
Access to AWS

We use AWS IAM Identity Center (formerly AWS Single Sign-On) to manage access to our AWS accounts. This guide helps you set up browser-based and command-line access to AWS.

Things to consider

Recommended practice

Use the role with the least privileges needed for your task. If you're just browsing the AWS Console, a read-only role is likely sufficient. This prevents accidental changes and follows the principle of least privilege.

Before you begin

Make sure you have the ok command-line tool and the AWS CLI installed, and that your Microsoft account has been granted access to one or more AWS accounts. Contact Team Utviklerflyt if you need help with any of this.

Step 1: Verify browser-based access

Access the AWS web interface ("AWS Console") by following these steps:

  1. Visit https://osloorigo.awsapps.com/start
  2. Sign in using your Microsoft account
  3. Verify that you have access to one or more AWS accounts

Step 2: Configure command-line access

The AWS CLI reads settings from profiles in the $HOME/.aws/config file. Each profile tells the CLI which AWS account and role to use, and includes settings like your default region and how to authenticate.

AWS CLI Profile

A profile is a named set of settings that tells the AWS CLI how to access AWS resources. You can have multiple profiles on your computer, each representing access to a different AWS account or role. For example, you might have one profile for admin access to your development account, and another for read-only access to production.

You can define these profiles manually, but it gets tedious when you have multiple accounts and roles. The ok command generates profiles automatically with consistent naming:

  1. Install the AWS CLI if you haven't already.
  2. Generate AWS CLI configuration by running the following command - your default web browser will automatically open and ask for access as part of the process:

    ok aws generate \
      --sso-start-url "https://osloorigo.awsapps.com/start" \
      --sso-region "eu-west-1" \
      --template 'ok-{{.AccountName}}-{{if eq .RoleName "AWSAdministratorAccess"}}admin{{else if eq .RoleName "OrigoReadOnlyAccess"}}read{{else}}{{.RoleName}}{{end}}'

  3. Copy the content between the two --- markers in the command output into your $HOME/.aws/config file. Create the file if it doesn't already exist.
  4. Run aws sso login --sso-session origo to get a valid SSO access token.
  5. Run aws --profile "<profile-name>" sts get-caller-identity to check that you're able to assume a specific IAM role in a specific account, replacing <profile-name> with one of the profiles in your AWS CLI configuration file.

After this setup, you'll have a profile for each AWS account and role combination. Use these profiles with the AWS CLI by setting the AWS_PROFILE environment variable or using the --profile flag. The shell snippets below make it easier to switch profiles.

Step 3: Improve the command-line experience (optional)

We recommend adding these small functions to your $HOME/.bashrc or $HOME/.zshrc:

  1. Add a shell function sso that makes it easy to switch between AWS CLI profiles on the command-line:

    function sso() {
      # Pick a profile with fzf; bail out if the selection was cancelled so
      # AWS_PROFILE is not exported as an empty string.
      local profile="$(aws configure list-profiles | fzf)"
      [ -n "$profile" ] || return 1
      export AWS_PROFILE="$profile"
      aws sso login
    }
    
  2. Add a shell function sso-browser that makes it easy to open the AWS Console in your browser for a selected AWS CLI profile:

    function sso-browser() {
      local sso_start_url sso_role_name sso_account_id url
      # Pick a profile with fzf; bail out if the selection was cancelled.
      local profile="$(aws configure list-profiles | fzf)"
      [ -n "$profile" ] || return 1
      sso_start_url="https://osloorigo.awsapps.com/start"
      # Read the account and role the profile maps to from $HOME/.aws/config.
      sso_role_name="$(aws configure --profile "$profile" get "sso_role_name")"
      sso_account_id="$(aws configure --profile "$profile" get "sso_account_id")"
      # IAM Identity Center deep link straight into the console for that account/role.
      url="$sso_start_url/#/console?account_id=$sso_account_id&role_name=$sso_role_name"
      if command -v xdg-open >/dev/null 2>&1; then
        xdg-open "$url"    # Linux
      elif command -v open >/dev/null 2>&1; then
        open "$url"        # macOS
      else
        echo "Failed to open default web browser" >&2
        echo "Visit the following URL to log in: $url"
      fi
    }
    
  3. Add a snippet to your shell configuration file that displays the active AWS profile (if any) in your shell prompt, so you always see which account and role your commands will run against:

    if [ "$ZSH_NAME" != "" ]; then
      setopt PROMPT_SUBST
      PROMPT='🚀 %B%F{%(?.blue.red)}%1~%f%b${AWS_PROFILE:+" (🔓 $AWS_PROFILE)"}%F{default} '
    elif [ "$BASH" != "" ]; then
      PS1='\[\033[01;34m\]🚀 \W\[\033[00m\]${AWS_PROFILE:+\[\033[33m\] (🔓 $AWS_PROFILE)\[\033[00m\]} '
    fi
    
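The profiles that Step 2 writes to $HOME/.aws/config and the console link that the sso-browser function above builds, shown together in an added example that is not part of this guide or of the ok tool. The sample config, account ids and profile names are constructed placeholders in the AWS CLI's sso-session layout (the sso-session is named origo, as in Step 2); the small awk parser stands in for aws configure get and aws configure list-profiles so the block runs without any AWS access, and sso_profile_table lets you see at a glance which profile carries the least-privileged role for the task before you export AWS_PROFILE.

```shell
#!/usr/bin/env bash
# Added example (not from the Origo docs or the ok tool): offline parser for
# sso-session style profiles plus the console deep-link used by sso-browser.
# All account ids and profile names below are constructed placeholders.

SSO_START_URL="https://osloorigo.awsapps.com/start"

# Write a constructed sample config in the AWS CLI's sso-session layout to a
# file, so the functions can be exercised without AWS access.
write_sample_config() {
  local file="$1"
  cat > "$file" <<'EOF'
[sso-session origo]
sso_start_url = https://osloorigo.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

[profile ok-dev-admin]
sso_session = origo
sso_account_id = 111111111111
sso_role_name = AWSAdministratorAccess
region = eu-west-1

[profile ok-prod-read]
sso_session = origo
sso_account_id = 222222222222
sso_role_name = OrigoReadOnlyAccess
region = eu-west-1
EOF
}

# Print one key from a [profile NAME] section, i.e. what
# `aws configure --profile NAME get KEY` returns, read straight from the file.
config_get() {
  local profile="$1" key="$2" file="$3"
  awk -v section="profile $profile" -v key="$key" '
    /^\[/ { in_section = ($0 == "[" section "]"); next }
    in_section && $1 == key && $2 == "=" { print $3; exit }
  ' "$file"
}

# List every profile name, one per line, like `aws configure list-profiles`.
config_list_profiles() {
  awk '/^\[profile / { sub(/^\[profile /, ""); sub(/\]$/, ""); print }' "$1"
}

# Build the IAM Identity Center console deep link for a profile; this is the
# URL the sso-browser function opens. Fails if the profile is unknown.
sso_console_url() {
  local profile="$1" file="$2" account_id role_name
  account_id="$(config_get "$profile" sso_account_id "$file")"
  role_name="$(config_get "$profile" sso_role_name "$file")"
  [ -n "$account_id" ] && [ -n "$role_name" ] || return 1
  printf '%s/#/console?account_id=%s&role_name=%s\n' \
    "$SSO_START_URL" "$account_id" "$role_name"
}

# Print "profile  account  role" for every profile so you can pick the
# least-privileged one for the task before exporting AWS_PROFILE.
sso_profile_table() {
  local file="$1" p
  for p in $(config_list_profiles "$file"); do
    printf '%-16s %s  %s\n' "$p" \
      "$(config_get "$p" sso_account_id "$file")" \
      "$(config_get "$p" sso_role_name "$file")"
  done
}

SAMPLE_CONFIG="$(mktemp)"
write_sample_config "$SAMPLE_CONFIG"
sso_profile_table "$SAMPLE_CONFIG"
```

Point the functions at your real $HOME/.aws/config instead of SAMPLE_CONFIG to list the profiles the ok command generated; the role column makes it obvious which profiles are read-only, in line with the least-privilege recommendation at the top of this page.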

Questions or issues? Reach out in #utviklerflyt-support on Slack.