AWS AlwaysOn is a browser extension that allows users that use Google Workspace (gsuite) as an IDP provier to AWS, to easily maintain sessions to the AWS console and get temporary STS credentials.
This extension can be used as an alternative to aws-google-auth and doesn't require inputing credentials as long as your Google account is logged in, nor does it suffer from constant Captcha.
The extension was developed for Chrome but works mostly fine on all major browsers except Safari which was untested.
- Refresh AWS Web Console session automatically to keep user logged in.
- Get temporary credentials for assumed role to use for CLI access.
- Automatically update local aws credentials file.
Available directly on Chrome Web Store and Add-ons for Firefox:
* Should technically work with any chromium based browser.
Google Chrome:
Clone this repository.
Go to the Chrome Extensions page.
Enable Developer Mode on the right side of the page.
Press "Load Unpacked".
Pick the project folder.
Mozilla Firefox:
Delete the regular manifest.js and rename the manifest-firefox.js to manifest.js
Go to Addons and themes in the hamburger menu.
Click the wheel and then Debug Add-ons.
Click Load Temporary Add-on... and select the manifest.json file.
First you will need to configure some properties in the Options menu. Each property has additional info that you can read to help you set it up properly.
When you are done, press the Save button and exit the Options menu.
Now you can add your user's IAM role or roles.
Click on the slider to start the token auto refresh procedure.
After enabling the refresh you can also click on the CLI button to get the temporary STS credentials.
Runs a minimalistic webserver on 127.0.0.1:31339 that listens requests for updates from the extension, then makes sure that on every manual/automated refresh of the credentials, the local credentials file gets updated as well.
To enabled this feature, click the toggle in the options menu.
Tested on Windows 11 22H2 and Ubuntu 20.04LTS
cd awsao
go build
sudo install.sh / install.cmd (elevated cmd shell)
- Must be run as
rootornt_authority\systemuser since it can update data for multiple user accounts and needs privileges to get the correct information about networking and processes. - logs requests to a log file, located in /var/log/aosvc.log or c:\ProgramData\aosvc\aosvc.log. If run manually in windows, will create the log in the same directory it's run from.
Full changelog is available here.
Tested and working on:
Chrome - v101
Brave - v1.38.111
Edge - v101
Opera - v86
Firefox - v100
- (Edge) Options UI is smaller than the elements.
- (Opera) Options UI opens in a full tab.
- (low) Make the IAM role session timeout fallback to 3600 if configured more than maximum allowed.
- (low) Add 2nd tier role assumption (using https://signin.aws.amazon.com/switchrole)
- (very_low) Build options menu dynamically like I did with the roles menu.
- Central Settings Management (random thought):
- add "settings are managed by an administrator" checkbox. if true; hide all the regular options. add new option called "management server url". on save, add additional permission to fetch from management_server_url. fetch settings from server(streaming connection?) and update local settings. add option to disable the toggle for management server url(make the toggle one-way).
- create a microservice that gets a request and responds with parameters(extention will pass email). Microservice will be in the customer's datacenter for now.
https://developers.google.com/admin-sdk/directory/v1/guides/manage-users
create roll mapping (group(in gsuite)-role(manual/get from gsuite with api key?)).
- Preset commands (using the client)