cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License
537 stars 181 forks

Possible to show account aliases with role ARNs? #89

Closed max-rocket-internet closed 6 years ago

max-rocket-internet commented 6 years ago

Currently it looks like this when we have to choose which account role to assume:

$ aws-google-auth --idp-id xxxxxxx --sp-id 6666666 --username user.name@domain.com --duration 43200 --ask-role
Failed to import U2F libraries, U2F login unavailable. Other methods can still continue.
Google Password:
Open the Google App, and tap 'Yes' on the prompt to sign in ...
[  1] arn:aws:iam::111111:role/sso/sso-administrator
[  2] arn:aws:iam::22222:role/sso/sso-administrator
[  3] arn:aws:iam::333333:role/sso/sso-administrator
[  4] arn:aws:iam::44444:role/sso/sso-administrator
Type the number (1 - 4) of the role to assume: 4
Assuming arn:aws:iam::4444444:role/sso/sso-administrator
Credentials Expiration: 2018-08-02 19:19:07+02:00

Problem is that these ARNs are not very informative as one would have to remember the AWS account number.

Is it possible to show the account alias?

When you do Google SSO auth (using SAML) to the AWS console, it shows the account aliases like this:

Account: my-account-1 (1111111)
Account: my-account-2 (22222)
etc
stevemac007 commented 6 years ago

I believe the --resolve-aliases parameter is what you want - the actual aliases are not in the SAML payload, and so using this flag actually assumes each role and loads the account alias from that role.

Hopefully this gives you what you need.
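As an added illustration of the mechanism stevemac007 describes (this is not aws-google-auth's own code), the following Python sketch parses the SAML `Role` attribute into (role ARN, SAML provider ARN) pairs, resolves each account's alias by assuming the role and calling `iam:ListAccountAliases` with the temporary credentials, and renders a chooser that shows `alias (account-id)` next to each ARN, falling back to the bare account ID when a role cannot read its alias. The boto3-backed resolver is assumed to match what `--resolve-aliases` does; the menu builder takes any resolver so it can be exercised offline with a stub. Worth knowing before turning the flag on: every account in the list gets an `AssumeRoleWithSAML` and an IAM read, so these show up in each target account's CloudTrail, and the role needs `iam:ListAccountAliases` for the alias to appear.

```python
"""Resolve AWS account aliases for SAML role ARNs (added example, not project code)."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Real account IDs are 12 digits; \d+ also accepts the redacted IDs quoted in the issue.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d+):role/.+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d+):saml-provider/.+$")

# A resolver takes (role_arn, principal_arn) and returns the alias, or None on failure.
AliasResolver = Callable[[str, str], Optional[str]]


def account_id_from_role_arn(arn: str) -> str:
    """Extract the account ID from a role ARN; reject anything that is not a role ARN."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return m.group(1)


def parse_saml_role_attribute(values: List[str]) -> List[Tuple[str, str]]:
    """Turn SAML 'Role' attribute values ('role_arn,provider_arn', accepted in either
    order) into (role_arn, principal_arn) tuples, rejecting malformed or mixed-account pairs."""
    pairs: List[Tuple[str, str]] = []
    for value in values:
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        role = next((p for p in parts if ROLE_ARN_RE.match(p)), None)
        provider = next((p for p in parts if PROVIDER_ARN_RE.match(p)), None)
        if role is None or provider is None:
            raise ValueError(f"expected one role ARN and one saml-provider ARN: {value!r}")
        provider_account = PROVIDER_ARN_RE.match(provider).group(1)
        if account_id_from_role_arn(role) != provider_account:
            raise ValueError(f"role and provider belong to different accounts: {value!r}")
        pairs.append((role, provider))
    return pairs


def make_boto3_resolver(saml_assertion_b64: str) -> AliasResolver:
    """Resolver doing what --resolve-aliases is described as doing: assume the role with
    the SAML assertion, then call iam:ListAccountAliases using the temporary credentials.
    Each call is one AssumeRoleWithSAML plus one IAM read in the target account (visible in
    that account's CloudTrail); a role lacking iam:ListAccountAliases yields None."""
    import boto3  # imported here so the offline parts of this file need no AWS SDK
    from botocore.exceptions import ClientError

    def resolve(role_arn: str, principal_arn: str) -> Optional[str]:
        try:
            creds = boto3.client("sts").assume_role_with_saml(
                RoleArn=role_arn, PrincipalArn=principal_arn, SAMLAssertion=saml_assertion_b64,
            )["Credentials"]
            iam = boto3.client(
                "iam",
                aws_access_key_id=creds["AccessKeyId"],
                aws_secret_access_key=creds["SecretAccessKey"],
                aws_session_token=creds["SessionToken"],
            )
            aliases = iam.list_account_aliases()["AccountAliases"]
            return aliases[0] if aliases else None
        except ClientError:
            return None

    return resolve


def build_role_menu(pairs: List[Tuple[str, str]], resolve: Optional[AliasResolver] = None) -> List[str]:
    """Render the chooser lines. With a resolver, each account is resolved once (via the
    first role seen for it) and shown as 'alias (id)'; without one, or when resolution
    fails, only the account ID is shown before the ARN."""
    alias_by_account: Dict[str, Optional[str]] = {}
    lines: List[str] = []
    for index, (role_arn, principal_arn) in enumerate(pairs, start=1):
        account = account_id_from_role_arn(role_arn)
        if resolve is not None and account not in alias_by_account:
            alias_by_account[account] = resolve(role_arn, principal_arn)
        alias = alias_by_account.get(account)
        label = f"{alias} ({account})" if alias else account
        lines.append(f"[{index:>3}] {label}  {role_arn}")
    return lines


# Constructed sample: the four roles from the issue, paired with a hypothetical
# "Google" SAML provider in each account.
SAMPLE_ROLE_ATTRIBUTE = [
    f"arn:aws:iam::{acct}:role/sso/sso-administrator,arn:aws:iam::{acct}:saml-provider/Google"
    for acct in ("111111", "22222", "333333", "44444")
]

if __name__ == "__main__":
    # Constructed stub standing in for the boto3 resolver: the third account has no alias.
    fake_aliases = {"111111": "my-account-1", "22222": "my-account-2", "44444": "my-account-4"}
    stub = lambda role_arn, _p: fake_aliases.get(account_id_from_role_arn(role_arn))
    for line in build_role_menu(parse_saml_role_attribute(SAMPLE_ROLE_ATTRIBUTE), stub):
        print(line)
```

In a real run you would pass `make_boto3_resolver(assertion)` in place of the stub, where `assertion` is the base64 SAML response the IdP returned; the stub only exists so the menu logic can be checked without AWS access.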

max-rocket-internet commented 6 years ago

Yes! Amazing. Sorry, I didn't see that option. Thanks.