github common-fate/granted v0.3.0

2 years ago

Automatic config file population

This release adds support for automatically populating ~/.aws/config with available roles from AWS SSO (#230). Thanks to @misterjoshua for contributing support for this! We'd love to hear your feedback on how Granted can make your AWS config file easier to manage on this discussion: #249.

credential_process support

This release adds support for using Granted as a credential_process provider in your AWS config (#257). This allows Granted to work with the --profile flag in the AWS CLI. You can set up profiles as follows:

[profile my-profile]
region = ap-southeast-2
granted_sso_account_id = 123456789012
granted_sso_region = ap-southeast-2
granted_sso_role_name = MyRoleName
granted_sso_start_url = https://example.awsapps.com/start
credential_process = granted credential-process --profile my-profile 

and then run

aws sts get-caller-identity --profile my-profile

and Granted keychain storage will be used to load the SSO token. This eliminates the need to authenticate with AWS SSO a second time when running commands which use the --profile flag.
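A way to check profiles like the one above before relying on them, as an added example that is not part of Granted or of these release notes: it lints an AWS config for Granted-backed profiles whose --profile argument does not match their own section or whose granted_sso_* keys are incomplete. The function name, the sample "copied" profile, and the rule that all four granted_sso_* keys are required are assumptions of this example.

```python
import configparser
import shlex

# Keys from the sample profile above; treating all four as required is an assumption.
REQUIRED = ("granted_sso_account_id", "granted_sso_region",
            "granted_sso_role_name", "granted_sso_start_url")

# Constructed sample: the profile from the release notes plus a bad copy of it.
SAMPLE_CONFIG = """
[profile my-profile]
region = ap-southeast-2
granted_sso_account_id = 123456789012
granted_sso_region = ap-southeast-2
granted_sso_role_name = MyRoleName
granted_sso_start_url = https://example.awsapps.com/start
credential_process = granted credential-process --profile my-profile

[profile copied]
granted_sso_account_id = 12345
granted_sso_region = ap-southeast-2
granted_sso_start_url = https://example.awsapps.com/start
credential_process = granted credential-process --profile my-profile
"""

def lint_granted_profiles(config_text):
    """Return {profile: [problems]} for profiles that use Granted's credential_process."""
    parser = configparser.RawConfigParser()
    parser.read_string(config_text)
    findings = {}
    for section in parser.sections():
        argv = shlex.split(parser.get(section, "credential_process", fallback=""))
        if argv[:2] != ["granted", "credential-process"]:
            continue  # profile is not backed by Granted
        name = section[len("profile "):] if section.startswith("profile ") else section
        # --profile should name the section it sits in; a mismatch is usually a copy-paste slip.
        target = argv[argv.index("--profile") + 1] if "--profile" in argv[:-1] else None
        problems = [] if target == name else [f"--profile is {target!r}, expected {name!r}"]
        problems += [f"missing {key}" for key in REQUIRED
                     if not parser.get(section, key, fallback="").strip()]
        account = parser.get(section, "granted_sso_account_id", fallback="")
        if account and not (account.isdigit() and len(account) == 12):
            problems.append("granted_sso_account_id is not a 12-digit account ID")
        findings[name] = problems
    return findings

if __name__ == "__main__":
    for profile, problems in lint_granted_profiles(SAMPLE_CONFIG).items():
        print(profile, "OK" if not problems else problems)
```

To lint a real file, pass the contents of ~/.aws/config to lint_granted_profiles instead of SAMPLE_CONFIG.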

Access request integration

If you're using the Granted CLI with Granted Approvals, running granted settings request-url set will set a request URL. You'll be prompted to request access to roles if Granted receives a ForbiddenException error when trying to assume them.

❯ aws sts get-caller-identity --profile needs-requesting

Error when retrieving credentials from custom-process: error: operation error SSO: GetRoleCredentials, https response error StatusCode: 403, RequestID: 88c940dd-9f53-4bdf-a49c-f6f6f6f2b50d, api error ForbiddenException: No access

You need to request access to this role:
https://example.com/access?type=commonfate%2Faws-sso&permissionSetArn.label=MyRole&accountId=123456789012

New service shortcuts

Running assume -s ce will open a console to Cost Explorer (#258). Thanks for the contribution @mjulian!

UX improvements

We now support automatically re-assuming roles in ZSH (#228). Thanks to @sosheskaz for the contribution! To enable this, set GRANTED_ENABLE_AUTO_REASSUME=true in your .zshrc. We're working on extending this to other shells using the built-in refresh functionality of the AWS credential_process in #263.

Our session credential duration is now displayed in a far more readable format too (#259). Thanks to @alexjurkiewicz for the contribution!

[demo-sandbox1](ap-southeast-2) session credentials will expire in 1 hour

Bug fixes

We fixed a regression which caused assume to not print any output on headless Linux machines (#260). Thanks to @QuinnyPig for helping to diagnose the specific commit which caused this! We've added additional testing to our CI to prevent this from happening in the future (#265).

We also fixed an issue where the browser launched by Granted would be closed if you pressed Control+C in the terminal which originally opened the browser (#252).

Full Changelog: v0.2.9...v0.3.0
