99designs/aws-vault v7.0.0

on GitHub

Added

• Handle [sso-session] section by @dima-vm in #1088
• Add support for credential_process by @jmczerk in #1087
  #1122
• Add mfa_process config by @mtibben in #1123
• Support aws-cli's AWS_CREDENTIAL_EXPIRATION by @mtibben in #1124
• Add aws-vault export cmd by @mtibben in #1135 #1146
• Allow login with master creds in environment by @mtibben in #1150
• Support login from profile with credential_process by @christophgysin in #1168

Changed

• Simplify creation of temporary creds by @mtibben in #1120
• Update Documentation to reflect new Multi-MFA per IAM User functionality on AWS. by @LouisTsiattalou in
  #1101
• Remove support for parent_profile, deprecated in v5 by @mtibben in #1131
• When using a subshell, add some help messages to minimise confusion and improve DX by @mtibben in #1136
• Disable subshell help messages with AWS_VAULT_DISABLE_HELP_MESSAGE=1 by @mtibben in #1165
• Make --ecs-server the default server implementation by @mtibben in #1137
• Automatically select the best prompt driver by @mtibben in #1138
• Remove use of old env vars by @mtibben in #1143 #1147
• Fix prompts required in non-tty processes by @mtibben in #1149
• Use go 1.20 by @mtibben in #1158
• Support execve syscall on all OSs that can by @mtibben in #1166
• Shut down ec2 proxy automatically by @mtibben in #1167
• Validate that configs don't have more than one source by @mtibben in #1171

Backwards-compatibility breaks

• --prompt=passotp is no longer supported. Instead, use mfa_process = pass otp my_aws_mfa in your config file
• parent_profile in the aws config file is no longer supported. Use include_profile instead
• --server now executes a ECS metadata server instead of a EC2 metadata server. To continue using the EC2 metadata server, use --ec2-server instead. Use aws-vault proxy --stop if you need to stop processes from old aws-vault versions
• When using aws-vault exec the following old env vars are no longer set. If you use any of these env vars, use the more standard alternative
  • AWS_SECURITY_TOKEN (use AWS_SESSION_TOKEN instead)
  • AWS_SESSION_EXPIRATION (use AWS_CREDENTIAL_EXPIRATION instead)
• aws-vault exec --json flag is deprecated and will be removed in a future release. Use aws-vault export --format=json instead.
• Ambiguous profile configs that specify multiple credential sources are no longer allowed
• If you use a profile config that uses a self-referential credential_process, you will end up with an infinite loop as v7 now recognises credential_process as a valid credential source. The solution is to create a new profile for the credentials. For example:

  [profile admin]
  credential_process = aws-vault exec -j admin

  should instead become

  [profile admin]
  
  [profile admin-session]
  credential_process = aws-vault exec -j admin

New Contributors

• @dima-vm made their first contribution in #1088
• @LouisTsiattalou made their first contribution in #1101
• @jmczerk made their first contribution in #1087
• @christophgysin made their first contribution in #1168

Full Changelog: v6.6.2...v7.0.0