
AWS SSO Current Account Name

8

When I use AWS SSO to switch to an AWS account, I am able to see only my user name and the currently assumed role in the account (AWSPowerUserAccess/martin@example.com), but I don't see the account name or account alias name. So I am not able to simply verify which account I have switched to: is it production, is it development? If I want to check the current account I have to go to the IAM Console and check its alias (if I have the required permissions) or I have to go to the SSO index and switch to the desired account again. Is it possible to configure SSO to show the account name together with the user and role in the navigation bar?

We were previously using roles switching where we were able to use Display Name for account. thanks

  • Exactly running into the same problem, before editing something in a test account I have to check twice that I am not changing production, this costs a lot of time

  • Huge +1 for adding the account name somewhere that's always visible. Without this, the possibility of human error for modifying the wrong resources is way too high. GCP puts the project name on the header of all pages, where it should be.

3 Answers
1

Hey there,

When setting 'Display Name' while switching role, what you're actually doing is setting the value for 'RoleSessionName'. When you assume a role through federation, this value is set for you by the federation broker.

E.g. In a traditional AD FS federation scenario, AD FS would set this for you via Claim Rules that your AD FS administrator would configure.

AWS SSO sets this value for 'RoleSessionName' and at this point in time, you cannot alter the value. The value is a combination of the name of the IAM Role being assumed, and the value of the email attribute of the directory user assuming the role.

Some suggestions on working around this would be to:

  • Use the drop-down to the top-right of the Management Console (where you see the RoleSessionName) and you will see the Account Number. If you have the numbers & name combinations documented, then that could work.
  • You could grant users very minor access to the Account Info page. Just enough to see the Account Name.
  • Or as you mentioned, just simply have users check the account number of the account that they're in against the account number & account name that they can see in the AWS SSO 'My Apps' page.
answered 8 months ago
  • Hello Ciaran, thanks for the answer. We are currently using a combination of all three possibilities you've mentioned. We also try to automate as much as possible to reduce the need for manual work in the AWS console. But we still need to be able to work in the AWS console in cases like incident response, and in that situation it would be really helpful to always see the name of the account in which I am currently working, which would fit perfectly in the navigation bar together with the current assumed role and email. Can I submit it somewhere as a feature request?

  • Hi @Ciaran Carragher, could you please explain more how you would achieve the second point, where can I find the account name?

  • We've also just set up AWS SSO having been using aws switch role plugin, and it's really disconcerting not to be able to see the current account name clearly at a glance. It would be a great improvement to display the account name somewhere clearly at all times. Looking up an account name from the account number is not ideal when you have 10s or 100s of accounts to manage.

  • Just wanted to +1 the feature-request for displaying the account name in the top-right dropdown. We're currently testing SSO as an alternative to IAM accounts for our engineers. We don't have that many accounts; however, some teams do frequently switch between a handful of them. This lack of visibility of the current account is the only thing giving me pause to fully committing to the switch, along with the lack of a single button to switch to another account (if that is available, please let me know).

  • Huge +1 on this as well. I'm working to migrate from the "switch role" method to using Control Tower and this is by far the biggest complaint I get from my development team. The ability to look at a glance if you're in the production / sandbox environment (with color coding) is an essential action they all take before making changes.
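
The first workaround in the answer above (keeping documented account number and name pairs) also works outside the console. The following is an added example, not part of the original answer or any AWS code: it takes a dict shaped like the output of `aws sts get-caller-identity`, splits the assumed-role ARN into account, role and RoleSessionName, and refuses to continue unless the account maps to the expected environment. The `ACCOUNTS` table, its account numbers and names, and the function names are assumptions made for illustration.

```python
import re

# Constructed stand-in for an organisation's documented
# "account number -> (account name, environment)" list.
ACCOUNTS = {
    "111111111111": ("example-dev", "development"),
    "222222222222": ("example-prod", "production"),
}

# STS session ARN: arn:<partition>:sts::<account>:assumed-role/<role>/<session>
ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[^/]+)/(?P<session>[^/]+)$"
)


class WrongAccount(Exception):
    """Raised when the current session is not in the expected environment."""


def describe_identity(identity, accounts=ACCOUNTS):
    """Resolve a get-caller-identity style dict to a readable description."""
    m = ARN_RE.match(identity["Arn"])
    if not m:
        raise ValueError("not an assumed-role session ARN")
    if m["account"] != identity["Account"]:
        raise ValueError("Account field and ARN disagree")
    # Undocumented accounts resolve to 'unknown' so later checks fail closed.
    name, env = accounts.get(m["account"], ("UNKNOWN", "unknown"))
    return {
        "account_id": m["account"],
        "account_name": name,
        "environment": env,
        "role": m["role"],
        "session": m["session"],  # RoleSessionName (the user's email under SSO)
    }


def require_environment(identity, expected, accounts=ACCOUNTS):
    """Return the description, or raise if the environment is not `expected`."""
    info = describe_identity(identity, accounts)
    if info["environment"] != expected:
        raise WrongAccount(
            f"in {info['account_name']} ({info['account_id']}, "
            f"{info['environment']}), expected {expected}"
        )
    return info
```
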

1

+1 on this please. It is a must-have for me as well.

answered 24 days ago
0

+1 on this. It is very inconvenient to just force every user to check account id all the time and unsafe to rely on it.

answered 16 days ago
