Manage several AWS accounts simultaneously

Ben Riou
Sep 9, 2022
Difficult to spot the difference between a standard and a production account

On the AWS Console, it’s challenging to display different AWS accounts at once, for example to compare settings visually. As soon as another account’s credentials are loaded into the browser, the previous session is immediately suspended, with this well-known message:

Using Firefox: Containers!

One unique feature of Firefox is Containers. Each container creates an isolated browser space, independent from the others. Any session cookie or local storage data remains in the chosen container.

We use Containers to our advantage: each account is tied to a given container, so AWS is blind to parallel sessions.

Firefox Extension: Multi-Accounts Extension

This is an official Mozilla Firefox extension that lets you easily manage the containers configured at the browser level. You can retrieve its source code on GitHub or install it directly from the official Firefox extensions portal.

Once it is open, create as many containers as required, each with its own color code. Then, to open a new container tab, you can use the right-click menu on any link.

The created tab automatically gets its color, with additional information on the right side of the address bar.

I’m asked to reauthenticate when opening in another container?

The created container is free from existing cookies or local storage. That is why you need to reauthenticate once.

Automate Firefox Container redirects with Containerise

This additional extension detects a pattern (regular expression) in the URL being browsed and automatically redirects it into a selected container. This is useful for automatically opening links in a specific container.

Get it from the Firefox Extension Portal or retrieve the source code on GitHub.

The process is pretty straightforward: select an existing container name in the drop-down menu, then click on the + button. You’re prompted for a regular expression to match against the URLs browsed.

https://briou.awsapps.com/start/#/saml/custom/409XXXXXXX%20%28briou-sap-production%29/ODk3MTU2NDIxMzcyX2lucy1hgzX3AtMGQ1ZTI2YmQyMzNmODRiMQ%3D%3D

I use the AWS account number to match multiple containers. AWS Alias account names can also be used, whether you’re using the standard console or AWS Organizations portal.

Using Chrome

Incognito Mode

There are fewer options available for Chrome. One of them is to use Incognito Mode to open another session; however, you can only open one incognito session at a time.

Chrome: Multiple User Profiles

Another solution is to create several Chrome user profiles and log in to each account in a separate user profile.

Using the CLI

AWS-Vault, Oh My ZSH and Powerlevel10k

When working with the CLI, it’s always safer to explicitly display when AWS Credentials are being loaded in the environment. A good example of integration is the combination of AWS-Vault, Oh My ZSH, and the theme PowerLevel 10k.

AWS-Vault

This is a multiplatform tool used to securely store your AWS credentials in the computer’s keychain and manage your AWS CLI sessions via STS.

You can initiate a session via the aws-vault exec command. Once the authentication is completed, an STS token is generated and stored in the computer’s keychain, and as an environment variable.

AWS-Vault can authenticate with AWS Organizations SSO Portals too.

We will use the AWS_VAULT environment variable to alter the prompt displayed with the relevant information.

Oh My Zsh + PowerLevel10k

This is a fancy ZSH shell customization that comes with a lot of plugins. Used with PowerLevel 10k, you can get a colorful shell with multiple practical data elements. This will allow us to get prompt information with the loaded AWS-Vault profile.

Install both Oh My ZSH and PowerLevel 10k, via the repository documentation. Do not forget to enable PowerLevel10k in your ZSH configuration.

Let’s set up PowerLevel10k by editing the .p10k.zsh file.

1- By default, the AWS Profile information will only be displayed for some commands. Comment out the line POWERLEVEL9K_AWS_SHOW_ON_COMMAND to always show the profile on the CLI.

2- Tell Powerlevel what type of accounts you want to match. The matching is made via a regex on the AWS_VAULT environment variable. Each account type will have its own color.

3- For each account type, specify the color you want to display.

Two color codes need to be specified:

  • Foreground
  • Background

Here are the color codes you can use, assuming that your terminal is able to display 256 colors

4- Finally, let’s tell PowerLevel how to retrieve the information about the AWS-Vault profile currently loaded (remember the environment variable?).
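
Steps 1 to 4 put together as a `.p10k.zsh` fragment. This is an added example, not the author's original configuration: it uses the parameters of Powerlevel10k's stock `aws` segment, and the profile name patterns, the class names (PROD, STANDARD, UNKNOWN) and the color codes are assumptions to adapt.

```zsh
# ~/.p10k.zsh, aws segment (added example; patterns, class names and colors are assumptions)

# Step 1: keep SHOW_ON_COMMAND commented out so the segment is shown on every
# prompt, not only while typing one of the listed commands.
# typeset -g POWERLEVEL9K_AWS_SHOW_ON_COMMAND='aws|awless|terraform|pulumi|terragrunt'

# Step 2: pattern/class pairs, written as in the stock config. Pairs are tried
# in order and the first match wins, so the production pattern comes first.
# The patterns assume constructed aws-vault profile names such as
# "briou-sap-production" and "briou-sandbox".
typeset -g POWERLEVEL9K_AWS_CLASSES=(
  '*prod*'     PROD       # production accounts
  '*sandbox*'  STANDARD   # accounts known to be non-production
  '*dev*'      STANDARD
  '*'          UNKNOWN    # anything not recognised gets its own loud color
)                         # instead of silently inheriting the "safe" one

# Step 3: one foreground/background pair per class (256-color codes).
typeset -g POWERLEVEL9K_AWS_PROD_FOREGROUND=231       # white text
typeset -g POWERLEVEL9K_AWS_PROD_BACKGROUND=160       # on red
typeset -g POWERLEVEL9K_AWS_STANDARD_FOREGROUND=16    # black text
typeset -g POWERLEVEL9K_AWS_STANDARD_BACKGROUND=34    # on green
typeset -g POWERLEVEL9K_AWS_UNKNOWN_FOREGROUND=16     # black text
typeset -g POWERLEVEL9K_AWS_UNKNOWN_BACKGROUND=220    # on yellow

# Step 4: what the segment prints. Here it is the profile name that
# `aws-vault exec` exported as AWS_VAULT; "%" is doubled so that zsh prompt
# expansion prints it literally. Assumption: the installed Powerlevel10k
# treats AWS_VAULT as a profile source, so the segment appears once it is set.
typeset -g POWERLEVEL9K_AWS_CONTENT_EXPANSION='${AWS_VAULT//\%/%%}'
```

The `aws` segment must also be listed in the prompt elements of `.p10k.zsh` (it is in the stock configuration). Open a new shell after editing so the settings are picked up.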

Conclusion

We’ve seen different ways to work simultaneously with several AWS Accounts. Getting the information displayed on the screen is key to avoiding operational accidents.
