ConsoleMe

Account Syncing

Last updated 3 years ago

ConsoleMe uses the AWS credentials you provide to sync your accounts. It currently supports syncing accounts from AWS Organizations, SWAG, and local configuration. If none of these is configured, ConsoleMe will attempt to sync the current account.

Sync Accounts from AWS Organizations

ConsoleMe can sync accounts from your AWS Organizations master account. This requires a role on your AWS Organizations master account that ConsoleMe can assume with sts:AssumeRole.

Set the following configuration values in your ConsoleMe YAML configuration file:

cache_accounts_from_aws_organizations:
  # This is a list of the account IDs of your AWS organizations master(s)
  - organizations_master_account_id: "123456789012"
    # This is the name of the role that consoleme will attempt to assume on
    # your Organizations master account to call organizations:listaccounts.
    organizations_master_role_to_assume: "ConsoleMe"

Sync Accounts from SWAG

ConsoleMe can sync your organization's accounts from SWAG's API URL. If you store third-party accounts in SWAG that you do not want ConsoleMe to sync, use the expected_owners configuration to sync only the desired accounts.

ConsoleMe needs the following configuration values to sync accounts from SWAG:

retrieve_accounts_from_swag:
  base_url: 'https://swag.example.com/'
  # Optional
  expected_owners:
    - exampleOrg

Sync Accounts from Configuration

Account IDs should be quoted in YAML so that they are interpreted as strings. An account ID can start with the number 0, and that leading digit would be dropped if the ID were interpreted as an integer.

Here is the required configuration:

account_ids_to_name:
  "123456789012":
    - default_account
  "123456789013":
    - prod
  "123456789014":
    - test
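
The quoting rule above can be checked before deployment. The following linter is an added example, not part of ConsoleMe; it scans the configuration text for `account_ids_to_name` keys that are unquoted or are not 12 digits long. The function name `lint_account_ids` and the sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample config (not from the ConsoleMe docs): the first key is
# quoted correctly, the second is unquoted with a leading zero, and the third
# is quoted but only 11 digits long.
SAMPLE_CONFIG = """\
account_ids_to_name:
  "123456789012":
    - default_account
  012345678901:
    - prod
  "12345678901":
    - test
retrieve_accounts_from_swag:
  base_url: 'https://swag.example.com/'
"""

# An indented mapping key on its own line, e.g.   "123456789012":
KEY_LINE = re.compile(r"^(\s+)([^\s#-][^:]*):\s*(?:#.*)?$")
# A key that is quoted and exactly 12 digits, the form the page asks for.
QUOTED_ID = re.compile(r"""^(["'])\d{12}\1$""")


def lint_account_ids(config_text):
    """Return (line_number, key, problem) for each bad account_ids_to_name key."""
    findings, in_block, key_indent = [], False, None
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            # A top-level key either opens or closes the block being checked.
            in_block = line.split("#")[0].strip() == "account_ids_to_name:"
            key_indent = None
            continue
        match = KEY_LINE.match(line) if in_block else None
        if not match:
            continue  # outside the block, or a list item such as "- prod"
        indent, key = match.group(1), match.group(2).strip()
        key_indent = key_indent or indent
        if indent != key_indent or QUOTED_ID.match(key):
            continue  # nested key, or a correctly quoted account ID
        if key.isdigit():
            problem = "unquoted: may load as an integer and drop a leading zero"
        else:
            problem = "not a quoted 12-digit account ID"
        findings.append((lineno, key, problem))
    return findings
```

Run against the sample, it reports the unquoted key on line 4 and the 11-digit key on line 6, and returns an empty list for a correctly quoted file.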

Fallback: Sync the Current Account

As a fallback mechanism, ConsoleMe will attempt to sync the current account using sts:getCallerIdentity and iam:listAccountAliases. ConsoleMe attempts to do this during initial installation if no other configuration has been provided.

You can also optionally provide configuration that explicitly provides ConsoleMe with a mapping of your account IDs to account names. You can provide this list either in your local configuration, or (as an administrator) your dynamic configuration at https://your_consoleme_url/config.