by sameg14 1351 days ago
Multiple AWS accounts make life a living nightmare. We have 38 AWS accounts and it is incredibly difficult to maintain each one of them. IAM, and even worse cross-account IAM, is horrible to author and maintain! Keeping track of resource limits and billing sucks. When using SSO, which we do, you cannot have more than one account open in the same browser at the same time. Use GCP instead, segregate your infra by project, use Cloud Identity/IAM and keep the head of hair you had in your 20s! You've been warned...

You don't need to sso in each and every account, you can just have a user in the main org (or at any point in the org tree that is most appropriate) and assume the role within the account you want to manage.
The browser will only remember the last 5 roles you’ve assumed, so it’s still a pain.
That UX is atrocious.
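The "one identity, assume a role per account" pattern from the comment above, as an added example (not from any commenter): it generates AWS CLI `~/.aws/config` profiles where every per-account profile points at a single `source_profile` via `role_arn`, so a user only authenticates once. The profile names, the 12-digit account IDs and the MFA device ARN are constructed placeholders; `OrganizationAccountAccessRole` is the role AWS Organizations creates by default in member accounts.

```python
"""Build and inspect AWS CLI profiles that assume a role in each member
account from one identity profile (added example, constructed values)."""
import configparser
import io
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")  # AWS account IDs are exactly 12 digits


def build_aws_config(source_profile, accounts, role_name="OrganizationAccountAccessRole",
                     region="us-east-1", mfa_serial=None):
    """Return ~/.aws/config text: one credential-holding profile plus one
    role-assuming profile per member account. Rejects malformed account IDs
    so a typo cannot silently point a profile at someone else's account."""
    cfg = configparser.ConfigParser()
    cfg[f"profile {source_profile}"] = {"region": region}
    for name, account_id in accounts.items():
        if not ACCOUNT_ID.match(account_id):
            raise ValueError(f"profile {name!r}: bad account id {account_id!r}")
        section = {
            "role_arn": f"arn:aws:iam::{account_id}:role/{role_name}",
            "source_profile": source_profile,  # credentials come from here
            "region": region,
        }
        if mfa_serial:
            # Forces an MFA prompt before STS hands out role credentials.
            section["mfa_serial"] = mfa_serial
        cfg[f"profile {name}"] = section
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def role_profiles(config_text):
    """Parse config text and map each role-assuming profile to its role ARN,
    checking that every source_profile it references actually exists."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    out = {}
    for section in cfg.sections():
        if not section.startswith("profile ") or not cfg.has_option(section, "role_arn"):
            continue
        src = cfg[section].get("source_profile")
        if src is not None and f"profile {src}" not in cfg:
            raise ValueError(f"{section}: unknown source_profile {src!r}")
        out[section[len("profile "):]] = cfg[section]["role_arn"]
    return out


if __name__ == "__main__":
    # Constructed sample: two member accounts behind one identity profile.
    text = build_aws_config("org-main", {"prod": "111111111111", "dev": "222222222222"},
                            mfa_serial="arn:aws:iam::999999999999:mfa/alice")
    print(text)
    print(role_profiles(text))
```

With this in place, `aws --profile prod sts get-caller-identity` assumes the role without a separate login per account.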

Substrate [1] instead presents you with a list of all your accounts with a link to assume your role in that account in the AWS Console (and parallel tools for assuming that role in a terminal, too).

[1] <https://src-bin.com/substrate/>

We use Okta and put people in groups so I'm not sure if that would work.
> When using SSO, which we do, you cannot have more than one account open in the same browser at the same time.

http://willthames.github.io/2018/02/28/managing-multiple-aws...

You're welcome :)

Curious / product research: Are your 38 accounts all in the same organization? Do you have any human IAM users left or is it all IdP, all the time? Do you use Terraform or anything like it?

Also, yes, a pox on the single-player AWS Console. I’ve at least found a way to logout from one account and login to another in the same motion but it’s still a poor experience.

Yeah, all accounts are in the same OU. We do have human IAM users but those are "legacy". Nowadays Okta has been the preferred method of accessing the AWS console and CLI. We do use Terraform but that is also fragmented since each team has the freedom to innovate in their own way. People use CDK, SAM, CloudFormation, Terraform etc. This fracturing of IaC techniques has been a natural consequence of having too many silos, a.k.a. accounts, and has made it hard to enforce consistency. I think having 2 or 3 accounts is probably ok for a small to medium size org. We are 96 humans so far.
Interesting. Thanks for the detailed response. Another, more positive way to look at one aspect of your architecture is that the AWS account boundary prevents most cases of dueling configuration management, with two tools changing the same resource back and forth forever.
I guess you could use Firefox container tabs?
This open source project might just be what you are looking for https://docs.commonfate.io/granted/introduction/
That nightmare is the reason why I started my OSS project https://github.com/Noovolari/leapp