> AWS. ... apparently you need a chrome extension which adds a bunch of complicated options I don’t really understand just to be able to change roles
I strongly agree with the rest of your characterization of the AWS console, but that one isn't true: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_us... -- we use IAM Roles extensively at $DAYJOB and have not yet experienced anything that would require a Chrome extension to work around like you describe
Their login screen, however, continues to drive everyone crazy since the URL you visit depends greatly on which account, and at what level, you wish to authenticate to the console. With any setup containing a non-trivial number of AWS accounts, it's just "oh, what account am I logged into" waiting to happen
The AWS web UI shows an MRU (most recently used) list of the last 5 roles only. So if my job calls for me to switch between multiple accounts (7 accounts in my case), I can't have all 7 in my history. There is a Chrome extension that extends that MRU list. See https://chrome.google.com/webstore/detail/aws-extend-switch-...
I would disagree regarding AWS IAM roles. You can't live without "AWS Extended Switch Roles"[1] if you have more of them. What AWS provides by default is quite a joke.
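The MRU limit the two posts above complain about is usually worked around by bookmarking the console's switch-role links instead of relying on the history list. As an added example (not code from anyone in the thread), the snippet below reads AWS CLI profiles that carry a `role_arn`, pulls out the account id and role name, and builds the documented `https://signin.aws.amazon.com/switchrole?account=...&roleName=...&displayName=...` URL for each; the profile names, account ids and role names in the sample config are constructed placeholders.

```python
import configparser
import re
from urllib.parse import urlencode

# Constructed sample ~/.aws/config content. The account ids and role
# names are placeholders, not real accounts.
SAMPLE_CONFIG = """
[profile base]
region = us-east-1

[profile prod-readonly]
role_arn = arn:aws:iam::111111111111:role/ReadOnly
source_profile = base
mfa_serial = arn:aws:iam::000000000000:mfa/alice

[profile staging-admin]
role_arn = arn:aws:iam::222222222222:role/ops/Admin
source_profile = base
"""

# IAM role ARN: 12-digit account id, then the role path and name.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


def parse_role_profiles(config_text):
    """Return [{name, account, role}] for every profile that assumes a role."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    profiles = []
    for section in parser.sections():
        if not section.startswith("profile "):
            continue
        name = section[len("profile "):]
        role_arn = parser.get(section, "role_arn", fallback=None)
        if role_arn is None:
            continue  # plain credentials profile, nothing to switch into
        match = ROLE_ARN_RE.match(role_arn.strip())
        if not match:
            raise ValueError(f"profile {name}: unrecognised role_arn {role_arn!r}")
        account, path_and_name = match.groups()
        # The console wants the bare role name; drop any IAM path prefix.
        role = path_and_name.rsplit("/", 1)[-1]
        profiles.append({"name": name, "account": account, "role": role})
    return profiles


def switch_role_url(account, role, display_name):
    """Build the console switch-role link documented by AWS for a role."""
    query = urlencode(
        {"account": account, "roleName": role, "displayName": display_name}
    )
    return "https://signin.aws.amazon.com/switchrole?" + query


def bookmark_urls(config_text):
    """Map each role profile name to a bookmarkable switch-role URL."""
    return {
        p["name"]: switch_role_url(p["account"], p["role"], p["name"])
        for p in parse_role_profiles(config_text)
    }


if __name__ == "__main__":
    for name, url in bookmark_urls(SAMPLE_CONFIG).items():
        print(f"{name}: {url}")
```

Point it at the real `~/.aws/config` by passing the file contents to `bookmark_urls`; because the `displayName` is taken from the profile name, the console header shows which account you are in, which also helps with the "what account am I logged into" problem raised earlier.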
My personal issue right now is that I have multiple accounts with MFA and there’s no easy way to differentiate them besides this generated account ID in the auth app. This means I have to create some type of mapping table between the ID and the account, or try to remember what’s available
We have a very funny situation in our org, where AWS auth is set up using our MS domain, with app push-based MFA. However, the AWS MFA workflow seems to not know about push based notifications, so it asks for a verification code which can literally be anything. After you provide some code and click Verify, only then does it send the push notification, and the UI just freezes until you either accept the auth request or some timeout happens.
Not to mention, we actually have to provide the Domain password in the AWS UI, which seems to go against any kind of security I know...
If you already have an MS domain you could set up SAML login with ADFS (tried this, works fairly well) or AWS SSO if you have a managed AD in AWS (may not be available in your region). Also works very well with AzureAD as the provider, if you use that synced to your on-prem AD.
Every MFA app I've used has the ability to rename the entry, since the MFA key and the text that are displayed to the user are 100% unrelated to one another. And I recognize that you might not have the correct privilege level to carry it out, but AWS does allow you to create account aliases, which helpfully show up in the console login URL