Add Support for AWS Multi-Session in aws-extend-switch-roles #358

Open
tsgoff opened this issue Jan 15, 2025 · 17 comments
@tsgoff

tsgoff commented Jan 15, 2025

AWS has introduced Multi-Session support for the console, allowing users to open multiple sessions with different roles in the same browser.

Documentation: AWS Multi-Session Support

It would be great if the aws-extend-switch-roles tool could support this new feature, enabling seamless integration with the AWS console.

Goal:

Enhance aws-extend-switch-roles to support Multi-Session functionality, allowing users to efficiently manage multiple AWS roles simultaneously.

Benefits:
• Improved user experience by seamlessly managing multiple roles.
• Increased productivity by reducing role-switching delays.
• Full utilization of AWS’s new Multi-Session feature.

@audioe

audioe commented Jan 15, 2025

+1 please :)

@pimperator

++ please

@trsludwig

+++ please

@tilfin tilfin self-assigned this Jan 17, 2025
@BobDu

BobDu commented Jan 17, 2025

++++ please

@tilfin
Member

tilfin commented Jan 18, 2025

I'm encountering an issue with the multi-session feature in the AWS Management Console.

The following image shows the menu after I've already switched from my initial login account to another profile (account/role) with multi-session enabled.

From this state, clicking the "New role" link (circled in red in the image) to switch to yet another role doesn't seem to work.
Is anyone else experiencing this?

@QuentinBtd

@tilfin Just tried: it opened a new tab on the Switch Role page.

From this page, I tried to assume a role on another account

The selected session doesn't have permission to switch to that role

Since the page is opened with one of the “final” accounts using an assumed role, and not with the root account that has permissions to assume the “final” role, access is restricted.

@tilfin
Member

tilfin commented Jan 19, 2025

@QuentinBtd Thanks!

It seems the root cause of this problem is that the AWS Management Console's multi-session feature now supports role chaining, which was not the case previously. This is not a problem, it's a specification change.

@tilfin tilfin pinned this issue Jan 19, 2025
@duttonw

duttonw commented Jan 22, 2025

Unsure what else would need to be altered, but this regex would need to change:
https://github.com/tilfinltd/aws-extend-switch-roles/blob/main/src/js/popup.js#L201
const mdsd = aURL.host.match(/^(([a-z]{2}-[a-z]+-[1-9]).)?console.aws/);

something like
((\d+-\w+)\.){0,1}(([a-z]{2}\-[a-z]+\-[1-9])\.)?console\.aws

group2 is the 'new multi session' key
group4 is the region

Image

looking at
https://developer.chrome.com/docs/extensions/develop/concepts/match-patterns

I'm unsure if the manifest.json match needs to be uplifted if it can't glob sub sub domains.

i.e.

"matches": [
        "https://*.console.aws.amazon.com/*",
...

to

"matches": [
${repeat for all regions}
        "https://*.${region}.console.aws.amazon.com/*",
...
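
The host parsing proposed in the comment above, written out as an added example (not code from the extension or from the commenter). The sample URLs are constructed, the `<digits>-<word>.<region>.console.aws.amazon.com` host shape is assumed from the proposed regex and the manifest pattern, and `looseMatches` and `parseConsoleHost` are hypothetical names.

```javascript
// Added example. Host shapes are assumptions taken from the regex proposed above.
// Pattern as quoted on this page: dots unescaped, no end anchor, no session label.
const LOOSE_RE = /^(([a-z]{2}-[a-z]+-[1-9]).)?console.aws/;

// Strict variant: optional "<digits>-<word>" session label, optional region,
// literal dots, and the full console domain anchored at both ends.
const STRICT_RE =
  /^(?:(?<session>\d+-\w+)\.)?(?:(?<region>[a-z]{2}-[a-z]+-[1-9])\.)?console\.aws\.amazon\.com$/;

function looseMatches(hostname) {
  return LOOSE_RE.test(hostname);
}

// Returns { session, region } (null when a label is absent), or null when the
// URL is not an https console URL under console.aws.amazon.com.
function parseConsoleHost(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== 'https:') return null;
  const m = STRICT_RE.exec(url.hostname); // hostname excludes port and userinfo
  if (!m) return null;
  return { session: m.groups.session ?? null, region: m.groups.region ?? null };
}

// Constructed sample URLs (not taken from the issue).
const SAMPLES = [
  'https://console.aws.amazon.com/',
  'https://us-east-1.console.aws.amazon.com/ec2/home',
  'https://123456789012-abcd1234.us-east-1.console.aws.amazon.com/console/home',
  'https://console.aws.amazon.com.example.net/',
];

for (const s of SAMPLES) {
  const host = new URL(s).hostname;
  console.log(host, 'loose:', looseMatches(host), 'strict:', JSON.stringify(parseConsoleHost(s)));
}
```

On the manifest question: Chrome's match-pattern documentation states that a `*.` host prefix matches the named host and any of its subdomains, so `https://*.console.aws.amazon.com/*` also covers the deeper `<session>.<region>` hosts.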

@tanel-andreson

+1 please

@duttonw

duttonw commented Jan 23, 2025

From: chrome-extension://jpmkfafbacpgapdghgdpembnojdlgkdl/updated.html

AWS Extend Switch Roles - Update Notice

Multi-Session Support

Support for the new AWS Management Console "Multi-Session" feature, enabling simultaneous sign-in to multiple AWS accounts in different browser tabs.
The AWS Management Console now supports simultaneous sign-in for multiple AWS accounts - AWS

  • Maintain up to 5 different AWS account sessions in separate browser tabs
  • Each tab's session is managed independently, allowing for more flexible operations
  • Role chaining capability is now available. However, switch role targets are limited to the user context of the currently active browser tab.
  • Keep your organization's main account tab open, and switch to the target roles to work from it as needed.

'Automatic tab grouping for multi-session' setting (Experimental, Supporters only)

This feature automatically organizes tabs from the same AWS Management Console multi-session into tab groups. When a tab group is removed, the corresponding session will be automatically signed out.

  • Improves visibility by grouping tabs by profile name
  • Tab group color is automatically selected from 9 fixed colors closest to the profile-defined color
  • Supported only in Chrome and Edge versions that support tab groups
  • We recommend using Delete group instead of Close Group as both actions will trigger session sign-out.

Image

To open a new tab in the same group:

  • Windows: Hold down the Control key while clicking a link
  • macOS: Hold down the Command key while clicking a link

6.0.0 New version!

  • Add support for multi-session on the AWS Management Console
  • Add support for multi-level source profile references to enable role chaining
  • Add experimental feature: Automatic tab grouping for multi-session for supporters

@tilfin
Member

tilfin commented Jan 23, 2025

@duttonw Thanks!

The review has been completed and published on platforms other than Edge.

@QuentinBtd

Thank you!

Role chaining capability is now available. However, switch role targets are limited to the user context of the currently active browser tab.

I'm curious (I'm not a dev): do you know if it could be possible to execute the "assume role" action from the tab with the allowed context to assume the role, without the user displaying this tab?

@Alan111S

I've found an issue with multi-session.

After logging in to a new session, I don't have anything in the AWS Extend Roles Extension Account List.

Browser is Chrome Version 132.0.6834.83 (Official Build) (arm64)

I have to refresh to get my list to show up.

Just after logging in:-

Image

After Refresh:-

Image

@cspotcode

cspotcode commented Jan 24, 2025

I am hitting the error related to role chaining.

Switch failed: this session doesn't have permission to switch to target profile.

I understand how to avoid it, yet the workaround is less ergonomic than I would hope. This leads me to suspect I should configure aws-extend-switch-roles differently.

We have:

  • a single login account
  • 3x accounts for each environment: prod, stage, qa

We can assume-role into each environment account from the login account, but cannot (and have no reason to) assume-role from one env account to another.

Suppose I want to view our QA account, the workflow is:

  • Open a new tab with AWS console. It is showing the PROD account.
  • Click AWS Extend Switch Roles, click QA account.
  • See the error.

Am I thinking about this wrong? I understand it's attempting to role-chain, but is there a configuration to prevent this? So that, when I click the QA account, I'm taken to the QA account? It needs to assume-role from login to QA, not from PROD to QA.

I know I can take extra steps to switch to a new session, switch that session into our login account, then switch from there to QA. If those steps are always necessary, then that's a bummer. Is there a better way?

@jgard

jgard commented Jan 24, 2025

@cspotcode,
In the change notes it says:

Keep your organization's main account tab open, and switch to the target roles to work from it as needed.

Which works fine for me. I just pin the first tab from our login/identity account and use that throughout the day to launch tabs for other accounts. I agree this is different and a bit more cumbersome than previously, but if I understand AWS's implementation of multi-session correctly, this is the best this plugin can do for now.

@duttonw

duttonw commented Jan 25, 2025

Also, once you have opened a 'session', you can open a new tab to that session from the normal AWS user drop-down menu. If you go back to the 'standard' legacy console, it will give you a screen to choose which 'session' you wish to open instead.

@Alan111S

After writing this comment #358 (comment)

I now understand what is happening. AWS Extend Roles works ok on the main session where I logged in originally but not on any of the sub-account sessions. Hope that makes it clearer.
