Logo

dev-resources.site

for different kinds of informations.

Deep Linking AWS Console with all your AWS IAM Identity Center Roles

Published at
8/17/2024
Categories
aws
iam
security
identity
Author
gabrielkoo
Categories
4 categories in total
aws
open
iam
open
security
open
identity
open
Author
10 person written this
gabrielkoo
open
Deep Linking AWS Console with all your AWS IAM Identity Center Roles

Simplifying AWS IAM Identity Center Role Management

As an AWS Community Builder, I'm always looking for ways to streamline cloud management tasks. Today, I'm excited to share a tool I've developed to make AWS IAM Identity Center (formerly AWS SSO) role management easier and more efficient: the AWS IAM Identity Center Access Role Portal:

https://iamidentitycenterroles.us-east-1.com/

(I am the owner of the domain us-east-1.com, and it's not directly affiliated with AWS.)

What is AWS IAM Identity Center?

As per the official docs,

AWS IAM Identity Center is the recommended AWS service for managing human user access to AWS resources. It is a single place where you can assign your workforce users, also known as workforce identities, consistent access to multiple AWS accounts and applications.

It's easier to manage than using traditional IAM Users for accessing AWS Console/CLI, where you have to configure the users/role manually in every AWS account that you own. With AWS IAM Identity Center, you can configure/delegate the same role(s) into multiple Organization AWS Accounts in one go.

The Challenge

If you do need to access multiple AWS accounts via different IAM roles in your day to day job, switching to different roles across multiple AWS accounts can be a troublesome task, especially for organizations with numerous teams and projects.

One traditional way would be to use the IAM "Switch Role" feature. It requires you to create an AWS IAM user in one AWS account, then create the IAM roles in each of the "target" AWS accounts where you wish to access manually one by one.

Thankfully, with AWS IAM Identity Center, you can access the roles from different AWS accounts within the same AWS Organization in a centralized way. Users can switch between different AWS Account IAM roles effectively.

Further if you work for multiple organizations (say you are a consultant or your company has several subsidiaries), you may need to access different AWS Organizations within a single day. In this case, you have to navigate between multiple AWS Identity Center access portals in order to get access to various AWS resources.

Thanks to AWS, there is a new Shortcut feature

Thankfully, in 2024 April, AWS also released a new shortcut feature) within AWS IAM Identity Center:

New

With the simple form, you can generate a deep URL link that once accessed, authenticates you to the AWS IAM Identity Center organization, assumes the IAM access role, and optionally redirects you back to a page within AWS Console.

For example, you may look at this sample deep linking URL



https://gabrielkoo.awsapps.com/start/#/console?
  account_id=123456789012&
  role_name=DeepracerRole&
  destination=https%3A%2F%2Fus-east-1.console.aws.amazon.com%2Fdeepracer%2Fhome%3Fregion%3Dus-east-1%23models


Enter fullscreen mode Exit fullscreen mode

Which when URL-decoded, it becomes:



https://gabrielkoo.awsapps.com/start/#/console?
  account_id=123456789012&
  role_name=DeepracerRole&
  destination=https://us-east-1.console.aws.amazon.com/deepracer/home?region=us-east-1#models


Enter fullscreen mode Exit fullscreen mode

Generalizing it, it becomes:



https://<IDENTITY_CENTER_ALIAS>.awsapps.com/start/#/console?
  account_id=<AWS_ACCOUNT_ID>&
  role_name=<SSO_ACCESS_ROLE>&
  destination=<AWS_CONSOLE_CALLBACK_URL>


Enter fullscreen mode Exit fullscreen mode

The Solution

Based on the problem above, I created the AWS IAM Identity Center Access Role Portal - it is a lightweight, client-side web application that provides a unified interface for managing AWS IAM Identity Center's access roles - and most importantly it supports multiple AWS Organizations.

Let's take a closer look at its features and benefits.

Easy Role Management

The portal presents all your roles in a clear, tabular format:

Role List

From this single view, you can:

  • See all roles across different Identity Center aliases and AWS accounts
  • Quickly access the AWS console for any role
  • Edit role details
  • Clone a role record to a new record
  • Delete roles when they're no longer needed
  • Export and import as URLs: this is particular useful if you want to share a list of deep links to your teammates!

Streamlined Role Creation

Adding a new role is as simple as clicking a button and filling out the form:

New Record Creation

The form even allows you to paste a shortcut link (with the new feature) generated from AWS IAM Identity Center to pre-fill values, saving you time and reducing the chance of errors.

So when does it help?

When integrated with other AWS Console's pages that offers deep linking, you would just can't imagine all the possibilities that it might unblock.

For example, you have an AWS System Manager managed EC2 instance that serves as the company VPN.

Your team grows and the VPN instance often suffers from memory leak - and you know the best way is to reboot it. You have been running a Systems Manager runbook AWS-RestartEC2Instance for a while. One day you reserves an urgent request to fix the VPN as one of your business user is doing an external demo with an internal site that requires VPN connectivity.

Every second for the "reboot fix" matters.

Instead of these long steps...

  1. Log into AWS IAM Identity Center
  2. Pick the right AWS Account
  3. Pick the Access Role
  4. Get into AWS Console
  5. Navigate to EC2 Console
  6. Pick your instance
  7. Click "Restart"

You can just

  1. Click a new deep linked URL
  2. Log into AWS IAM Identity Center
  3. Execute a Systems Manager automation document with all parameters pre-filled: ```

https://us-east-1.console.aws.amazon.com/systems-manager/automation/execute/AWS-RestartEC2Instance?
region=us-east-1#InstanceId=&AutomationAssumeRole=


It's much more handy than the initial 7-step way!

## Security First

As an AWS Community Builder, I understand the critical importance of security, especially with this entry point of AWS Console. The IAM Identity Center Access Role Portal has been designed with security as a top priority:

1. **Client-Side Only:** The entire application runs in the browser. There's no server-side component, which means there's no additional infrastructure to secure and maintain.

2. **No Backend Data Storage:** The portal doesn't store any sensitive information. It's a pure interface tool that interacts directly with your AWS environment. Data is stored in your browser's local storage only.

3. **Leverages Existing AWS Security:** By using AWS IAM Identity Center, the tool inherits AWS's robust security measures, such as multi-factor authentication and fine-grained permissions if you use AWS Identity Center's managed user directory.

## Easy Deployment

Because the Access Role Portal is a static web application, deployment is straightforward. You can just use my version as-is, or download the static files from my GitHub repository.

## Onboard your colleagues much faster

With my tools' import & export functions, AWS account admins can prepare a list deep linked URLs of different accounts and console pages, export it and share to your organization's new joiners. Now they can get access to various team resources much easier, which just copy pasting:

![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/o17e002nyq5vpg2u058r.png)

Then, you no longer need to team your new colleague every time on "how to access the CloudWatch Log group for that Lambda function?" - You can just share them the exported URL and the will have the book marks imported in their portal already.

Try [this sample exported link](https://iamidentitycenterroles.us-east-1.com#data=W3siaWQiOiIxNzIzMzUzNjA4Nzk3IiwiaWRlbnRpdHlDZW50ZXJBbGlhcyI6ImdhYnJpZWxrb28iLCJhY2NvdW50SWQiOiIxMzU3OTI0NjgxMDEiLCJyb2xlTmFtZSI6IkRlZXByYWNlciIsImRpc3BsYXlOYW1lIjoiRGVlcHJhY2VyQWNjZXNzIiwicmVkaXJlY3RVcmkiOiJodHRwczovL3VzLWVhc3QtMS5jb25zb2xlLmF3cy5hbWF6b24uY29tL2RlZXByYWNlci9ob21lP3JlZ2lvbj11cy1lYXN0LTEjbW9kZWxzIn0seyJpZCI6IjE3MjMzNTM5MjUxOTEiLCJpZGVudGl0eUNlbnRlckFsaWFzIjoiY29tcGFueWIiLCJhY2NvdW50SWQiOiIyMzQ1Njc4OTAxMjMiLCJyb2xlTmFtZSI6Ik5ldHdvcmtFbmdpbmVlciIsImRpc3BsYXlOYW1lIjoiTmV0d29ya0VuZ2luZWVyLUIiLCJyZWRpcmVjdFVyaSI6Imh0dHBzOi8vdXMtZWFzdC0xLmNvbnNvbGUuYXdzLmFtYXpvbi5jb20vdnBjL2hvbWU/cmVnaW9uPXVzLWVhc3QtMSJ9LHsiaWQiOiIxNzIzMzUzOTM2MDQzIiwiaWRlbnRpdHlDZW50ZXJBbGlhcyI6ImNvbXBhbnljIiwiYWNjb3VudElkIjoiMzQ1Njc4OTAxMjM0Iiwicm9sZU5hbWUiOiJTZWN1cml0eUFuYWx5c3QiLCJkaXNwbGF5TmFtZSI6IlNlY3VyaXR5LUMiLCJyZWRpcmVjdFVyaSI6Imh0dHBzOi8vdXMtd2VzdC0xLmNvbnNvbGUuYXdzLmFtYXpvbi5jb20vZ3VhcmRkdXR5L2hvbWU/cmVnaW9uPXVzLXdlc3QtMSJ9LHsiaWQiOiIxNzIzMzUzOTQ2MTI3IiwiaWRlbnRpdHlDZW50ZXJBbGlhcyI6ImNvbXBhbnlkIiwiYWNjb3VudElkIjoiNDU2Nzg5MDEyMzQ1Iiwicm9sZU5hbWUiOiJDbG91ZEFyY2hpdGVjdCIsImRpc3BsYXlOYW1lIjoiQXJjaGl0ZWN0LUQiLCJyZWRpcmVjdFVyaSI6Imh0dHBzOi8vdXMtZWFzdC0yLmNvbnNvbGUuYXdzLmFtYXpvbi5jb20vY2xvdWRmb3JtYXRpb24vaG9tZT9yZWdpb249dXMtZWFzdC0yIn0seyJpZCI6IjE3MjMzNTM5NTU0ODIiLCJpZGVudGl0eUNlbnRlckFsaWFzIjoiY29tcGFueWUiLCJhY2NvdW50SWQiOiI1Njc4OTAxMjM0NTYiLCJyb2xlTmFtZSI6IkRldk9wc0VuZ2luZWVyIiwiZGlzcGxheU5hbWUiOiJEZXZPcHMtRSIsInJlZGlyZWN0VXJpIjoiaHR0cHM6Ly9hcC1zb3V0aGVhc3QtMS5jb25zb2xlLmF3cy5hbWF6b24uY29tL2Vjcy9ob21lP3JlZ2lvbj1hcC1zb3V0aGVhc3QtMSJ9LHsiaWQiOiIxNzIzMzUzOTEwOTM3IiwiaWRlbnRpdHlDZW50ZXJBbGlhcyI6ImNvbXBhbnlhIiwiYWNjb3VudElkIjoiMTIzNDU2Nzg5MDEyIiwicm9sZU5hbWUiOiJEYXRhYmFzZUFkbWluIiwiZGlzcGxheU5hbWUiOiJEQkFkbWluLUEiLCJyZWRpcmVjdFVyaSI6Imh0dHBzOi8vdXMtd2VzdC0yLmNvbnNvbGUuYXdzLmFtYXpvbi5jb20vcmRzL2hvbWU/cmVnaW9uPXVzLXdlc3QtMiJ9XQ==) in an incognito tab!

## Conclusion

The AWS IAM Identity Center Access Role Portal demonstrates how simple tools can significantly improve our cloud management workflows. By providing a clear, unified interface for role management, it saves time, reduces errors, and enhances security.

As an AWS Community Builder, I'm committed to sharing knowledge and tools that help the community. I hope this portal will be useful for other AWS administrators dealing with multi-account environments.

The code for this project is open-source and available on GitHub <https://github.com/gabrielkoo/aws-iam-identity-center-shortcut-portal>. I welcome contributions and feedback from the community to make this tool even better.

Remember, effective IAM management is crucial for maintaining a secure and efficient AWS environment. Tools like this can help, but they should always be used in conjunction with AWS best practices and regular security audits.

Happy cloud computing!
Enter fullscreen mode Exit fullscreen mode
identity Article's
30 articles in total
Favicon
Deploying and Configuring a Hybrid Identity Lab Using Bicep - Part 1: Active Directory Setup and Sync
Favicon
It’s cybersecurity’s kryptonite: Why are you still holding it?
Favicon
How to secure minimal api microservices with asp.net core identity
Favicon
How to verify NIN for Nigerians on the ecitizen platform.
Favicon
Simplified Configuration of SSO Profiles in AWS CLI Using SSO Sessions
Favicon
Google identity Platform
Favicon
Why Broken Links Are Costing You Brand Deals (And How to Fix It)
Favicon
How To Get There: Bridging The Technology Gap Preventing You From Adopting A Secrets-free Machine Identity Framework
Favicon
5 go-to-market lessons I learned from driving a developer-led growth product
Favicon
Revolutionizing Identity Resolution with Machine Learning: A Technical Overview
Favicon
Social Media Security: How to Protect Your Online Identity
Favicon
The Future of Web: How Web5 Transforms Identity and Data OwnerShip
Favicon
Private Self-Hosted OIDC AWS Authentication
Favicon
Opaque token vs JWT
Favicon
Implementing ASP.NET Identity for a Multi-Tenant Application: Best Practices
Favicon
Color palette in branding: How Logto generate a custom color scheme for your brand
Favicon
Concepts of a Ticket in ASP.NET Identity
Favicon
Understanding Single Sign-On (SSO) and SAML: Simplified
Favicon
When should I use JWTs?
Favicon
Bring your own sign-in UI to Logto Cloud
Favicon
Create a remark plugin to extract MDX reading time
Favicon
Everything you need to know about Base64
Favicon
How does the browser process the URL input in the address bar?
Favicon
Deep Linking AWS Console with all your AWS IAM Identity Center Roles
Favicon
Are You Prepared for the Next Cyber Attack? - IDArmor
Favicon
heaviside and Identity in PyTorch
Favicon
Is magic link sign-in dying? A closer look at its declining popularity
Favicon
Crafting Your Developer Identity: A Blueprint for 2024 🌟
Favicon
Use React.lazy with confidence: A safe way to load components when iterating fast
Favicon
Personal access tokens, machine-to-machine authentication, and API Keys definition and their real-world scenarios

Featured ones: