A few months ago AWS Identity Centre relesed a feature to generate links to AWS Console Pages in member Accounts.
Using this feature in your CI workflow really improves the Developer Experience, being able to go straight from a Deployment Error in GitHub to the AWS Console can be a great way to streamline debugging the issue.
Their isn't an API to generate these these so you'll have to start constructing them yourself.
The format for the url
/#/console?account_id=$AWS_ACCOUNT_ID&role_name=$ROLE_NAME&destination=$CONSOLE_URL
The url parameter role_name
is optional, if you don't specify it then the
person following the link will be asked to choose a Role when entering the
Account.
https://[your_subdomain].awsapps.com/start/#/console?account_id=[account_ID]&role_name=[permission_set_name]&destination=[destination_URL]
I've found using jq
to be a reliable way to URL Encode the Parameters we need
to append.
urlencode () { jq -Rr @uri <<< $1 ;}
A useful places to start an investigation from is CloudTrail.
CLOUDTRAIL_CONSOLE_URL="https://${AWS_REGION}.console.aws.amazon.com/cloudtrailv2/home?region=${AWS_REGION}#/events?"
If we just use a link to the CloudTrail Console then we've helped people get to the right destination but there's more we can do filter down the noise.
When we're assuming Roles from CI it's a great idea to build a Role Session Name that identifies this CI Run, you can then correlate actions taken.
In Github Actions we can take some information from the Github Context to build Role Session Name
AWS constrains the maximum length of a ROLE_SESSION_NAME
to 64 characters. So
we must truncate our length here, we chop off the end of our SHA. This should
be acceptable, and provide enough fidelity.
github_role_session_name.sh
SHA=${PR_HEAD_SHA:-${GITHUB_SHA}}
ROLE_SESSION_NAME="${GITHUB_RUN_ID}.${GITHUB_RUN_ATTEMPT}+${SHA}"
echo "value=${ROLE_SESSION_NAME:0:64}" >> "${GITHUB_OUTPUT}"
- name: Role Session Name
id: role-session-name
env:
GH_TOKEN: ${{ inputs.github-token }}
PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
shell: bash
run: github_role_session_name.sh
to scope CloudTrail Events
CLOUDTRAIL_CONSOLE_URL="https://${AWS_REGION}.console.aws.amazon.com/cloudtrailv2/home?region=${AWS_REGION}#/events?Username=${ROLE_SESSION_NAME}"
AWS_IDENTITY_CENTRE_SUBDOMAIN="YOUR_SUBDOMAIN"
AWS_IDENTITY_CENTRE_BASE_URL="https://${SUBDOMAIN}.awsapps.com/start/#/console?"
CONSOLE_URL=$(urlencode "${CLOUDTRAIL_CONSOLE_URL}")
LINK_URL="${AWS_IDENTITY_CENTRE_BASE_URL}&account_id=${AWS_ACCOUNT_ID}&destination=${CONSOLE_URL}"
This small improvement can have a big impact on how integrated your developers feel about AWS and Github Actions.
An of course this technique can be expanded further by generate links to other Resources some ideas:
- S3 Buckets
- CloudWatch Log Groups
- ECS Deployments
- CloudFormation Resources