AWS Multi-account access with Granted
This article was also posted on the Knack engineering blog.
When starting Knack in 2015, an early decision we made was to use AWS as our primary cloud provider. We started with a single AWS account, with separate environments managed within it. The ecosystem and guidance from AWS around the use of accounts changed rapidly, with AWS Organizations becoming available in 2017 and AWS Control Tower in 2018. As Knack grew and we started on SOC 2 compliance efforts in 2020, we identified that we needed to restructure from a single account to a Control Tower managed multi-account setup, so that each account could be managed and governed in isolation.
Working across multiple AWS accounts is complicated. Instead of one account, we now have 14 accounts, not counting individual developer sandbox accounts. We use Terraform exclusively for defining and managing configuration but would still frequently need to log in to the AWS Console on different accounts to use services like the ECS console or CloudWatch. Maintaining different browser profiles or trying to switch between accounts within the context of a single browser session was frustrating.
Then we discovered Granted from the team over at Common Fate. It’s a wonderful open source CLI utility that enables rapidly logging in to AWS from a terminal. It also makes use of Firefox’s Multi-Account Containers extension so that different tabs can be logged into the AWS Console side-by-side in a single Firefox window, each with its own isolated session cookies.
With Granted and its CLI command `assume` in use, a common workflow for us now looks like:
- Configure the various AWS accounts and role profiles in `~/.aws/config`. Let’s say `knack-prod` is a configured profile.
- In a terminal window, run `assume knack-prod`. This will open the desired browser to perform SSO with AWS and log in.
- Run `assume knack-prod -c` to open a Firefox tab with the console. You can use the `-s` flag to launch directly into specific services as well, like `assume knack-prod -s cw` to open CloudWatch or `assume knack-prod -s iam` to go to IAM. These browser tabs can live alongside each other for rapid switching.
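The profile configuration in the first step is the part that has to scale with the number of accounts. As an added example (not code from the original post or from the Granted project), the script below generates standard AWS IAM Identity Center (SSO) profile stanzas for a small account inventory, validates the account ids, and lists the resulting profile names, which is what `assume` offers in its picker when run without arguments. The start URL, account ids and role names are hypothetical placeholders; note that each profile is pinned to one role, so a read-only role for day-to-day profiles and an admin role in a separate profile is a cheap way to keep least privilege in this setup. The `assume` calls at the end are shown as comments because they need a live SSO session; they work as a shell function rather than a plain binary precisely so they can export credentials into the calling shell.

```shell
#!/usr/bin/env bash
# Added example: generate ~/.aws/config SSO profile stanzas for several
# accounts and check them. Not from the original post or from Granted.
# SSO_START_URL, the account ids and the role names below are hypothetical.

SSO_START_URL="https://example.awsapps.com/start"   # hypothetical Identity Center portal
SSO_REGION="us-east-1"

# Emit one standard AWS SSO profile stanza: name, 12-digit account id, role,
# optional default region. Rejects anything that is not a 12-digit id.
sso_profile() {
  local name="$1" account="$2" role="$3" region="${4:-$SSO_REGION}"
  case "$account" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "sso_profile: '$account' is not a 12-digit account id" >&2; return 1 ;;
  esac
  printf '[profile %s]\nsso_start_url = %s\nsso_region = %s\nsso_account_id = %s\nsso_role_name = %s\nregion = %s\n\n' \
    "$name" "$SSO_START_URL" "$SSO_REGION" "$account" "$role" "$region"
}

# Build a whole config from "name account role" triples read on stdin.
# Stops at the first invalid line instead of writing a half-broken config.
build_config() {
  local name account role
  while read -r name account role; do
    [ -n "$name" ] || continue
    sso_profile "$name" "$account" "$role" || return 1
  done
}

# List the profile names in a config file (the choices `assume` would offer).
list_profiles() {
  sed -n 's/^\[profile \(.*\)]$/\1/p' "$1"
}

# Constructed sample inventory (hypothetical account ids and roles).
ACCOUNTS='knack-prod 111111111111 ReadOnlyAccess
knack-staging 222222222222 AdministratorAccess
knack-security 333333333333 SecurityAudit'

main() {
  local cfg
  cfg="$(mktemp)"
  printf '%s\n' "$ACCOUNTS" | build_config > "$cfg"
  list_profiles "$cfg"
  # After appending "$cfg" to ~/.aws/config:
  #   assume knack-prod         # SSO login; credentials exported into this shell
  #   assume knack-prod -c      # open the console in a Firefox container tab
  #   assume knack-prod -s cw   # jump straight to CloudWatch
  rm -f "$cfg"
}

main
```

Running the script prints the three profile names; the generated stanzas use only the standard `sso_*` keys the AWS CLI itself understands, so the same file works for `aws --profile knack-prod` as well as for `assume`.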
Tabs in Firefox display with different colors and names in the address bar based on the AWS profile:
The various profiles can be customized as part of the Multi-Account Containers functionality in Firefox:
There are some other useful features in their docs to check out that we haven’t made use of yet, like profile registries for sharing profile configurations within a team. Give Granted a try if you need a simpler way to manage access to multiple AWS accounts!