local CLI

This one is less of an issue, as you can use the aws CLI to start sessions using your organization’s SSO just fine. It can just get out of control quickly when you have many accounts: you have to review your config or just remember the names of your profiles.

Previous workarounds

Before SSO there were (are) a few brilliant projects out there that really helped out:

AWS Extend Switch Roles Chrome browser extension

This is a neat tool that would label your browser session with a different colour and name, which made it obvious which account you were in. I really enjoyed this part of the extension, as well as being able to switch accounts easily. It didn’t support AWS SSO some time ago, but there is mention of it now.

AWS Extend Switch Roles Screen Shot

YAWSSO cli tool

A handy little tool to sync up your SSO session tokens with the old style AWS CLI tokens to make it work with other tools like AWS CDK.

You start to get the idea; this is just a couple of examples, and I didn’t mention any of the vault or Azure login tools which come to mind. The state of account access and management is spread across many different projects and is a delicate ecosystem.

If I were to summarize what a solution might look like:

  • Handle multiple concurrent sessions in the web based management console
  • Easily identify which account and role you’re using
  • A better way to manage CLI access for multiple accounts without having to remember all of the details
  • Ideally one tool to manage the lot without workarounds for syncing etc

Like most problems, I started with the typical search for AWS SSO CLI and console related tools to help out. One of the write-ups that stood out for me was from Corey Quinn - taking aws logins for granted (fun fact: the title of this article was almost identical without me even noticing, you win this round Corey). The article really hit home the problems I was having and suggested the use of Granted (github link) (Granted.dev has some nice info).

Now for me, Granted really solved all of the shortcomings in the AWS CLI and web management console particularly around multiple accounts but also added a few nice features I didn’t know I needed until now…

Granted AWS Logins

When I think about Granted it does everything that I wanted and more, it’s super easy to install, super easy to configure and super easy to use. I’m not going to go into much detail on the install and configuration, the Granted docs are excellent and say it better than I can.

I’m going to assume you already have the aws CLI configured; I won’t really be talking about creating configs in detail.

Installation on macOS is a simple brew tap and install; this will add the developer repo and install the Granted tools. Once it’s installed you’ll need to run through the configuration.

Before you begin I strongly recommend installing Firefox as your browser, as Firefox containers are better than Chrome’s incognito mode. Do yourself a favour and install Firefox.

Once you’ve installed Granted the configuration is pretty simple; you’ll notice a program called granted which can be run from the terminal. When you run this the first time, a CLI wizard will guide you through the steps to auto-configure your granted setup using your existing aws configs and add the extension to your browser.

This typically takes less than a minute.

Configuration done.

To use granted you will use the assume command from the terminal; the assume command will provide a list of profiles that you can choose to assume. If you don’t have a valid token already it will run you through the login steps (similar to AWS SSO); if you do have a valid session it will refresh your token.

Here is a screenshot from the granted docs showing what happens when you run assume. Notice the dropdown-like menu; this is ordered by frequency (configurable):

A screenshot of Granted showing a selection menu for AWS profiles

If you want to start an AWS web management console session you just add a parameter: assume -c. The screenshot from the granted docs below shows what Granted looks like in the browser:

A screenshot of the AWS Console on Firefox with two tabs: the first tab is blue and is the ‘role-a’ profile, and the second tab is orange and is the ‘role-b’ profile

Notice the different colour lines in the tabs, one blue and one orange, and notice role-b in orange with an icon. This helps you to identify which session you are in, but also allows concurrent sessions, each running in its own Firefox container.
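The assume menu is built from the same SSO profiles the aws CLI reads from ~/.aws/config, and the coloured tabs exist because it is easy to act in the wrong account. As an added example (not code from the post or from the Granted project), the script below parses a constructed config for the dev / non-prod / prod scenario above and checks the output of aws sts get-caller-identity against the profile you meant to assume; the start URL, account ids and role names are placeholders.

```python
import configparser
import json

# Constructed ~/.aws/config for the three-account scenario in the post.
# Start URL, account ids and permission-set names are placeholders.
SAMPLE_AWS_CONFIG = """
[profile dev]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 111111111111
sso_role_name = DeveloperAccess

[profile nonprod]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 222222222222
sso_role_name = DeveloperAccess

[profile prod]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 333333333333
sso_role_name = ReadOnlyAccess
"""


def sso_profiles(config_text):
    """Return {profile: (account_id, role_name)} for each SSO profile,
    i.e. the entries an `assume` picker has to choose from."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    found = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        if parser.has_option(section, "sso_account_id") and parser.has_option(section, "sso_role_name"):
            found[name] = (parser.get(section, "sso_account_id"), parser.get(section, "sso_role_name"))
    return found


def identity_matches(profile, caller_identity_json, config_text=SAMPLE_AWS_CONFIG):
    """Compare `aws sts get-caller-identity` JSON with the chosen profile.
    SSO sessions carry an Arn of the form
    arn:aws:sts::<account>:assumed-role/AWSReservedSSO_<role>_<hash>/<user>,
    so both the account id and the permission-set name can be verified."""
    account_id, role_name = sso_profiles(config_text)[profile]
    identity = json.loads(caller_identity_json)
    role_part = identity["Arn"].split(":assumed-role/")[-1].split("/")[0]
    return identity["Account"] == account_id and role_part.startswith("AWSReservedSSO_" + role_name + "_")
```

Run identity_matches after assume and before any change to production; a False result means the session in your shell is not the one you selected.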

You wanted more?

Like I said, Granted does much more and most of the options are configurable to some extent:

And the list goes on…

Final thoughts

Stop what you’re doing and set up Granted, not tomorrow, not next week, just do it now. I promise it is as simple as it sounds and you’ll be wishing you had done it sooner. Everything just works, it greatly improves your workflow, and it makes it easier to work with others using it too. Be sure to check the Granted docs if you want specifics on what was discussed today. Shout out to Corey from Last Week In AWS for the initial write-up which got me headed in the right direction.

Do you have an alternative that works for you? Maybe better than Granted? Please share, I’d love to hear from others about what works for them.

Credits: Article photo by Studio Blackthorns on Unsplash
