aws-extend-switch-roles
Add Support for AWS Multi-Session in aws-extend-switch-roles
AWS has introduced Multi-Session support for the console, allowing users to open multiple sessions with different roles in the same browser.
Documentation: AWS Multi-Session Support
It would be great if the aws-extend-switch-roles tool could support this new feature, enabling seamless integration with the AWS console.
Goal:
Enhance aws-extend-switch-roles to support Multi-Session functionality, allowing users to efficiently manage multiple AWS roles simultaneously.
Benefits:
- Improved user experience by seamlessly managing multiple roles.
- Increased productivity by reducing role-switching delays.
- Full utilization of AWS’s new Multi-Session feature.
+1 please :)
++ please
+++ please
++++ please
I'm encountering an issue with the multi-session feature in the AWS Management Console.
The following image shows the menu after I've already switched from my initial login account to another profile (account/role) with multi-session enabled.
From this state, clicking the "New role" link (circled in red in the image) to switch to yet another role doesn't seem to work. Is anyone else experiencing this?
@tilfin Just tried: it opened a new tab on the Switch Role page.
From this page, I tried to assume a role on another account
The selected session doesn't have permission to switch to that role
Since the page is opened with one of the “final” accounts using an assumed role, and not with the root account that has permissions to assume the “final” role, access is restricted.
@QuentinBtd Thanks!
It seems the root cause of this problem is that the AWS Management Console's multi-session feature now supports role chaining, which was not the case previously. This is not a problem, it's a specification change.
unsure what else would need to be altered but this regex would need to change https://github.com/tilfinltd/aws-extend-switch-roles/blob/main/src/js/popup.js#L201
const mdsd = aURL.host.match(/^(([a-z]{2}-[a-z]+-[1-9]).)?console.aws/);
something like
((\d+-\w+)\.){0,1}(([a-z]{2}\-[a-z]+\-[1-9])\.)?console\.aws
group2 is the 'new multi session' key
group4 is the region
looking at https://developer.chrome.com/docs/extensions/develop/concepts/match-patterns
I'm unsure if the manifest.json match needs to be uplifted if it can't glob sub sub domains.
i.e.
"matches": [
"https://*.console.aws.amazon.com/*",
...
to
"matches": [
${repeat for all regions}
"https://*.${region}.console.aws.amazon.com/*",
...
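The hostname parsing discussed in the comment above, as an added example that is not the extension's code: it compares the pattern quoted from popup.js with a stricter variant of the proposed one (literal dots, anchored at both ends). The function name, the sample hostnames and the `.amazon.com` suffix (taken from the manifest match pattern) are assumptions.

```javascript
// Added example, not the extension's code. Hostnames are constructed samples.
// Pattern as quoted from popup.js in the comment above (dots unescaped, no end anchor).
const QUOTED_RE = /^(([a-z]{2}-[a-z]+-[1-9]).)?console.aws/;

// Stricter variant of the proposed pattern: literal dots, anchored at both ends.
// Group 1 = multi-session key, group 2 = region. The ".amazon.com" suffix is an
// assumption taken from the manifest match pattern shown above.
const STRICT_RE =
  /^(?:(\d+-\w+)\.)?(?:([a-z]{2}-[a-z]+-[1-9])\.)?console\.aws\.amazon\.com$/;

// Returns { sessionKey, region } for a console URL, or null for any other host.
function parseConsoleHost(urlString) {
  let host;
  try {
    host = new URL(urlString).hostname;
  } catch {
    return null; // not a parseable URL
  }
  const m = STRICT_RE.exec(host);
  if (!m) return null;
  return { sessionKey: m[1] ?? null, region: m[2] ?? null };
}

const SAMPLES = [
  'https://console.aws.amazon.com/',
  'https://us-east-1.console.aws.amazon.com/ec2/home',
  'https://123456789012-abcd1234.ap-northeast-1.console.aws.amazon.com/console/home',
  'https://us-east-1xconsole.aws.amazon.com/',   // accepted by QUOTED_RE only
  'https://console.aws.amazon.com.example.net/', // accepted by QUOTED_RE only
];
for (const url of SAMPLES) {
  const quoted = QUOTED_RE.test(new URL(url).hostname);
  console.log(url, '| quoted:', quoted, '| strict:', JSON.stringify(parseConsoleHost(url)));
}
```
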
+1 please
From: chrome-extension://jpmkfafbacpgapdghgdpembnojdlgkdl/updated.html
AWS Extend Switch Roles - Update Notice
Multi-Session Support
Support for the new AWS Management Console "Multi-Session" feature, enabling simultaneous sign-in to multiple AWS accounts in different browser tabs. The AWS Management Console now supports simultaneous sign-in for multiple AWS accounts - AWS
- Maintain up to 5 different AWS account sessions in separate browser tabs
- Each tab's session is managed independently, allowing for more flexible operations
- Role chaining capability is now available. However, switch role targets are limited to the user context of the currently active browser tab.
- Keep your organization's main account tab open, and switch to the target roles to work from it as needed.
'Automatic tab grouping for multi-session' setting (Experimental, Supporters only)
This feature automatically organizes tabs from the same AWS Management Console multi-session into tab groups. When a tab group is removed, the corresponding session will be automatically signed out.
- Improves visibility by grouping tabs by profile name
- Tab group color is automatically selected from 9 fixed colors closest to the profile-defined color
- Supported only in Chrome and Edge versions that support tab groups
- We recommend using Delete group instead of Close Group as both actions will trigger session sign-out.
To open a new tab in the same group:
- Windows: Hold down the Control key while clicking a link
- macOS: Hold down the Command key while clicking a link
6.0.0 New version!
- Add support for multi-session on the AWS Management Console
- Add support for multi-level source profile references to enable role chaining
- Add experimental feature: Automatic tab grouping for multi-session for supporters
@duttonw Thanks!
The review has been completed and published on platforms other than Edge.
Thank you!
Role chaining capability is now available. However, switch role targets are limited to the user context of the currently active browser tab.
I'm curious (I'm not a dev): do you know if it could be possible to execute the "assume role" action from the tab with the allowed context to assume role without the user displaying this tab?
I've found an issue with multi-session.
After logging in to a new session, I don't have anything in the AWS Extend Roles Extension Account List.
Browser is Chrome Version 132.0.6834.83 (Official Build) (arm64)
I have to refresh to get my list to show up.
I am hitting the error related to role chaining.
Switch failed: this session doesn't have permission to switch to target profile.
I understand how to avoid it, yet the workaround is less ergonomic than I would hope. This leads me to suspect I should configure aws-extend-switch-roles differently.
We have:
- a single login account
- 3x accounts for each environment: prod, stage, qa
We can assume-role into each environment account from the login account, but cannot (and have no reason to) assume-role from one env account to another.
Suppose I want to view our QA account, the workflow is:
- Open a new tab with AWS console. It is showing the PROD account.
- Click AWS Extend Switch Roles, click QA account.
- See the error.
Am I thinking about this wrong? I understand it's attempting to role-chain, but is there a configuration to prevent this? So that, when I click the QA account, I'm taken to the QA account? It needs to assume-role from login to QA, not from PROD to QA.
I know I can take extra steps to switch to a new session, switch that session into our login account, then switch from there to QA. If those steps are always necessary, then that's a bummer. Is there a better way?
@cspotcode, In the change notes it says:
Keep your organization's main account tab open, and switch to the target roles to work from it as needed.
Which works fine for me. I just pin the first tab from our login/identity account and use that throughout the day to launch tabs for other accounts. I agree this is different and a bit more cumbersome than previously, but if I understand AWS's implementation of multi-session correctly, this is the best this plugin can do for now.
also, once you have opened a 'session', you can open a new tab to that session on the normal aws user drop down menu. If you go back to 'standard' legacy console, it will give you a screen to choose which 'session' you wish to open instead.
After writing this comment https://github.com/tilfinltd/aws-extend-switch-roles/issues/358#issuecomment-2611147553
I now understand what is happening. AWS Extend Roles works ok on the main session where I logged in originally but not on any of the sub-account sessions. Hope that makes it clearer.
@cspotcode, In the change notes it says:
Keep your organization's main account tab open, and switch to the target roles to work from it as needed.
Which works fine for me. I just pin the first tab from our login/identity account and use that throughout the day to launch tabs for other accounts. I agree this is different and a bit more cumbersome than previously, but if I understand AWS's implementation of multi-session correctly, this is the best this plugin can do for now.
I've just chipped $10usd one off as a 'supporter' which gives some extra features for 12 months.
- Automatic tab grouping for multi-Session (Experimental, Supporters only)
- Sign-in endpoint in current region (Experimental, Supporters only)
You can do auto grouping yourself but it is lots of clicks (right click new/add to group, etc.) vs automatic.
What about an option to open the new session tab next to the active tab? I'm using tab groups and it's a pain because the new tab is open out of the group.
@cspotcode, In the change notes it says ...
Thanks for pointing this out. It took me a bit of time to build muscle memory for the new workflow, but I'm ok with it now.
Is there any way to configure the extension to support more than 5 different AWS account sessions in separate browser tabs? I have several different accounts that I need to navigate between and would love to be able to see 8 or even 10 in the list.
@benze I don't think that's possible. It's a limitation from AWS. 😔
@QuentinBtd My issue is not to have more than 5 logged in at a time, but at least to be able to configure > 5 and have them available from a drop down. Right now, even if I have > 5 configured in the extension, I only see the last 5 used, so if I want to login as account #8, I have to recreate the session definition by hand.
I don't know if there would be a way to support being able to see more than 5 selectable (but still only limited 5 concurrent sessions as per AWS).
@jgard That's just it - do you have the AWS Multi-Session enabled? B/c when I do enable it, I get the following in the plugin view:
yet 5 of those roles (and matching colors) appear in my Multi-Session view:
@jgard ,
Multi Session requires you to swap to the 'master|central' account prior to being able to role swap again since the new 'system' allows role chaining which is a nice addition and gives much more control than it used to. Downside now is that switching from a child account that has no role swapping capabilities is now denied.
i.e.
[master]
aws_account_alias = master
aws_account_id = 999999999999
[admin child-account-1]
role_arn = arn:aws:iam::111111111111:role/Admin
source_profile = master
color = ff00d0
[admin child-account-2]
role_arn = arn:aws:iam::111111111112:role/Admin
source_profile = master
color = ff00d0
With the current setup, if I change into child-account-1, then look at the 'switch roles' plugin, I will see an empty list, but when I change back to the 'master' tab, it will show both child-account-1 and child-account-2.
If you remove the source_profile from your configuration, you will see all, but then it will 'try' to swap in account-1 and be given an access denied error.
Hope that makes sense.
Multi Session requires you to swap to the 'master|central' account prior to being able to role swap again since the new 'system' allows role chaining which is a nice addition and gives much more control than it used to. Downside now is that switching from a child account that has no role swapping capabilities is now denied.
It would be nice if we could configure the plugin to understand that, whenever I choose child-account-1, I want to first go to master and from there to child-account-1.
Then, if I am currently in child-account-2 and I click child-account-1, the plugin understands to do the right thing: go to master and then to child-account-1. This matches my intent, which is to switch correctly into child-account-1, not to chain from child-account-2 into child-account-1. Because I have set up my configuration to say that the latter is not possible and not desirable.
@cspotcode , I think that would be nice, but would also need other changes to show 'all' profiles available on ALL 'known' sessions which are active.
The code around https://github.com/tilfinltd/aws-extend-switch-roles/blob/main/src/js/content.js#L127C29-L127C40 could be altered to use the profile from the 'known' sessions which matches the source_profile for doing the switch instead of just the 'active tab' session url.
This may also get into issues if you 'sign-out' of a single session and the plugin is not notified.
Do you think this is possible @tilfin?
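The `source_profile` behaviour discussed in the comments above, as an added example that is not the extension's code: it resolves each profile's chain, lists which targets a given session can switch to, and reports which session must be active to reach a target. The function names and the simplified INI parsing are assumptions; the configuration is the thread's sample, trimmed.

```javascript
// Added example, not the extension's code. CONFIG is the thread's sample, trimmed.
const CONFIG = `
[master]
aws_account_id = 999999999999
[admin child-account-1]
role_arn = arn:aws:iam::111111111111:role/Admin
source_profile = master
[admin child-account-2]
role_arn = arn:aws:iam::111111111112:role/Admin
source_profile = master
`;

// Simplified INI reader (assumption): section name -> { key: value }.
function parseProfiles(text) {
  const profiles = new Map();
  let current = null;
  for (const line of text.split('\n').map((l) => l.trim())) {
    const section = line.match(/^\[(.+)\]$/);
    const kv = line.match(/^([^=\s]+)\s*=\s*(.*)$/);
    if (section) profiles.set(section[1].trim(), (current = {}));
    else if (kv && current) current[kv[1]] = kv[2];
  }
  return profiles;
}

// Follow source_profile links from target back to its base; base comes first.
function chainTo(profiles, target) {
  const chain = [];
  for (let name = target; name !== undefined; name = profiles.get(name).source_profile) {
    if (!profiles.has(name)) throw new Error(`unknown profile: ${name}`);
    if (chain.includes(name)) throw new Error(`source_profile cycle at: ${name}`);
    chain.unshift(name);
  }
  return chain;
}

// Profiles reachable from the session in `current`: those that name it as source.
function targetsFrom(profiles, current) {
  return [...profiles].filter(([, p]) => p.source_profile === current).map(([n]) => n);
}

// Which session must be active to reach `target`, and whether `current` is it.
function switchPlan(profiles, current, target) {
  const chain = chainTo(profiles, target);
  const from = chain.length > 1 ? chain[chain.length - 2] : null;
  return { chain, from, direct: from === current };
}

const profiles = parseProfiles(CONFIG);
console.log(targetsFrom(profiles, 'master'));
console.log(switchPlan(profiles, 'admin child-account-2', 'admin child-account-1'));
```
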
The review has been completed and published on platforms other than Edge.
Hi @tilfin - do you have any update or ETA for when this will also be updated for Edge?
Cheers
Just a note: Edge can install extensions from the Chrome Web store as well