
Releases: mmmorris1975/aws-runas

v3.6.0

11 Oct 19:40


New browser experience provider for browser based authentication. (#121)

  • Added a new browser experience provider (browserne) that uses the client's default browser and SSO instead of running an alternate browser with Chromedp in debug mode to steal the SAMLResponse. This new way is cleaner, but it does require changes to the config, since aws-runas will be creating the SAMLRequest itself. With this method the SAMLResponse is delivered to a localhost:port/saml/acs address, so the normal saml:aud check that most have in the SSO integration requires updates to the trust policy to allow for this new Recipient: http://localhost:*/saml/acs

There is also a new required parameter (or command line flag) to specify the EntityId for the SAML IdP. In the case of EntraID, this differentiates multiple applications from each other.

  • Added a command line flag for the EntityID configuration

  • Updated the config document to include the new browserne provider
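
The trust policy change described above, as an added example that is not taken from the aws-runas project or its documentation. The account ID `111122223333`, the provider name `ExampleIdP` and the `Sid` are placeholders, and keeping the standard AWS sign-in endpoint in the list is an assumption for roles that are also used for console sign-in. The operator is `StringLike` because the new Recipient contains a wildcard port, which `StringEquals` would compare literally and never match.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSamlWithLocalAcsRecipient",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:saml-provider/ExampleIdP"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringLike": {
          "SAML:aud": [
            "https://signin.aws.amazon.com/saml",
            "http://localhost:*/saml/acs"
          ]
        }
      }
    }
  ]
}
```

Limit this wider audience condition to the roles that are actually assumed through the browserne provider, and leave the exact-match condition on every other role.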

Fix SAML response parsing for browser client

02 May 14:23
2da0682


Some identity providers send extra attributes along with the SAMLResponse, which was causing the client to fail to find the necessary SAML assertion to provide to AWS. This release changes the parsing of that data so that we reliably find the SAML assertion when other attributes are passed in the response.

Fixes #103

3.5.1

05 Jan 03:49


Rewrite the browser auth provider to use the chromedp browser events. This allows the SAMLResponse event to be captured when a page isn't rendered with an HTTP response code of 200. Single role/account users will get a SAMLResponse in a 302 that redirects to the AWS console. This release corrects that, so both multi account/role and single account/role users can work with the provider.

3.5.0 Add browser-based SAML client

23 Nov 02:38


Allow aws-runas to spawn an external browser (Chrome/Edge) that can be used to navigate an authentication session and return a SAMLResponse back to aws-runas for use in retrieving credentials.

3.4.0: Upgrade ssm-session-client (#86)

14 Aug 19:29
db7e95c


  • Migrate to the latest ssm-session-client to get direct integration with the AWS-managed SSM session client codebase. This will give us the full functionality of the AWS-provided ssm session plugin, without needing to install the 3rd party binary. Some benefits are stable SSH connections over SSM, and support for all port forwarding features of the AWS code (port multiplexing, etc.).
  • Ensure valid credentials before any SSM action, to fix an annoying behavior where ssm actions will fail unless valid, cached credentials already exist.
  • Update CircleCI orbs and golang version; also update go module versions to stay up to date.

Fix ECR login for registries not in profile region

27 Apr 17:06


The ecr login command was failing to authenticate to registries which weren't in the region specified in the profile (profile says us-east-1, registry is in us-west-2). Explicitly set the region when calling GetAuthorizationToken to the region specified in the ECR registry URL.

Fixes #81

Correct credential caching issue with metadata credential service

27 Apr 02:50
d4a7129


Corrected a serious bug where credentials for the original role and account would be cached for all subsequent accounts and roles, due to a reversed call to MergeIn() in the server code when merging credentials. (#79) ... Fixes #76

Bump nokogiri from 1.13.3 to 1.13.4 in /docs (#77)

3.3.1 Fix handling of role ARN parameter when using external IdP

31 Mar 13:15
bdb4324


When using a role ARN instead of a named profile, and having the external IdP configuration in the default profile, the IdP configuration was not loaded because a profile could not be loaded from the config file. This has been fixed.

Fixes #73

Integrate EC2 Instance Connect with SSM SSH functionality

21 Feb 17:34
c61ef46


Integrate EC2 instance connect with the ssm ssh functionality (#71). This allows the public key for the session to be provisioned on the instance during the setup of the SSH session instead of requiring pre-existing SSH keys on the instance.

  • Update dependencies and use go 1.17
  • Fix error when launching ssm plugin
  • Update ssm-session-client for bug fix with DNS target resolution

3.2.0: Add Duo MFA to Okta IdP client

14 Dec 14:18
18f9505


Add Duo MFA to Okta IdP client (#68)

Update SSM client library for fix to terminal resizing
Update versions for dependencies