This repository has been archived by the owner. It is now read-only.
Switch branches/tags
Nothing to show
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

Jump! Jump!


kriskross can start an AWS console on your own account, sub-accounts or third party accounts using cross account roles from the shell or a basic web service: no more struggling with your AWS console login / password!. It can read awscli profile and has MFA support. As a minimal web serverkriskross makes MFA copy & paste from your mobile device less prone to errors.
Learn about Cross-Account Access in this very well written article.

Hint: yes you can attach a cross account role to your own local account just by entering your own account id when creating the cross account role.


It uses an ~/.awsaccounts JSON file with the format:

    "target": {
        "account": "AWS account id",
        "role": "cross account access role name",
        "external-id": "optional external id for secure 3rd party access",
        "mfa": "optional MFA device serial number",
        "profile": "optional aws cli profile name for non-default direct access"

An example awsaccount file would be:

    "myownaccount": {
        "account": "636487856791",
        "role": "MFAAdmin",
        "mfa": "arn:aws:iam::225011332614:mfa/MySelf"
    "childaccount": {
        "account": "287487895991",
        "role": "ChildAdmin",
    "thirdpartyaccount": {
        "account": "981036328202",
        "role": "ThirdParty",
        "external-id": "123456789"
    "thirdpartyaccountwithMFA": {
        "account": "123036328892",
        "role": "ThirdParty",
        "external-id": "123456789"
        "mfa": "arn:aws:iam::225011332614:mfa/MySelf"
    "myotheraccount": {
        "profile": "othercompany",
        "account": "123468236778",
        "role": "MFAAdmin",
        "mfa": "arn:aws:iam::678067632434:mfa/MySelf"
  • The hash index is really a label, independent from your ~/.aws configuration.
  • account is the account number to build the role from.
  • role is the role name.
  • mfa is the MFA "serial device", actually the ARN as shown in the IAM console.
  • external-id is the arbitrary id you agreed to use with the third party.
  • profile is an AWS profile_name you would like to pivot from.
  • duration is the role session duration, in seconds. Default duration is 3600, max session is 12 hours.
  • private might be set to yes if you'd like to open the console on a browser private window (only Firefox or Chrome by now)
    • This feature relies on a BROWSER variable containing the executable name for your favorite web browser. Either add BROWSER=firefox; export BROWSER (or google-chrome) to your shell profile file, or prepend kriskross execution with the variable set.

A very simple, single account based file could be:

  "simpleaccount": {
    "account": "636487856791"
    "role": "myrole"

Assuming you created a role called myrole in your current account, with the same account id as the source account, yes, this works. This configuration relies on a ~/.aws/{credentials,config} with a default section and the corresponding aws_access_key_id / aws_secret_access_key pair.

There are many possible combinations:

  • Direct, own account access, by creating a cross account role with the local account id
  • Child account, by enabling cross account access
  • Third party account using an external id
  • Third party account using an external id and MFA
  • Direct account access using awscli profiles

All with or without MFA (while enabling MFA is highly recommended).

You may give an alternative path and name for the account properties file using the --awsaccounts= parameter.
If the role uses a MFA device, specify it with the --mfa parameter along with a mfa key associated with the target in the awsaccounts file which value is the MFA device serial number.


From the command line: <target> [--awsaccounts=<file> --mfa=<token>]

Start as a foreground local web service (Flask default port is 5000):

python -m flask run --host=

Or start it as a daemon with gunicorn (default port 8000):

gunicorn -D -b kriskross:app


This script is vaguely derived from AWS: and this botocore version: