aws-toolkit-vscode
Use Account Names on AWS IAM Identity Center Session Alongside ID
Problem
The AWS IAM Identity Center integration doesn't show account names for the sessions to select, only the account ID and permissions set.
Expected behavior
Both the session select screen and the current session tooltip on the bottom of VSCode should show the account name and ID, just as the Identity Center start page does, to ensure users know exactly which named account they are logged into.
> show the account name and ID, just as the Identity Center start page does
Can you clarify exactly what's meant by "account name and ID"? On the IdC page I see these fields:
- Instance name
- Instance ID
- Organization ID
Just came here to make the same request. Assuming you're using `aws sso list-accounts` and `aws sso list-account-roles` under the hood, let's say I get something back from `list-accounts` like:
```json
{
  "accountList": [
    {
      "accountId": "111122223333",
      "accountName": "My Company Dev",
      "emailAddress": "[email protected]"
    },
    {
      "accountId": "444455556666",
      "accountName": "My Company Prod",
      "emailAddress": "[email protected]"
    }
  ]
}
```
and from `list-account-roles` (one call for each account):
```json
{
  "roleList": [
    {
      "roleName": "Administrator",
      "accountId": "111122223333"
    },
    {
      "roleName": "Developer",
      "accountId": "111122223333"
    }
  ]
}
```

```json
{
  "roleList": [
    {
      "roleName": "ReadOnly",
      "accountId": "444455556666"
    }
  ]
}
```
Then, I would expect the list of available credentials to read something like:
- My Company Dev - Administrator (111122223333)
- My Company Dev - Developer (111122223333)
- My Company Prod - ReadOnly (444455556666)
That would be templated as `.accountName - .roleName (.accountId)` for each account/role combination, with a fallback to `.accountId - .roleName` if `.accountName` wasn't provided.
Does that track with what you're looking for @imaginaryCorn?
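The labelling scheme proposed in the comment above, written out as an added TypeScript example (not code from the toolkit or from any commenter). The function name `credentialLabels`, the two interfaces, and the third, unnamed account `777788889999` are assumptions made up to exercise the fallback.

```typescript
// Shapes mirror the `list-accounts` / `list-account-roles` output quoted in the thread.
interface AccountInfo { accountId: string; accountName?: string; emailAddress?: string }
interface RoleInfo { roleName: string; accountId: string }

// Hypothetical helper: one picker label per account/role combination.
function credentialLabels(accounts: AccountInfo[], roles: RoleInfo[]): string[] {
    // Index account names by ID; blank or missing names are treated as absent.
    const names = new Map<string, string>()
    for (const a of accounts) {
        const name = a.accountName ? a.accountName.trim() : ''
        if (name) {
            names.set(a.accountId, name)
        }
    }
    return roles.map(r => {
        const name = names.get(r.accountId)
        // The account ID always stays in the label, so two accounts that
        // share a display name can still be told apart before selecting one.
        return name
            ? `${name} - ${r.roleName} (${r.accountId})`
            : `${r.accountId} - ${r.roleName}`
    })
}

// Constructed sample input: the thread's two accounts plus one with no name.
const sampleAccounts: AccountInfo[] = [
    { accountId: '111122223333', accountName: 'My Company Dev' },
    { accountId: '444455556666', accountName: 'My Company Prod' },
    { accountId: '777788889999' },
]
const sampleRoles: RoleInfo[] = [
    { roleName: 'Administrator', accountId: '111122223333' },
    { roleName: 'Developer', accountId: '111122223333' },
    { roleName: 'ReadOnly', accountId: '444455556666' },
    { roleName: 'ReadOnly', accountId: '777788889999' },
]

console.log(credentialLabels(sampleAccounts, sampleRoles).join('\n'))
```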
+1 for this -- account IDs in the AWS Toolkit are just data noise. We need the account names for the UI to make sense -- or the local profile names from `.aws/config` would be even better.
Edit: Also needed for IntelliJ too -- I use both. 😉
I'm not sure how feasible it is, but I would love to see local profiles and authorizations from SSO deduplicated as well. I have profiles configured for CLI access to most, if not all, of the accounts I use from my company's SSO login and it's a lot of noise seeing every account twice. That may be a heavier lift since I'm not sure you have all the info available to dedupe. If you do, I'd prefer to see the locally defined profile and hide that same account/role combination from the SSO list.
Maybe an option to disable showing the SSO accounts and only show local profiles would solve that? Then I could easily manage what is and isn't visible and cut down on noise.
> I have profiles configured for CLI access to most, if not all, of the accounts I use from my company's SSO login and it's a lot of noise seeing every account twice.
I 100% agree with this -- I have all accounts twice. More noise! 😊