AWS SSO with Google Chrome profiles

Mapping AWS profiles to Chrome profiles

Published: Wednesday, Oct 16, 2024 Last modified: Monday, Dec 9, 2024

When working on different AWS accounts with different clients, my strategy is to keep them separated with browser profiles.

It’s non-trivial to list profile names in the Chrome UI or perhaps I don’t know how to do it!

❯ cd "$HOME/Library/Application Support/Google/Chrome"
❯ ls -d1 Prof*
'Profile 1'
'Profile 2'
'Profile 13'
chrome://version showing profile

I test each profile to work out the correct client profile like so:

open -na "Google Chrome" --args --profile-directory="Profile 13" https://example.com

Furthermore when using aws configure sso it appears non-trivial to select say “Profile 13”.

Selecting the browser profile

I’ve figured out how to do this with https://www.granted.dev/

brew tap common-fate/granted
brew install granted

Then you might need to alias assume.

The configuration is gnarly but it works:

❯ cat .granted/config
DefaultBrowser = "CHROME"
CustomBrowserPath = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
CustomSSOBrowserPath = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
Ordering = ""
ExportCredentialSuffix = ""

[SSOBrowserLaunchTemplate]
Command = "\"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome\" {{ .URL }} --args \"--profile-directory=Profile 13\" "

[Keyring]
Backend = "keychain"

When it’s working, you should be able to switch between roles running assume, and unlike aws sso login it should open the correct browser profile.

TODO figure out how to make a map between browser profiles and AWS profiles.

References