Launch the AWS Console from the CLI or a mobile phone

At ${DAYJOB} I happen to manipulate quite a few AWS accounts for different customers, and I find it really annoying to log out of one web console and log into a new one with the right credentials, account IDs and MFA.

Here you can read a good blog post on how to enable cross account access for third parties and use a basic script to open a web browser to switch from one account to the other.
I liked this idea so I pushed it a bit further and wrote this small piece of code which allows you not only to switch accounts, but also to simply open any AWS account from the command line.

Tips to remember:

  • The cross account creation process is easier than it seems
    • Create a dedicated cross account access role on the target
    • Take note of the created role ARN
    • On the source, allow the user to access the created role ARN
  • There’s nothing mysterious about the ExternalId: it’s really just a password, read from the URL the client passes; echo $((${RANDOM} * 256)) will do.
  • You can assumeRole to your own local account by simply creating a cross account role with the local account id
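The two policy documents behind the steps above, as an added example that is not part of the original post or of kriskross: the trust policy for the role on the target and the user policy on the source, plus a small check that a trust policy still carries its ExternalId and MFA conditions. The account IDs, role name and function names are constructed placeholders, and the ExternalId is drawn from Python's `secrets` module because `$RANDOM` yields only 32768 distinct values.

```python
import re
import secrets

ACCOUNT_ID = re.compile(r"^\d{12}$")

def new_external_id(nbytes=16):
    # 128 random bits as hex; hex stays within the characters STS accepts
    return secrets.token_hex(nbytes)

def target_trust_policy(source_account_id, external_id, require_mfa=True):
    """Trust policy of the dedicated role created on the target account."""
    if not ACCOUNT_ID.match(source_account_id):
        raise ValueError("account id must be 12 digits")
    condition = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": condition,
    }]}

def source_user_policy(role_arn):
    """Policy on the source account letting the user assume that role ARN."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn,
    }]}

def audit_trust_policy(policy):
    """Return findings for Allow statements lacking the expected conditions."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            findings.append("no sts:ExternalId condition")
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            findings.append("MFA not required")
        if stmt.get("Principal") in ("*", {"AWS": "*"}):
            findings.append("wildcard principal")
    return findings

if __name__ == "__main__":
    import json
    # Constructed sample values: account ids and role name are placeholders
    role = "arn:aws:iam::222222222222:role/CrossAccountConsole"
    print(json.dumps(target_trust_policy("111111111111", new_external_id()), indent=2))
    print(json.dumps(source_user_policy(role), indent=2))
```

For the local-account case in the last tip, pass the same account ID as both source and target.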

Update

Well, I pushed it further. Kriskross can now be launched as a tiny web service, so you can just copy & paste from your mobile MFA application directly into the mobile browser and thus avoid typos; the micro web server will launch the corresponding AWS session on your desktop.