Repository files navigation

Extend your AWS IAM switching roles by Chrome extension, Firefox add-on, or Edge add-on

Switch role history only stores the last 5 roles (maximum) on the AWS Management Console.This extension shows a menu of switchable roles that you can configure manually.

• Supports the Sync feature on all sorts of browsers
• Not support switching between AWS accounts you sign into with AWS SSO or SAML solution providers directly
• Experimental support formulti-session on the AWS Management Console

A browser plug-in goes with security risks. AWS Management Console allows you to manipulate your essential data.

This extension does not restrict the use of other compatible browsers. The version restrictions are only due to the JavaScript language features used.

• AWS Extend Switch Roles - Chrome Web Store
• AWS Extend Switch Roles :: Add-ons for Firefox
• AWS Extend Switch Roles - Microsoft Edge Addons

Left-click the extension, click "Configure", enter your configuration in the text box, and click "Save".You can write the configuration in INI format like~/.aws/config or~/.aws/credentials.

The simplest configuration is for multipletarget roles when you always intend to show the whole list.Target roles can be expressed with arole_arn or with bothaws_account_id androle_name.

• color - The RGB hex value (without the prefix '#') for the color of the header bottom border and around the current profile.
• region - Changing the region whenever switching the role if this parameter is specified.
• image - The uri of an image to use on top of any color attribute supplied. The color and image are not mutually exclusive.

[profile marketingadmin]role_arn = arn:aws:iam::123456789012:role/marketingadmincolor = ffaaee[anotheraccount]aws_account_id = 987654321987role_name = anotherroleregion=ap-northeast-1[athirdaccount]aws_account_id = 987654321988role_name = athirdroleimage = "https://via.placeholder.com/150"

More complex configurations involve multiple AWS accounts and/or organizations.

• A profile specified by thesource_profile of the others is defined as abase account.

• If your account is aliased, you specifyaws_account_alias inbase account.

• If anrole_name is specified in abase account it will also check for the role that is used to login to AWS. This can be used to select a subset of accounts when you are using an SSO IdP to login to AWS. If a role name starts withAWSReservedSSO_, the value should be only thepermission set name.

• Atarget role is associated with abase account by itssource_profile specifying the profile name of the base account.

• As above,target roles can be expressed with arole_arn or with bothaws_account_id androle_name and can optionally pass the optional parameters.

• Iftarget_role_name is set inbase account, the value is provided as the default role name for eachtarget roles.

• Iftarget_region is set inbase account, the value is provided as the default region for eachtarget roles.

[organization1]aws_account_id = 000011112222aws_account_alias = your-account-alias ; If your account is aliased[Org1-Account1-Role1]role_arn = arn:aws:iam::123456789012:role/Role1source_profile = organization1[Org1-Account1-Role2]aws_account_id = 123456789012role_name = Role2source_profile = organization1[Org1-Account2-Role1]aws_account_id = 210987654321role_name = Role1source_profile = organization1[baseaccount2]aws_account_id = 000000000000[Base2-Role1]role_arn = arn:aws:iam::234567890123:role/Role1source_profile = baseaccount2[AnotherRole]role_name = SomeOtherRoleaws_account_id = account-3-alias;; target_role_name example;[Org2-BaseAccount]aws_account_id = 222200000000target_role_name = Developer[Org2-Account1-Developer]aws_account_id = 222200001111source_profile = Org2-BaseAccount[Org2-Account2-Manager]aws_account_id = 222200002222role_name = Manager ; overrides target role namesource_profile = Org2-BaseAccount;; base account with role_name example;[Org3-BaseAccount1]aws_account_id = 333300000000role_name = Entry-Role-1 ; Role for Federated Login, or User to login[Org3-BaseAccount2]aws_account_id = 333300000000aws_account_alias = mycompanyrole_name = custom_permission-set ; DO NOT set AWSReservedSSO_custom_permission-set_0123456890abcdef[Org3-Account1-Role1]aws_account_id = 333300001111role_name = Role1source_profile = Org3-BaseAccount1[Org2-Account2-Role2]aws_account_id = 222200002222role_name = Role2source_profile = Org3-BaseAccount2

If you sign-in a base account, target roles of the other base accounts are excluded.

The 'Show only matching roles' setting is for use with more sophisticated account structures where you're using AWS Organizations with multiple accounts along with AWS Federated Logins via something like Active Directory or Google GSuite. Common practice is to have a role in the master account that is allowed to assume a role of the same name in other member accounts. Checking this box means that if you're logged in to the 'Developer' role in the master account, only member accounts with a role_arn ending in 'role/Developer' will be shown. You won't see roles that your current role can't actually assume.

• Hide account id hides the account_id for each profile.
• Show only matching roles filters to only show profiles with roles that match your role in your master account.
• Automatic tab grouping for multi-session (Experimental, Supporters only) automatically organizes tabs from the same AWS Management Console multi-session into tab groups. The tab group name will be the corresponding profile name. When a tab group is removed, the corresponding session will be automatically signed out.
• Sign-in endpoint in current region (Experimental, Supporters only) instead ofsignin.aws.amazon.com when you browse a non-global page in AWS Management Console. For those working geographically far from Virginia, the switch role may be a little faster.
• Automatically assume last assumed role (Experimental) automatically assumes last assumed role on the next sign-in if did not back to the base account and signed out.temporarily disabled
• Configuration storage specifies which storage to save to. 'Sync' can automatically share it between browsers with your account but cannot store many profiles. 'Local' is the exact opposite of 'Sync.'
• Visual mode specifies whether light mode or dark mode is applied to the UI appearance.

• Config sender extension allowed by theID can send your switch roles configuration to this extension.'Configuration storage' forcibly becomes 'Local' when the configuration is received from a config sender.See how to make your config sender extension.