2.0.0
aws-runas 2.0.0 is now generally available! The major emphasis of this release was enabling AWS assume role functionality with SAML identities (using AssumeRoleWithSaml), in addition to maintaining assume role functionality with IAM users (as is tradition); and ensuring feature parity was maintained across the different assume role functionality (including a completely refactored EC2 metadata service).
Be aware that there are breaking changes between the 1.x and 2.x releases!
- For IAM profiles, the long form of the `-M` command line option is now `--mfa-serial` instead of `--mfa-arn`, to be more consistent with the config file attribute name.
- A new credential cache file format is now used to provide a single code base to manage IAM and SAML role credentials. (This may require you to manually clean any cached files in your .aws directory if you're seeing odd behavior after upgrading to 2.x.)
Other new features in the 2.0 release:
- SAML support for Forgerock, Keycloak, and OneLogin identity providers. Other providers can be requested by opening a github issue, and are worked on a best-effort basis. If you feel up to tackling the code yourself, merge requests are always appreciated!
- Environment variables can now be used in place of many of the command line options. See the Environment Variables section of the Program Usage docs.
- You can use aws-runas as the command to execute when using the `credential_process` feature of the .aws/config file. To do this you will need to run the command using the `-O json` command line parameter to output the credentials in json format.
- Add the `--whoami` command line flag to print out the identity information retrieved for the profile used when executing the command. This is a shortcut for the typical troubleshooting step of running `aws-runas my-profile aws sts get-caller-identity`.
- Add the `password` sub-command so that SAML profile passwords can be stored in an obfuscated form in the .aws/credentials file. SAML passwords can still be provided via environment variables or the command line flag, however these are less secure since they use the clear text value of the password.
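The `credential_process` integration above only works if the JSON that `-O json` emits matches the contract the AWS CLI and SDKs expect from a credential process: an object with `Version` (always `1`), `AccessKeyId`, `SecretAccessKey`, and optionally `SessionToken` and an ISO 8601 `Expiration`. The checker below is an added example, not code from the aws-runas project; it assumes the invocation takes the form `aws-runas -O json my-profile` (so a config entry would read `credential_process = aws-runas -O json my-profile`), and the sample documents it embeds are constructed placeholders rather than real credentials or real aws-runas output. Running it over the real output before pointing a profile at it turns a vague "the CLI can't find credentials" into a concrete list of contract violations, and reports how long the returned session has left.

```python
"""Check a credential_process JSON document before wiring it into ~/.aws/config.

Added example, not part of aws-runas. Implements the credential_process contract
documented for the AWS CLI/SDKs: a JSON object with "Version" (must be 1),
"AccessKeyId", "SecretAccessKey", and optionally "SessionToken" and
"Expiration" (ISO 8601 timestamp). All sample documents are constructed placeholders.
"""
import json
from datetime import datetime, timezone
from typing import Optional

REQUIRED = ("Version", "AccessKeyId", "SecretAccessKey")
OPTIONAL = ("SessionToken", "Expiration")

# Constructed sample in the shape `aws-runas -O json <profile>` is assumed to emit.
SAMPLE_OUTPUT = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAPLACEHOLDER0000",
    "SecretAccessKey": "placeholder-secret",
    "SessionToken": "placeholder-session-token",
    "Expiration": "2099-01-01T12:00:00Z",
})
# Constructed negative samples: an expired session and a wrong Version value.
EXPIRED_OUTPUT = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAPLACEHOLDER0000",
    "SecretAccessKey": "placeholder-secret",
    "SessionToken": "placeholder-session-token",
    "Expiration": "2000-01-01T00:00:00Z",
})
BAD_VERSION_OUTPUT = '{"Version": 2, "AccessKeyId": "ASIAPLACEHOLDER0000", "SecretAccessKey": "x"}'


def _parse_expiration(value: str) -> datetime:
    # Python < 3.11 does not accept a trailing "Z" in fromisoformat(), so normalise it.
    exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if exp.tzinfo is None:
        raise ValueError("Expiration must carry a UTC offset")
    return exp


def validate_credential_process(raw: str, now: Optional[datetime] = None) -> dict:
    """Return {"ok": bool, "errors": [...], "seconds_remaining": float | None}.

    Every problem is collected rather than stopping at the first one, so a
    misconfigured profile can be diagnosed in a single pass.
    """
    errors = []
    seconds_remaining = None
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return {"ok": False, "errors": [f"not valid JSON: {exc}"], "seconds_remaining": None}
    if not isinstance(doc, dict):
        return {"ok": False, "errors": ["top-level value must be a JSON object"], "seconds_remaining": None}

    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        errors.append(f"missing required keys: {missing}")
    unknown = sorted(set(doc) - set(REQUIRED) - set(OPTIONAL))
    if unknown:
        errors.append(f"unexpected keys (is this really the -O json output mode?): {unknown}")
    version = doc.get("Version")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(version, bool) or version != 1:
        errors.append(f"Version must be the integer 1, got {version!r}")
    for key in ("AccessKeyId", "SecretAccessKey", "SessionToken"):
        if key in doc and (not isinstance(doc[key], str) or not doc[key]):
            errors.append(f"{key} must be a non-empty string")
    if "Expiration" in doc:
        try:
            exp = _parse_expiration(doc["Expiration"])
            now = now or datetime.now(timezone.utc)
            seconds_remaining = (exp - now).total_seconds()
            if seconds_remaining <= 0:
                errors.append(f"credentials already expired at {doc['Expiration']}")
        except (TypeError, ValueError, AttributeError) as exc:
            errors.append(f"Expiration is not an ISO 8601 timestamp: {exc}")
    return {"ok": not errors, "errors": errors, "seconds_remaining": seconds_remaining}


if __name__ == "__main__":
    import sys
    # Usage (assumed invocation): aws-runas -O json my-profile | python3 check_credproc.py
    result = validate_credential_process(sys.stdin.read())
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

The exit status makes the script usable as a gate in a shell pipeline: a non-zero status means the credential process output would be rejected or would hand the CLI an already-expired session, which is worth knowing before the failure surfaces as an unrelated AccessDenied.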
Full documentation, including all of the new 2.x features, can be found at the doc site.