Releases: mmmorris1975/aws-runas
2.0.1
A couple of quick bug fixes
Fix a behavior introduced in aws sdk v1.22.0
If you set session.Options.Profile after 1.22.0 it will override the credential chain
behavior and only look for credentials of the specified profile, ignoring whatever
credentials may be provided via environment variables. So now we only set session.Options.Profile
if we're using a profile other than "default".
Update Keycloak SAML client for KC 8+
Keycloak 8 changed the name of the MFA/OTP input field from "totp"
to "otp". Update the code to handle both cases. Also add a few
more debug log statements around the SAML actions in main.go
2.0.0
aws-runas 2.0.0 is now generally available! The major emphasis of this release was enabling AWS assume role functionality with SAML identities (using AssumeRoleWithSAML), in addition to maintaining assume role functionality with IAM users (as is tradition); and ensuring feature parity was maintained across the different assume role functionality (including a completely refactored EC2 metadata service).
Be aware that there are breaking changes between the 1.x and 2.x releases!
- For IAM profiles, the long form of the -M command line option is now --mfa-serial instead of --mfa-arn to be more consistent with the config file attribute name.
- A new credential cache file format is now used to provide a single code base to manage IAM and SAML role credentials. (This may require you to manually clean any cached files in your .aws directory if you're seeing odd behavior after upgrading to 2.x)
Other new features in the 2.0 release:
- SAML support for Forgerock, Keycloak, and OneLogin identity providers. Other providers can be requested by opening a github issue, and are worked on a best-effort basis. If you feel up to tackling the code yourself, merge requests are always appreciated!
- Environment variables can now be used in place of many of the command line options. See the Environment Variables section of the Program Usage docs
- You can use aws-runas as the command to execute when using the credential_process feature of the .aws/config file. To do this you will need to run the command using the -O json command line parameter to output the credentials in json format.
- Add the --whoami command line flag to print out the identity information retrieved for the profile used when executing the command. This is a shortcut for the typical troubleshooting step of running aws-runas my-profile aws sts get-caller-identity
- Add the password sub-command so that SAML profile passwords can be stored in an obfuscated form in the .aws/credentials file. SAML passwords can still be provided via environment variables or the command line flag, however these are less secure since they use the clear text value of the password.
Full documentation, including all of the new 2.x features can be found at the doc site
Add support for outputting credentials in json format
Credentials can now be presented as either a set of export statements for environment variables, or as a json object compatible with the format needed for the aws sdk credential_process attribute in the config file.
By default, to preserve behavior, the credentials will still be output as a series of environment variable setting statements. To get the json formatted credentials, use the -O json option for aws-runas.
Fixes #44
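The two output forms described here and in the 2.0.0 credential_process note, as an added example (not aws-runas source code). The JSON keys are the ones the AWS SDK credential_process contract defines; the exact text of the export statements, the profile names and the config stanza in the comment are assumptions, and the credential values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Hypothetical ~/.aws/config stanza (profile names and argument order assumed):
//   [profile wrapped]
//   credential_process = aws-runas -O json my-profile

// creds is one set of temporary role credentials.
type creds struct {
	AccessKeyId, SecretAccessKey, SessionToken string
	Expiration                                 time.Time
}

// render formats c as shell export statements ("env") or as the JSON object
// read by the AWS SDK credential_process setting ("json").
func render(c creds, format string) (string, error) {
	switch format {
	case "env":
		return fmt.Sprintf("export AWS_ACCESS_KEY_ID='%s'\nexport AWS_SECRET_ACCESS_KEY='%s'\nexport AWS_SESSION_TOKEN='%s'\n",
			c.AccessKeyId, c.SecretAccessKey, c.SessionToken), nil
	case "json":
		out, err := json.Marshal(struct {
			Version                                    int // must be 1
			AccessKeyId, SecretAccessKey, SessionToken string
			Expiration                                 string // RFC 3339; SDKs call the command again once this passes
		}{1, c.AccessKeyId, c.SecretAccessKey, c.SessionToken, c.Expiration.UTC().Format(time.RFC3339)})
		return string(out), err
	}
	return "", fmt.Errorf("unknown output format %q", format)
}

func main() {
	// Constructed sample values, not real credentials.
	c := creds{"AKIAEXAMPLE", "secret", "token", time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)}
	for _, f := range []string{"env", "json"} {
		s, _ := render(c, f)
		fmt.Println(s)
	}
}
```

With credential_process the secrets travel over the helper's stdout to the SDK only, instead of sitting in the environment of every process started from the shell.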
1.5.0
Add support for SSM shell and port-forwarding sessions. See the documentation for more info on setting up this feature
Add additional build flags to reduce size of the compiled executable
1.4.2
Correct an issue where the program would exit with an error if the config file could not be found when using a role ARN instead of a profile name
1.3.7
Correct an issue where the program would exit with an error if the config file could not be found when using a role ARN instead of a profile name
1.4.1
correctly handle credentials_duration attribute in default section
Allow the credentials_duration attribute in the default section without
a corresponding role_arn attribute.
1.3.6
correctly handle credentials_duration attribute in default section
Allow the credentials_duration attribute in the default section without
a corresponding role_arn attribute.
1.4.0
- Allow for auto-refresh of role credentials when wrapping a command
  Instead of passing role credentials as environment variables to called programs,
  start an HTTP server which mimics the ECS credential endpoint, and modify the
  environment such that the called command will reference the endpoint for credentials.
  This should allow the command to automatically refresh the role credentials while the
  process executes, for as long as the session token credentials are valid.
- add -E flag to preserve env var credential behavior
- Set environment variable to pass profile name to called program
  Expose the profile name, if it doesn't look like a role ARN, as the environment variable
  AWSRUNAS_PROFILE, so downstream programs can still get access to the profile name
  using a variable which won't collide with the AWS SDK operation.
- Change MFA code prompt to use stderr, update aws sdk version
- generate/distribute only signed Windows executable
- create .deb and .rpm packages for linux
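A sketch of the auto-refresh mechanism from the first 1.4.0 item, as an added example (not aws-runas source code): a loopback-only HTTP server that answers in the ECS credential response shape, plus the environment variables that point an AWS SDK at it. The variable names are the AWS SDK container-credential settings; the /creds path, the random port and the authorization-token check are assumptions of this example, not something the release notes state about aws-runas.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
)

// ecsCreds is the JSON shape of an ECS container credential response.
type ecsCreds struct{ AccessKeyId, SecretAccessKey, Token, Expiration string }

// serveCreds serves fetch() on loopback and returns the env vars for the wrapped command.
func serveCreds(fetch func() ecsCreds) ([]string, func(), error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return nil, nil, err
	}
	token := hex.EncodeToString(raw) // per-run secret, unknown to other local processes
	ln, err := net.Listen("tcp", "127.0.0.1:0") // random port, loopback only
	if err != nil {
		return nil, nil, err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/creds", func(w http.ResponseWriter, r *http.Request) {
		// AWS SDKs send AWS_CONTAINER_AUTHORIZATION_TOKEN as the Authorization header.
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte(token)) != 1 {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		json.NewEncoder(w).Encode(fetch()) // fetched per request, so refreshed credentials are served
	})
	srv := &http.Server{Handler: mux}
	go srv.Serve(ln)
	env := []string{"AWS_CONTAINER_CREDENTIALS_FULL_URI=http://" + ln.Addr().String() + "/creds",
		"AWS_CONTAINER_AUTHORIZATION_TOKEN=" + token}
	return env, func() { srv.Close() }, nil
}

func main() {
	env, stop, err := serveCreds(func() ecsCreds { return ecsCreds{"AKIAEXAMPLE", "secret", "token", "2030-01-01T00:00:00Z"} })
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println(env[0]) // sample credentials are constructed; env[1] carries the secret token
}
```

Any process on the host can reach a loopback port, which is why the sketch rejects requests that lack the per-run token handed only to the wrapped command.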
1.3.5
Expose the profile name, if it doesn't look like a role ARN, as the env var AWSRUNAS_PROFILE,
so downstream programs can still get access to the profile name using a variable which won't
collide with the AWS SDK operation.