aws-sso-cli

specify AWS service to open with console command

Open synfinatic opened this issue 3 years ago • 1 comments

Be able to say aws-sso console s3 or aws-sso console ec2 or whatever might be pretty cool?

synfinatic avatar Jun 23 '22 22:06 synfinatic

For this to work, need to build a map of friendly names "IAM" to console service names "iamv2".

synfinatic avatar Jul 28 '23 18:07 synfinatic

Less maintenance with a generic --path which would literally just be appended, e.g. /ec2 or /inspector/v2

seldon007 avatar Jun 26 '25 08:06 seldon007

I know this is an old issue @synfinatic but this would be really helpful to have. Many times there are accounts that are used mainly for one service, like Athena or S3 or Route53 or ECR. It would be cool to be able to define the URL to drop into. AWS permission sets in IAM Identity Center have this, and that allows specifying the whole URL in a setting called Relay State, for example https://eu-central-1.console.aws.amazon.com/athena/home?region=eu-central-1#/query-editor. The AWS built-in only works for the SSO portal afaik and is then also the same for all the SSO Roles created in all accounts.

For low maintenance I concur with @seldon007 that it would be better to allow users to define their own paths, including subpaths, to go directly to exactly where they go most often. One security restriction should be that the RelayState should only support the domain and subdomains of console.aws.amazon.com, like:

Valid:

  1. https://eu-central-1.console.aws.amazon.com/athena/home?region=eu-central-1#/query-editor
  2. https://console.aws.amazon.com/route53/v2/hostedzones

Invalid:

  1. https://google.com
  2. https://facebook.com

I imagine the flow being like

~/.aws-sso/config.yaml

DefaultRegion: eu-central-1

SSOConfig:
  Default:
    Accounts:
      # Route53 account
      111111111111:
        Name: domains
        RelayState: https://console.aws.amazon.com/route53/v2/hostedzones
        Roles:
          Admin: {}

$ export AWS_PROFILE=domains:Admin
$ aws-sso console

Should do the auth flow and then open up https://console.aws.amazon.com/route53/v2/hostedzones

Maybe as an extra feature, aws-sso-cli could also find the relay_state defined in the permission set by the admins and use that as fallback if not defined in the config by the user? If both are not defined then do the usual it does right now to open the main console. But that's not extra and not necessary to have.

Moulick avatar Aug 16 '25 13:08 Moulick
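
The RelayState restriction proposed in the comment above, sketched in Go as an added example (not aws-sso-cli code and not written by any participant in this issue). `ValidateRelayState` is a hypothetical helper; the https-only, no-userinfo and default-port checks are assumptions beyond the host rule, and the third sample URL in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// consoleDomain is the only domain (plus subdomains) a RelayState may target.
const consoleDomain = "console.aws.amazon.com"

// ValidateRelayState (hypothetical helper) returns the parsed URL when raw is
// an https URL whose host is consoleDomain or one of its subdomains.
func ValidateRelayState(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parse RelayState: %w", err)
	}
	if u.Scheme != "https" {
		return nil, errors.New("RelayState must be an absolute https URL")
	}
	if u.User != nil {
		// Text before '@' is userinfo, not the host the browser connects to.
		return nil, errors.New("RelayState must not contain userinfo")
	}
	if p := u.Port(); p != "" && p != "443" {
		return nil, errors.New("RelayState must not use a custom port")
	}
	// Hostname() drops the port; normalise case and a trailing root dot.
	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
	// Compare on a label boundary: a bare suffix match on consoleDomain
	// would also accept "notconsole.aws.amazon.com".
	if host != consoleDomain && !strings.HasSuffix(host, "."+consoleDomain) {
		return nil, fmt.Errorf("RelayState host %q is outside %s", host, consoleDomain)
	}
	return u, nil
}

func main() {
	for _, s := range []string{
		"https://console.aws.amazon.com/route53/v2/hostedzones",
		"https://google.com",
		"https://console.aws.amazon.com.example.com/", // constructed sample
	} {
		_, err := ValidateRelayState(s)
		fmt.Printf("%-55s err=%v\n", s, err)
	}
}
```

Validating the parsed hostname rather than the raw string is what keeps look-alike hosts and userinfo tricks from passing a plain substring or prefix comparison.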

ack.

synfinatic avatar Aug 18 '25 22:08 synfinatic