Here at Lincoln Loop we manage many clients, most of whom follow the AWS best practice of isolating environments such as dev, staging and production in separate AWS accounts. Some even have separate accounts for different teams, each also broken out into dev, staging and prod. This means that on a given day we switch AWS profiles a lot. Managing credentials manually, or worse, relying on clunky CLI profile switching, can quickly become tedious, error-prone, and very frustrating.
To mitigate this, we use granted to streamline how we assume roles across different AWS accounts, and it has significantly improved our daily workflows.
What is granted?
granted is an open-source CLI tool developed by Common Fate. It’s designed to make assuming AWS IAM roles simple, fast, and secure. This is especially important when you are juggling access to multiple AWS accounts and environments.
Key features we love:
- Single command to assume roles across different profiles and accounts.
- Browser-based SSO login when needed (works seamlessly with AWS SSO or IAM Identity Center).
- Temporary credential management handled automatically.
- Support for multiple credential sources (SSO, IAM roles, federated login, etc).
- Session expiration notifications to avoid those “permission denied” surprises.
- Isolated browser environments via extensions for Firefox and Chrome (and all Chromium-based browsers).
Our Challenge: Managing Many AWS Accounts
Before adopting granted, our options looked something like:
- Manually updating ~/.aws/credentials and ~/.aws/config
- Using custom scripts to manage temporary tokens
- Switching AWS CLI profiles and environment variables constantly
- Re-authenticating frequently with AWS SSO CLI commands
- Dealing with expired sessions at the worst possible times
When you work across five, ten, or even more accounts in a single day, it adds up fast.
We needed something frictionless that gives us fast access, quick switches and minimal context loss.
How We Use granted
We set up granted alongside our existing AWS CLI configuration. Here’s what our typical setup looks like:
1. Install granted
You can install it with Homebrew on macOS:
brew install common-fate/granted/granted
Or by downloading a release from GitHub. Releases are available for OSX, Linux and Windows.
2. Configure Profiles
We keep our AWS profiles in ~/.aws/config, just like before. For example:
[profile dev-account]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = Developer
region = us-east-1
[profile prod-account]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 210987654321
sso_role_name = Admin
region = us-east-1
No need for a big shift if you already use AWS SSO!
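An added example, not from the original post or from granted itself: a Python check that reads the two AWS files mentioned above and reports which profiles use SSO settings like those shown and which still have access keys stored in ~/.aws/credentials. The function name, the `legacy-scripts` profile and the key values are constructed for illustration, and only the SSO keys used in the profiles above are recognized.

```python
import configparser

SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")

# Constructed sample input, modelled on the profiles shown above.
SAMPLE_CONFIG = """
[profile dev-account]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = Developer
region = us-east-1
[profile legacy-scripts]
region = us-east-1
"""

# Constructed sample: placeholder values, not real credentials.
SAMPLE_CREDENTIALS = """
[legacy-scripts]
aws_access_key_id = EXAMPLE_ACCESS_KEY_ID
aws_secret_access_key = EXAMPLE_SECRET_ACCESS_KEY
"""

def audit_profiles(config_text, credentials_text):
    """Map each profile name to how it obtains credentials."""
    config = configparser.ConfigParser(interpolation=None)
    config.read_string(config_text)
    creds = configparser.ConfigParser(interpolation=None)
    creds.read_string(credentials_text)
    report = {}
    for section in config.sections():
        # ~/.aws/config names sections "profile <name>" (except "default").
        name = section.removeprefix("profile ").strip()
        present = [k for k in SSO_KEYS if k in config[section]]
        if len(present) == len(SSO_KEYS):
            report[name] = "sso"
        elif present:
            report[name] = "incomplete-sso"
        else:
            report[name] = "other"
    for name in creds.sections():
        # A key stored on disk is the finding, so it replaces the config label.
        if "aws_access_key_id" in creds[name]:
            temporary = "aws_session_token" in creds[name]
            report[name] = "temporary-keys" if temporary else "static-keys"
    return report

if __name__ == "__main__":
    print(audit_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS))
```

To audit a real workstation, pass the contents of ~/.aws/config and ~/.aws/credentials instead of the samples; profiles reported as `static-keys` are the ones still depending on manually managed credentials.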
3. Assume Roles with Ease
Instead of manually setting environment variables or running aws sso login for each account, we just:
assume dev-account
or
assume prod-account
Under the hood, granted automatically refreshes credentials if needed, assumes the role, and exports environment variables. You can even spawn new shell sessions already authenticated to the right account, which is perfect for keeping dev, staging, and production environments isolated.
Want a new terminal window automatically set to the right account? You can even alias it:
assume dev-account --exec zsh
4. Open the AWS Console Directly
Granted can also do a couple of other neat tricks, including opening the AWS Console in the browser of your choice. This works via a Firefox Add-on or a Chrome Extension, which works in all Chromium-based browsers, including Microsoft Edge. Being able to open different accounts in different tabs is a lifesaver if you do a lot of interacting with the Console.
assume dev-account -c   # or --console
Or even directly to a service, RDS for instance:
assume dev-account -s rds
Why We Recommend It
- Faster switching between accounts
- Fewer login prompts throughout the day
- Better isolation between environments (dev vs staging vs prod)
- More security as granted sessions expire cleanly instead of hanging around forever
- Works with existing AWS SSO setup with minimal configuration changes
Overall, granted has been a low-overhead way for our team to stay productive without sacrificing security, while adhering more closely to best practices.
Wrapping Up
If your team works across multiple AWS accounts, whether for clients, internal projects, or separate environments, we highly recommend checking out granted.
It’s easy to adopt, easy to use, and will save you hours of annoying session management every month.