- Very minor update to address development dependency security issue (CVE-2020-8130 for Rake).
- Version now can be printed by supplying --version.
- The gem now uses Optimist, and as such should no longer give deprecation warnings for its previous name. #21
- Corrected an issue with session ID generation when the calculated new long-form session ID exceeded 64 characters. In this situation, the session name will fall back to the classic generic timestamped ID. #17
- When calling from an assumed role, the session ID now takes on the name of the access key ID instead of the account ID and user name. This should help prevent length or session name nesting issues, while still making the session name useful. #17
- The access key ID-based session ID will also be used if the account and user-based session ID would exceed 64 characters under normal circumstances, ensuring that the classic ID is strictly a fallback in major edge cases where either is unusable or if the user has no access to GetCallerIdentity. #17
This update brings the --duration flag, which allows you to control the session duration for both session tokens and assumed roles. Note that the maximum depends on what kind of user you are using (IAM versus root account), whether or not you are assuming a role, and the maximum duration set on any role that you are assuming. aws-runas may silently truncate the maximum if you request it too high, although your session will be rejected when assuming a role. For more details, see GetSessionToken and AssumeRole.
Thanks to the work done in #16 for this!
Some issues were discovered where the zsh prompt support was not functioning correctly when using shell functions. Colors were not rendering properly as well. Thanks to the work in #14 for the fix on this!
aws-runas will now expose the IAM user's identity information (account ID/user name) and enter it in the session ID, when available. The new format is aws-runas-session_ACCTID_USERNAME_TIMESTAMP when the user has access to GetCallerIdentity, and the old aws-runas-session_TIMESTAMP format when they do not.
Thanks to the work done in #11 for this!
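The session ID ends up in the assumed-role ARN and in CloudTrail records, so it matters which form gets picked. The sketch below is an added example, not aws-runas source code: it combines the format described here with the fallback order from the later #17 entries. The identity hash shape, the layout of the access-key-based ID and the sample values are assumptions; the 2-64 character limit and allowed character set are those of the STS RoleSessionName parameter.

```ruby
# Added illustration, not aws-runas source code.
PREFIX = 'aws-runas-session'
# STS accepts RoleSessionName values of 2-64 characters from this set.
VALID_NAME = /\A[\w+=,.@-]{2,64}\z/

# identity is a hypothetical hash built from a GetCallerIdentity response:
#   :account, :user_name, :access_key_id, :assumed_role (true/false)
# Pass nil when the caller is denied GetCallerIdentity.
def session_name(identity, now: Time.now)
  ts = now.to_i
  classic = "#{PREFIX}_#{ts}"
  return classic if identity.nil?

  acct, user, key = identity.values_at(:account, :user_name, :access_key_id)
  candidates = []
  # From an assumed role the account/user form is skipped entirely.
  if acct && user && !identity[:assumed_role]
    candidates << "#{PREFIX}_#{acct}_#{user}_#{ts}"
  end
  # Key-based layout is an assumption; the notes do not spell it out.
  candidates << "#{PREFIX}_#{key}_#{ts}" if key

  # First candidate STS would accept wins; the classic ID is the last resort.
  candidates.find { |name| name.match?(VALID_NAME) } || classic
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample identity (AWS documentation-style placeholder values).
  sample = { account: '123456789012', user_name: 'alice',
             access_key_id: 'AKIAIOSFODNN7EXAMPLE', assumed_role: false }
  puts session_name(sample)                              # account/user form
  puts session_name(sample.merge(user_name: 'a' * 30))   # too long: key form
  puts session_name(sample.merge(assumed_role: true))    # role: key form
  puts session_name(nil)                                 # no identity: classic
end
```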
zsh is now supported for the fancy prompt. When using the shell, your existing profile data from .zshrc will be copied over into the temporary configuration.
2 additional functions are available for bash and zsh as well:
- aws_session_expired, which reads AWS_SESSION_EXPIRATION_UNIX (see below) and compares this with the current Unix timestamp supplied by date. It returns 0 on true and 1 on false, which can be used semantically in shell scripts.
- aws_session_status_color, which works off of aws_session_expired to render an ANSI numeric color code - red when aws_session_expired is true, yellow otherwise.
The prompts for bash and zsh now work off of these functions to render the right color. The prompt will go red when the session has expired.
The default interactive prompt that you get when you run aws-runas with no command supplied can now be skipped by adding --skip-prompt to the CLI arguments. The profile functions mentioned above are still passed in. This allows you to leverage their functionality in other ways, inside your own scripts and custom prompts, if you want.
Several environment variables have been added for more quality-of-life when working in the shell or aware tools:
- AWS_REGION and AWS_DEFAULT_REGION, which pass through the region configured in the profile, if present
- AWS_SESSION_EXPIRATION and AWS_SESSION_EXPIRATION_UNIX to supply the session expiration time, in both human and UNIX timestamps, respectively named.
The role that aws-runas assumed and the profile it used are now exposed as AWS_RUNAS_ASSUMED_ROLE_ARN and AWS_RUNAS_PROFILE, respectively. These can be used in scripts to track the profile being used or the role ARN used, in case this data is needed later, or for troubleshooting purposes.
Fixed the escape sequence in the bash shell prompt indicator so that it has the \[ and \] enclosures - this fixes issues that the prompt was having with line wrapping.
- Dropping support for Ruby 2.1. You will need at least Ruby 2.2.6 to be using this gem now. If you have a version below this, please use a v0.3.x version.
- MFA entry is no longer hidden from the terminal - you will see the digits you enter now.
- Added a special indicator to bash prompts when running interactively. This prompt displays your running profile, like so: (AWS:default). When running via --no-role, the indicator is just (AWS). This should help to distinguish any AWS shells you may be running from regular ones.
This update sets AWS_SDK_CONFIG_OPT_OUT before the aws-sdk Ruby gem is loaded to start assuming roles, to disable newer AWS Ruby SDK functionality that allows the assumption of roles from ~/.aws/config directly through the toolchain. This conflicts with aws-runas's own config file handling and breaks in scenarios where one may want a default ~/.aws/config file but no credentials (i.e. instance profiles).
Add session only features:
- Add the --no-role command to load a profile and just get a session token, instead of assuming a role.
- Changed default behaviour so that if AWS_SESSION_TOKEN exists, no MFA is loaded - this allows the assumption of multiple roles from within the same session.
- --no-role will fail if a MFA serial is not present (it's pretty much useless - you will just be getting a session for the same access key/secret key with the same level of privilege that you did before).
- $SHELL is now supported - if this environment variable exists, the shell in it will be launched.
- Windows support: cmd.exe is set as the default shell on non-Cygwin Windows systems.
- Fixes to support mingw32 such as IO flushing and detection of a lack of noecho support.
- Fixed #3 (better handling of invalid profile name).
- Added guard for invalid file as well.
- Fixed #1 and #2 (default credentials fallback bug and overzealous version restrictions).