Here’s how it goes: you’ve got a Chrome window open for your Production AWS account, and a Firefox window open for the Staging account. There’s a Safari window open for the Dev account, and an incognito Firefox window open for the Sandbox account. Buried somewhere in your dock’s 200 open windows is a Chrome incognito account for the other Sandbox account (because your org really, really cares about account-level separation), but by the time you manage to find it your session will probably be expired and you’ll have to go through the whole kerfuffle of signing in again.
I can’t explain to you why AWS decided to make their user experience like this — who am I to question the will of God? But I can offer you a solution: a simple, open-source CLI tool that’ll take you 10 minutes to install and will save you from AWS browser window hell forever.
Here’s how Granted CLI works. Run the `assume` command in your terminal and pick which AWS profile to sign in to (in my case,
And in a few seconds, it’ll open a new tab in your browser of choice (in my case, Firefox):
Now let’s say you want to work in a second AWS account simultaneously. All you have to do is run the same command, this time selecting a different profile (in my case,
And then you’ll have a second tab open in a new container:
You can switch between these tabs to work in these accounts simultaneously with no extra hassle. Opening another profile is as simple as just running another command.
If you think this is as cool as we do, you can read our Getting Started guide to get set up with Granted — but to save you a click I’ll run through the MacOS instructions here (the Getting Started guide contains specific instructions for Linux and Windows, too).
First, you’ll need to set up at least one role in your AWS config file. On MacOS, this is stored in `~/.aws/config`. A config file for AWS SSO should look something like this:
```
# ~/.aws/config
# Change the values below to match your AWS SSO configuration
# Granted uses the profile name: in this case 'my-profile' to choose the role.
[profile my-profile]
sso_start_url=https://mycompany.awsapps.com/start
sso_region=us-east-1
sso_account_id=123456789012
sso_role_name=DeveloperRole
region=us-east-1
```
(You can use AWS IAM too, but we recommend SSO.)
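Before pointing Granted at an existing config, it helps to see which profiles are complete SSO profiles and which still carry static IAM keys. The following is an added example, not code from the Granted project: `audit_aws_config`, its finding labels and every sample profile except `my-profile` are constructed for illustration, and it goes slightly beyond the config above by also resolving the AWS CLI's newer `sso_session` form.

```python
import configparser
# Keys the page's example SSO profile sets.
SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")
# Constructed sample; only my-profile's values come from the page.
SAMPLE = """\
[profile my-profile]
sso_start_url=https://mycompany.awsapps.com/start
sso_region=us-east-1
sso_account_id=123456789012
sso_role_name=DeveloperRole
[profile staging]
sso_start_url=https://mycompany.awsapps.com/start
sso_account_id=123456789012
[profile dev]
sso_session=corp
sso_account_id=123456789012
sso_role_name=DeveloperRole
[sso-session corp]
sso_start_url=https://mycompany.awsapps.com/start
sso_region=us-east-1
[profile legacy]
aws_access_key_id=EXAMPLE-NOT-A-REAL-KEY
"""

def audit_aws_config(text):
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    findings = {}  # profile name -> "sso", "static-keys", ...
    for section in cp.sections():
        if section != "default" and not section.startswith("profile "):
            continue  # [sso-session ...] blocks are not profiles
        name = section.split(" ", 1)[-1].strip()
        keys = dict(cp.items(section))
        # Newer configs keep start URL and region in a shared [sso-session X].
        session = "sso-session " + keys.get("sso_session", "")
        if "sso_session" in keys and cp.has_section(session):
            keys = {**dict(cp.items(session)), **keys}
        missing = [k for k in SSO_KEYS if not keys.get(k)]
        if "aws_access_key_id" in keys:
            findings[name] = "static-keys"  # long-lived IAM user credentials
        elif not missing:
            findings[name] = "sso"
        else:
            findings[name] = ("sso-incomplete: missing " + ", ".join(missing)
                              if len(missing) < len(SSO_KEYS) else "other")
    return findings

if __name__ == "__main__":
    print(audit_aws_config(SAMPLE))
```

To check a real file, pass the contents of `~/.aws/config` to `audit_aws_config` instead of `SAMPLE`.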
Once you’ve got that set up, you can use Homebrew to install Granted:
```
brew tap common-fate/granted
brew install granted
```
And verify your installation:
```
➜ granted -v
Granted v0.2.9
```
(mine is v0.2.9 at the time of writing — yours will probably be a later version)
Once you’ve verified that Granted is installed correctly, you can run the `assume` command to get started with the setup wizard where you’ll be prompted to choose your browser.
After setup, you can run `assume` again to choose roles:
You can also pass the role name directly and use the `-c` flag to open the console, e.g. `assume -c testing`.
And that’s it! If you’ve got any questions, you can check out the docs or join our Slack where we’ll be happy to chat with you directly. And if you like Granted, you can follow our Twitter for updates and terrible jokes.