AWS SSO with Google Chrome profiles
Mapping AWS profiles to Chrome profiles
Published: Wednesday, Oct 16, 2024 Last modified: Thursday, Nov 14, 2024
When working on different AWS accounts with different clients, my strategy is to keep them separated with browser profiles.
It’s non-trivial to list profile names in the Chrome UI or perhaps I don’t know how to do it!
❯ cd "$HOME/Library/Application Support/Google/Chrome"
❯ ls -d1 Prof*
'Profile 1'
'Profile 2'
'Profile 13'
I test each profile to work out the correct client profile like so:
open -na "Google Chrome" --args --profile-directory="Profile 13" https://example.com
Furthermore when using aws configure sso it appears non-trivial to select say “Profile 13”.
Selecting the browser profile
I’ve figured out how to do this with https://www.granted.dev/
brew tap common-fate/granted
brew install granted
Then you might need to alias assume.
The configuration is gnarly but it works:
❯ cat .granted/config
DefaultBrowser = "CHROME"
CustomBrowserPath = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
CustomSSOBrowserPath = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
Ordering = ""
ExportCredentialSuffix = ""
[SSOBrowserLaunchTemplate]
Command = "\"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome\" {{ .URL }} --args \"--profile-directory=Profile 13\" "
[Keyring]
Backend = "keychain"
When it’s working, you should be able to switch between roles running assume, and unlike aws sso login it should open the correct browser profile.
TODO figure out how to make a map between browser profiles and AWS profiles.