IAM Identity Center: AWS Management Console and AWS Account Context

We are in the process of setting up a new fleet of AWS accounts, and have configured federated access from our IdP via IAM Identity Center. It works very well.

What is lacking, however, is useful context within the AWS Management Console to clearly identify where the user is operating at the time.

The AWS Portal provides a very convenient and useful list of accounts (with their proper names) and available roles. Here is an obfuscated example:

An Example of the AWS Portal

When we use any of the links from this page, we jump directly into one of our accounts via the relevant Permission Set. The only context that we see is quite unhelpful, and I have concerns that anybody in our team could easily forget which account they are working in, leading to mistakes of varying consequence. The only information that seems to be readily available is the information shown under the 'current user' drop-down in the top-right of the console, which only shows the not very helpful account identifier.

An Example of the current user drop-down

We'd really like a way of clearly seeing the account name, perhaps in the header bar, ideally along with a color (like you can configure with AWS role switching). Basically what we had via old-school IAM with role switching. Does anybody know if this is a thing, or if there is something that I'm missing?

2 Answers
Accepted Answer

I use this Chrome extension to make it easier to identify the account I am working on.
https://chrome.google.com/webstore/detail/aws-peacock-management-co/bknjjajglapfhbdcfgmhgkgfomkkaidj

Currently, IAM Identity Center does not have any special settings for identification, so the only way is to use the above extension.

answered 9 months ago
  • That is exactly what I need! It is a bit of a shame that this capability is not native to the AWS Management Console, but a plug-in extension is a very good option to have.

    Thank you for the response.
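
As an added example (not code from the original thread, nor from the Peacock extension linked above): a minimal JavaScript userscript that does the same job with a hand-maintained map from the account ID, the one piece of context the console does show, to a name and colour, and paints a banner across the top of the page. The account IDs, names and colours are constructed placeholders, and the way the ID is pulled from the page (scanning the page text for a 12-digit number) is an assumption made for illustration, not how the console or the extension exposes it.

```javascript
// Added example, not code from the original thread or from the Peacock
// extension: map the 12-digit account ID the console shows in its user
// drop-down to a human-readable name and colour, then paint a banner.
// Account IDs, names and colours below are constructed placeholders.

// Constructed mapping of account ID -> label and colour (fake IDs).
const ACCOUNT_MAP = {
  "111111111111": { name: "axcess-prod", color: "#b00020" }, // red for production
  "222222222222": { name: "axcess-dev", color: "#1b7f3b" },  // green for development
  "333333333333": { name: "axcess-cicd", color: "#1f4e9e" }, // blue for CI/CD
};

// Fallback for an account that is not in the map. Deliberately loud: an
// unexpected account must never be painted as if it were a known one.
const UNKNOWN = { name: "UNMAPPED ACCOUNT", color: "#ff8c00" };

// Pull a 12-digit account ID out of free text. The console renders the ID
// either as 123456789012 or as 1234-5678-9012, so both forms are accepted;
// a run of 13 or more digits is rejected rather than truncated.
function extractAccountId(text) {
  const m = String(text).match(/\b(\d{4})-?(\d{4})-?(\d{4})\b/);
  return m ? m[1] + m[2] + m[3] : null;
}

// Resolve the banner context for an account ID. Unknown IDs get the loud
// fallback; a malformed ID is an error rather than a guess.
function resolveAccountContext(accountId, map = ACCOUNT_MAP) {
  if (!/^\d{12}$/.test(accountId)) {
    throw new Error(`not a 12-digit AWS account ID: ${accountId}`);
  }
  const entry = Object.prototype.hasOwnProperty.call(map, accountId) ? map[accountId] : null;
  return {
    accountId,
    name: entry ? entry.name : UNKNOWN.name,
    color: entry ? entry.color : UNKNOWN.color,
    known: entry !== null,
  };
}

// Banner text: account name, ID and, if supplied, the permission set / role.
function bannerText(ctx, role) {
  const base = `${ctx.name} (${ctx.accountId})`;
  return role ? `${base} as ${role}` : base;
}

// Paint a fixed banner at the top of the page in the account's colour.
// Returns the element, or null outside a browser so the functions above
// stay testable in Node.
function paintBanner(ctx, role, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return null;
  const id = "account-context-banner";
  let el = doc.getElementById(id);
  if (!el) {
    el = doc.createElement("div");
    el.id = id;
    doc.body.prepend(el);
  }
  el.textContent = bannerText(ctx, role);
  Object.assign(el.style, {
    position: "fixed", top: "0", left: "0", right: "0", zIndex: "2147483647",
    padding: "4px 0", textAlign: "center", font: "bold 14px sans-serif",
    color: "#fff", background: ctx.color,
  });
  return el;
}

// Userscript entry point. Assumption: the account ID is present somewhere in
// the page text (it is at least in the user drop-down). The role name is
// passed in by the caller because its location in the DOM is not assumed.
function installBanner(role) {
  if (typeof document === "undefined") return null;
  const accountId = extractAccountId(document.body.textContent);
  if (!accountId) return null;
  return paintBanner(resolveAccountContext(accountId), role);
}

installBanner("AdministratorAccess"); // no-op outside a browser
```

Two points worth keeping in mind if you run something like this: the first 12-digit number in the page text is not guaranteed to be the account ID (a resource ID or phone number can match), so a version you rely on should read the ID from the drop-down element itself; and the orange "UNMAPPED ACCOUNT" fallback is the useful part of the check, since landing in an account that is not in your map is exactly the moment to stop and confirm where you are rather than carry on.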


My friend, there is no native AWS option as of yet to identify which account you are in when you log in via SSO, but here are a few tricks that may help. (Note: adding an account alias will also not help.)

Trick 1 - If there are a few accounts you log in to most of the time, then you can enable a colour theme for the browser: log in to the AWS account via SSO -> top right corner -> Role/User -> Settings -> Display -> Visual Mode -> Dark for one account and White for another.

Trick 2 - Prefer using a standard naming convention for all resources (EC2, EKS, ALB, EBS, SG, IAM, etc.), for example CountryCode-Account-Environment-Application-Resource-AZ, e.g. IN-AXCESS-PROD-APP2-EC2-1B, IN-AXCESS-DEV-APP1-EC2-1A, IN-AXCESS-CICD-JENKINS-EC2-1 and IN-AXCESS-CICD-JENKINS-EC2-1-SG.

Hope this helps.

answered 9 months ago
  • I'm not sure that trick 1 scales well to more than a couple of accounts. Also, I'm not sure how the specific resource naming helps identify at-a-glance which console you are in, unless you are suggesting that we name each Permission Set resource according to the target account (which seems to go a bit against the benefit of reusable cross-account permission sets). Thank you for the suggestions, though.
