awscli-login
Include account alias in list of roles
In many cases, our IDs will have access to multiple AWS accounts. It would be very useful to have the account alias displayed in addition to the account number on the list of roles.
We found that the account alias did not appear consistently from account to account, but this is perhaps a function of our institution acquiring our AWS access through a third-party. We've done a little digging into this but haven't followed it through. It is something we would like as well if it is possible to get account aliases consistently.
We'll probably look at this again. Thanks for reminding us!
The relevant Amazon account IDs and roles are returned by the IdP to the plugin via a SAML Response. Unfortunately, the IdP does not return each account ID's alias.
The only way I know of looking up the account alias is to perform an API call using AWS credentials. This can be done with the following command for example:
$ aws iam list-account-aliases
Unfortunately, this requires IAM permissions, therefore we can not automate the process because we can not guarantee that any set of credentials has the necessary permissions. Nor would I feel comfortable having the plugin automatically checking out multiple user credentials and running an API call on their behalf before the user has even had the chance to select a role.
I think there are two possible solutions:
- Create a map, stored in a file, that the user can manually, or semi-automatically, maintain that contains a list of IDs and their corresponding aliases. The tool could look at the map and substitute a string if it exists. This would not be hard to implement. @cslawrence-uiowa Does this meet your use case?
- A second option, that I can think of, is to have an additional mapping defined in the SAML Response that lists both the account IDs and their relevant aliases. This would require extra work on the part of your IdP operator. We would have to agree on a standard format as this would be outside the scope of the Amazon standard. I am not an expert in SAML so I'm not sure if this would work or if it would break things with Amazon. @kwessel Do you think this approach could work? @cslawrence-uiowa do you think your IdP operator would be willing to do the extra work necessary to implement this? If so I think this would be the cleanest way to handle the problem.
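One way option 1 could look, as an added example written for this thread rather than code from the awscli-login project; the alias file path, the account IDs and the alias values are made up, and the SAML Role attribute values are constructed to match the role-ARN/provider-ARN form AWS expects:

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Role ARN form carried in the SAML "Role" attribute (12-digit account ID, role name).
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")

# Constructed stand-in for the SAML Role attribute values; each value is a
# "role ARN,provider ARN" pair (AWS accepts either order). Account IDs are made up.
SAML_ROLE_ATTRS = [
    "arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/Campus",
    "arn:aws:iam::222222222222:saml-provider/Campus,arn:aws:iam::222222222222:role/ReadOnly",
]

# Constructed contents of the user-maintained alias file (hypothetical path
# ~/.aws-login/aliases.json): account ID -> alias.
ALIAS_FILE_CONTENTS = '{"111111111111": "research-prod"}'


def load_alias_map(text: str) -> Dict[str, str]:
    """Parse the alias file, keeping only 12-digit keys with string values."""
    raw = json.loads(text)
    return {k: v for k, v in raw.items()
            if re.fullmatch(r"\d{12}", k) and isinstance(v, str)}


def parse_role(attr: str) -> Optional[Tuple[str, str, str]]:
    """Return (account_id, role_name, role_arn) from one Role attribute value."""
    for part in attr.split(","):
        m = ROLE_ARN_RE.match(part.strip())
        if m:
            return m.group(1), m.group(2), part.strip()
    return None  # neither half is a role ARN: malformed entry


def describe_roles(attrs: List[str], aliases: Dict[str, str]) -> List[str]:
    """Build display lines; an alias is shown beside the ID, never instead of it."""
    lines = []
    for attr in attrs:
        parsed = parse_role(attr)
        if parsed is None:
            continue  # skip malformed entries rather than guessing
        account_id, role_name, _ = parsed
        alias = aliases.get(account_id)
        label = f"{account_id} ({alias})" if alias else account_id
        lines.append(f"{label}: {role_name}")
    return lines


if __name__ == "__main__":
    for line in describe_roles(SAML_ROLE_ATTRS, load_alias_map(ALIAS_FILE_CONTENTS)):
        print(line)
```

Accounts absent from the file fall back to the bare ID, so a stale or partial map degrades to today's behaviour rather than hiding a role.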
@ddriddle, I agree that this would be really nice to have if it were easy to produce, but it could easily become a big can of worms for large institutions such as illinois.edu, which probably has or will soon have hundreds of subaccounts. And only our Überadministrator would have sufficient privileges to collect the data. We should probably dig to see if he can collect this data using a process that's not insecure before we figure out what to do with it!
For whatever little it's worth, I'd like to see both the account number and alias, but I guess that might be premature.
@ddriddle I think the plan you present in option 1 is probably best, given that it would work basically out of the box. It would certainly meet my use case, and if it stores it in a file, like you're proposing, then we could export it, etc.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.
@edthedev any interest in reviving this? I might be able to find some time to push it over the hill if
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.
I would certainly like a status report on this, and I still think that usability would be improved by not having to memorize AWS account numbers.