az2aws 1.0.0

package/.claude/settings.local.json

@@ -0,0 +1,16 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(yarn test)",
+      "Bash(npm run test)",
+      "Bash(npm run build:*)",
+      "Bash(npm install)",
+      "Bash(npm cache clean:*)",
+      "Bash(npm install:*)",
+      "Bash(yarn install)",
+      "WebFetch(domain:github.com)",
+      "WebFetch(domain:patch-diff.githubusercontent.com)",
+      "Bash(ls:*)"
+    ]
+  }
+}

package/CONTRIBUTING.md

@@ -0,0 +1,54 @@
+# Contributing
+
+## Get started
+
+This project is written in TypeScript and is using prettier and eslint for code formatting. You need node v22.
+
+1. Install node v22. I recommend installing that with nvm: https://github.com/nvm-sh/nvm
+
+```sh
+nvm install 22
+```
+
+2. Make node v22 default
+
+```sh
+nvm alias default 22
+```
+
+3. Open a new terminal and verify node version (should return v22.X.X)
+
+```sh
+node -v
+```
+
+4. Install yarn
+
+```sh
+npm install -g yarn
+```
+
+5. Fork and clone project
+
+```sh
+git clone git@github.com:<GITHUB_USERNAME>/az2aws.git
+cd az2aws
+```
+
+6. Install dependencies
+
+```sh
+yarn install
+```
+
+7a. Start dev mode
+
+```sh
+yarn start
+```
+
+7b. Start prod mode
+
+```sh
+yarn build && node ./lib/index.js
+```

package/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 az2aws devs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

package/README.md

@@ -0,0 +1,250 @@
+[![view on npm](http://img.shields.io/npm/v/az2aws.svg)](https://www.npmjs.org/package/az2aws)
+[![npm module downloads per month](http://img.shields.io/npm/dm/az2aws.svg)](https://www.npmjs.org/package/az2aws)
+
+# az2aws
+
+If your organization uses [Azure Active Directory](https://azure.microsoft.com) to provide SSO login to the AWS console, then there is no easy way to log in on the command line or to use the [AWS CLI](https://aws.amazon.com/cli/). This tool fixes that. It lets you use the normal Azure AD login (including MFA) from a command line to create a federated AWS session and places the temporary credentials in the proper place for the AWS CLI and SDKs.
+
+## Installation
+
+Installation can be done in any of the following platform - Windows, Linux, Docker, Snap
+
+### Windows
+
+Install [Node.js](https://nodejs.org/) v22 or higher. Then install az2aws with npm:
+
+    npm install -g az2aws
+
+You may need to install puppeteer dependency, if you're getting missing chrome or chromium message
+
+    node <node_modules_dir>/az2aws/node_modules/puppeteer/install.js
+
+### Linux
+
+In Linux you can either install for all users or just the current user. In either case, you must first install [Node.js](https://nodejs.org/) v22 or higher and any [puppeteer dependencies](https://github.com/GoogleChrome/puppeteer/blob/master/docs/troubleshooting.md#chrome-headless-doesnt-launch). Then follow the appropriate instructions.
+
+#### Option A: Install for All Users
+
+Install az2aws globally with npm:
+
+    sudo npm install -g az2aws --unsafe-perm
+
+Puppeteer doesn't install globally with execution permissions for all users so you'll need to modify them:
+
+    sudo chmod -R go+rx $(npm root -g)
+
+#### Option B: Install Only for Current User
+
+First configure npm to install global packages in [your home directory](https://docs.npmjs.com/getting-started/fixing-npm-permissions):
+
+    mkdir ~/.npm-global
+    npm config set prefix '~/.npm-global'
+    export PATH=~/.npm-global/bin:$PATH
+    source ~/.profile
+    echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.profile
+    source ~/.profile
+
+Then install az2aws:
+
+    npm install -g az2aws
+
+### Docker
+
+A Docker image has been built with az2aws preinstalled. You simply need to run the command with a volume mounted to your AWS configuration directory.
+
+    docker run --rm -it -v ~/.aws:/root/.aws az2aws/az2aws
+
+The Docker image is configured with an entrypoint so you can just feed any arguments in at the end.
+
+You can also put the docker-launch.sh script into your bin directory for the az2aws command to function as usual:
+
+    # Download the script (replace VERSION with a specific release tag, e.g., v1.0.0)
+    curl -o /tmp/az2aws https://raw.githubusercontent.com/az2aws/az2aws/VERSION/docker-launch.sh -L
+
+    # IMPORTANT: Review the script before installing
+    cat /tmp/az2aws
+
+    # Install after verification
+    sudo mv /tmp/az2aws /usr/local/bin/az2aws
+    sudo chmod +x /usr/local/bin/az2aws
+
+> **Security Note:** Always download from a specific release tag (not `main`) and review the script contents before installing. Downloading and executing scripts directly from mutable branch heads poses a supply chain risk.
+
+Now just run `az2aws`.
+
+### Snap
+
+https://snapcraft.io/az2aws
+
+## Usage
+
+### Configuration
+
+#### AWS
+
+To configure the az2aws client run:
+
+    az2aws --configure
+
+You'll need your [Azure Tenant ID and the App ID URI](#getting-your-tenant-id-and-app-id-uri). To configure a named profile, use the --profile flag.
+
+    az2aws --configure --profile foo
+
+##### GovCloud Support
+
+To use az2aws with AWS GovCloud, set the `region` profile property in your ~/.aws/config to the one of the GovCloud regions:
+
+- us-gov-west-1
+- us-gov-east-1
+
+##### China Region Support
+
+To use az2aws with AWS China Cloud, set the `region` profile property in your ~/.aws/config to the China region:
+
+- cn-north-1
+
+#### Staying logged in, skip username/password for future logins
+
+During the configuration you can decide to stay logged in:
+
+    ? Stay logged in: skip authentication while refreshing aws credentials (true|false) (false)
+
+If you set this configuration to true, the usual authentication with username/password/MFA is skipped as it's using session cookies to remember your identity. This enables you to use `--no-prompt` without the need to store your password anywhere, it's an alternative for using environment variables as described below.
+As soon as you went through the full login procedure once, you can just use:
+
+    az2aws --no-prompt
+
+or
+
+    az2aws --profile foo --no-prompt
+
+to refresh your aws credentials.
+
+#### Environment Variables
+
+You can optionally store your responses as environment variables:
+
+- `AZURE_TENANT_ID`
+- `AZURE_APP_ID_URI`
+- `AZURE_DEFAULT_USERNAME`
+- `AZURE_DEFAULT_PASSWORD`
+- `AZURE_DEFAULT_ROLE_ARN`
+- `AZURE_DEFAULT_DURATION_HOURS`
+
+To avoid having to `<Enter>` through the prompts after setting these environment variables, use the `--no-prompt` option when running the command.
+
+    az2aws --no-prompt
+
+Use the `HISTCONTROL` environment variable to avoid storing the password in your bash history (notice the space at the beginning):
+
+    $ HISTCONTROL=ignoreboth
+    $  export AZURE_DEFAULT_PASSWORD=mypassword
+    $ az2aws
+
+#### Use an Existing Chrome Install and Profile
+
+Instead of using the bundled Chromium, you can use an existing Chrome installation with your own user profile by setting the following environment variables:
+
+- `BROWSER_CHROME_BIN` - Path to Chrome executable
+- `BROWSER_USER_DATA_DIR` - Chrome user data directory
+- `BROWSER_PROFILE_DIR` - Chrome profile name (e.g., "Default")
+
+Example (macOS):
+
+    export BROWSER_CHROME_BIN="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
+    export BROWSER_USER_DATA_DIR="/Users/<user>/Library/Application Support/Google/Chrome"
+    export BROWSER_PROFILE_DIR="Default"
+    aws-azure-login --mode gui --no-disable-extensions --no-sandbox
+
+Example (Linux):
+
+    export BROWSER_CHROME_BIN="/usr/bin/google-chrome"
+    export BROWSER_USER_DATA_DIR="/home/<user>/.config/google-chrome"
+    export BROWSER_PROFILE_DIR="Default"
+    aws-azure-login --mode gui --no-disable-extensions --no-sandbox
+
+Using Chrome instead of Chromium allows you to use browser extensions such as password managers.
+
+### Logging In
+
+Once az2aws is configured, you can log in. For the default profile, just run:
+
+    az2aws
+
+You will be prompted for your username and password. If MFA is required you'll also be prompted for a verification code or mobile device approval. To log in with a named profile:
+
+    az2aws --profile foo
+
+Alternatively, you can set the `AWS_PROFILE` environmental variable to the name of the profile just like the AWS CLI.
+
+Once you log in you can use the AWS CLI or SDKs as usual!
+
+If you are logging in on an operating system with a GUI, you can log in using the actual Azure web form instead of the CLI:
+
+    az2aws --mode gui
+
+Logging in with GUI mode is likely to be much more reliable.
+
+_Note:_ on virtual machines, or when rendering of the puppeteer UI fails, you might need to disable the GPU Hardware Acceleration:
+
+    az2aws --mode gui --disable-gpu
+
+_Note:_ on Linux you will likely need to disable the Puppeteer sandbox or Chrome will fail to launch:
+
+    az2aws --no-sandbox
+
+### Behind corporate proxy
+
+If behind corporate proxy, then just set https_proxy env variable.
+
+## Automation
+
+### Renew credentials for all configured profiles
+
+You can renew credentials for all configured profiles in one run. This is especially useful, if the maximum session length on AWS side is configured to a low value due to security constraints. Just run:
+
+    az2aws --all-profiles
+
+If you configure all profiles to stay logged in, you can easily skip the prompts:
+
+    az2aws --all-profiles --no-prompt
+
+This will allow you to automate the credentials refresh procedure, eg. by running a cronjob every 5 minutes.
+To skip unnecessary calls, the credentials are only getting refreshed if the time to expire is lower than 11 minutes.
+
+## Getting Your Tenant ID and App ID URI
+
+Your Azure AD system admin should be able to provide you with your Tenant ID and App ID URI. If you can't get it from them, you can scrape it from a login page from the myapps.microsoft.com page.
+
+1. Load the myapps.microsoft.com page.
+2. Click the chicklet for the login you want.
+3. In the window the pops open quickly copy the login.microsoftonline.com URL. (If you miss it just try again. You can also open the developer console with nagivation preservation to capture the URL.)
+4. The GUID right after login.microsoftonline.com/ is the tenant ID.
+5. Copy the SAMLRequest URL param.
+6. Paste it into a URL decoder ([like this one](https://www.samltool.com/url.php)) and decode.
+7. Paste the decoded output into the a SAML deflated and encoded XML decoder ([like this one](https://www.samltool.com/decode.php)).
+8. In the decoded XML output the value of the `Audience` tag is the App ID URI.
+9. You may double-check tenant ID using `Attribute` tag named `tenantid` provided in XML.
+
+## How It Works
+
+The Azure login page uses JavaScript, which requires a real web browser. To automate this from a command line, az2aws uses [Puppeteer](https://github.com/GoogleChrome/puppeteer), which automates a real Chromium browser. It loads the Azure login page behind the scenes, populates your username and password (and MFA token), parses the SAML assertion, uses the [AWS STS AssumeRoleWithSAML API](http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html) to get temporary credentials, and saves these in the CLI credentials file.
+
+## Troubleshooting
+
+The nature of browser automation with Puppeteer means the solution is bit brittle. A minor change on the Microsoft side could break the tool. If something isn't working, you can fall back to GUI mode (above). To debug an issue, you can run in debug mode (--mode debug) to see the GUI while az2aws tries to populate it. You can also have the tool print out more detail on what it is doing to try to do in order to diagnose. az2aws uses the [Node debug module](https://www.npmjs.com/package/debug) to print out debug info. Just set the DEBUG environmental variable to 'az2aws'. On Linux/OS X:
+
+    DEBUG=az2aws az2aws
+
+On Windows:
+
+    set DEBUG=az2aws
+    az2aws
+
+## Support for Other Authentication Providers
+
+Obviously, this tool only supports Azure AD as an identity provider. However, there is a lot of similarity with how other logins with other providers would work (especially if they are SAML providers). If you are interested in building support for a different provider let me know. It would be great to build a more generic AWS CLI login tool with plugins for the various providers.
+
+## Acknowledgements
+
+This project is forked from [aws-azure-login](https://github.com/aws-azure-login/aws-azure-login). Thanks to the original authors and contributors.

package/lib/CLIError.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CLIError = void 0;
+class CLIError extends Error {
+    constructor(message) {
+        super(message);
+        Error.captureStackTrace(this, this.constructor);
+        this.name = this.constructor.name;
+        this.message = message;
+    }
+}
+exports.CLIError = CLIError;

package/lib/awsConfig.js

@@ -0,0 +1,103 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.awsConfig = void 0;
+const ini_1 = __importDefault(require("ini"));
+const debug_1 = __importDefault(require("debug"));
+const paths_1 = require("./paths");
+const mkdirp_1 = __importDefault(require("mkdirp"));
+const fs_1 = __importDefault(require("fs"));
+const util_1 = __importDefault(require("util"));
+const debug = (0, debug_1.default)("az2aws");
+const writeFile = util_1.default.promisify(fs_1.default.writeFile);
+// Autorefresh credential time limit in milliseconds
+const refreshLimitInMs = 11 * 60 * 1000;
+exports.awsConfig = {
+    async setProfileConfigValuesAsync(profileName, values) {
+        const sectionName = profileName === "default" ? "default" : `profile ${profileName}`;
+        debug(`Setting config for profile '${profileName}' in section '${sectionName}'`);
+        const config = (await this._loadAsync("config")) || {};
+        config[sectionName] = {
+            ...config[sectionName],
+            ...values,
+        };
+        await this._saveAsync("config", config);
+    },
+    async getProfileConfigAsync(profileName) {
+        const sectionName = profileName === "default" ? "default" : `profile ${profileName}`;
+        debug(`Getting config for profile '${profileName}' in section '${sectionName}'`);
+        const config = await this._loadAsync("config");
+        if (!config) {
+            return undefined;
+        }
+        return config[sectionName];
+    },
+    async isProfileAboutToExpireAsync(profileName) {
+        debug(`Getting credentials for profile '${profileName}'`);
+        const config = await this._loadAsync("credentials");
+        let expirationDate;
+        if (!config ||
+            config[profileName] === undefined ||
+            config[profileName].aws_expiration === undefined) {
+            expirationDate = new Date();
+        }
+        else {
+            expirationDate = new Date(config[profileName].aws_expiration);
+        }
+        const timeDifference = expirationDate.getTime() - new Date().getTime();
+        debug(`Remaining time till credential expiration: ${timeDifference / 1000}s, refresh due if time lower than: ${refreshLimitInMs / 1000}s`);
+        return timeDifference < refreshLimitInMs;
+    },
+    async setProfileCredentialsAsync(profileName, values) {
+        const credentials = (await this._loadAsync("credentials")) || {};
+        debug(`Setting credentials for profile '${profileName}'`);
+        credentials[profileName] = values;
+        await this._saveAsync("credentials", credentials);
+    },
+    async getAllProfileNames() {
+        debug(`Getting all configured profiles from config.`);
+        const config = (await this._loadAsync("config")) || {};
+        const profiles = Object.keys(config).map(function (e) {
+            return e.replace("profile ", "");
+        });
+        debug(`Received profiles: ${profiles.toString()}`);
+        return profiles;
+    },
+    async _loadAsync(type) {
+        if (!paths_1.paths[type])
+            throw new Error(`Unknown config type: '${type}'`);
+        return new Promise((resolve, reject) => {
+            debug(`Loading '${type}' file at '${paths_1.paths[type]}'`);
+            fs_1.default.readFile(paths_1.paths[type], "utf8", (err, data) => {
+                if (err) {
+                    if (err.code === "ENOENT") {
+                        debug(`File not found. Returning undefined.`);
+                        return resolve(undefined);
+                    }
+                    else {
+                        return reject(err);
+                    }
+                }
+                debug("Parsing data");
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                const parsedIni = ini_1.default.parse(data);
+                // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+                return resolve(parsedIni);
+            });
+        });
+    },
+    async _saveAsync(type, data) {
+        if (!paths_1.paths[type])
+            throw new Error(`Unknown config type: '${type}'`);
+        if (!data)
+            throw new Error(`You must provide data for saving.`);
+        debug(`Stringifying ${type} INI data`);
+        const text = ini_1.default.stringify(data);
+        debug(`Creating AWS config directory '${paths_1.paths.awsDir}' if not exists.`);
+        await (0, mkdirp_1.default)(paths_1.paths.awsDir);
+        debug(`Writing '${type}' INI to file '${paths_1.paths[type]}'`);
+        await writeFile(paths_1.paths[type], text);
+    },
+};

package/lib/configureProfileAsync.js

@@ -0,0 +1,77 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.configureProfileAsync = void 0;
+const inquirer_1 = __importDefault(require("inquirer"));
+const awsConfig_1 = require("./awsConfig");
+async function configureProfileAsync(profileName) {
+    console.log(`Configuring profile '${profileName}'`);
+    const profile = await awsConfig_1.awsConfig.getProfileConfigAsync(profileName);
+    const questions = [
+        {
+            name: "tenantId",
+            message: "Azure Tenant ID:",
+            validate: (input) => !!input,
+            default: profile && profile.azure_tenant_id,
+        },
+        {
+            name: "appIdUri",
+            message: "Azure App ID URI:",
+            validate: (input) => !!input,
+            default: profile && profile.azure_app_id_uri,
+        },
+        {
+            name: "username",
+            message: "Default Username:",
+            default: profile && profile.azure_default_username,
+        },
+        {
+            name: "rememberMe",
+            message: "Stay logged in: skip authentication while refreshing aws credentials (true|false)",
+            default: (profile &&
+                profile.azure_default_remember_me &&
+                profile.azure_default_remember_me.toString()) ||
+                "false",
+            validate: (input) => {
+                if (input === "true" || input === "false")
+                    return true;
+                return "Remember me must be either true or false";
+            },
+        },
+        {
+            name: "defaultRoleArn",
+            message: "Default Role ARN (if multiple):",
+            default: profile && profile.azure_default_role_arn,
+        },
+        {
+            name: "defaultDurationHours",
+            message: "Default Session Duration Hours (up to 12):",
+            default: (profile && profile.azure_default_duration_hours) || 1,
+            validate: (input) => {
+                input = Number(input);
+                if (input > 0 && input <= 12)
+                    return true;
+                return "Duration hours must be between 0 and 12";
+            },
+        },
+        {
+            name: "region",
+            message: "AWS Region:",
+            default: profile && profile.region,
+        },
+    ];
+    const answers = await inquirer_1.default.prompt(questions);
+    await awsConfig_1.awsConfig.setProfileConfigValuesAsync(profileName, {
+        azure_tenant_id: answers.tenantId,
+        azure_app_id_uri: answers.appIdUri,
+        azure_default_username: answers.username,
+        azure_default_role_arn: answers.defaultRoleArn,
+        azure_default_duration_hours: answers.defaultDurationHours,
+        azure_default_remember_me: answers.rememberMe === "true",
+        region: answers.region,
+    });
+    console.log("Profile saved.");
+}
+exports.configureProfileAsync = configureProfileAsync;

package/lib/index.js

@@ -0,0 +1,54 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+process.on("SIGINT", () => process.exit(1));
+process.on("SIGTERM", () => process.exit(1));
+const commander_1 = require("commander");
+const configureProfileAsync_1 = require("./configureProfileAsync");
+const login_1 = require("./login");
+const program = new commander_1.Command();
+program
+    .option("-p, --profile <name>", "The name of the profile to log in with (or configure)")
+    .option("-a, --all-profiles", "Run for all configured profiles")
+    .option("-f, --force-refresh", "Force a credential refresh, even if they are still valid")
+    .option("-c, --configure", "Configure the profile")
+    .option("-m, --mode <mode>", "'cli' to hide the login page and perform the login through the CLI (default behavior), 'gui' to perform the login through the Azure GUI (more reliable but only works on GUI operating system), 'debug' to show the login page but perform the login through the CLI (useful to debug issues with the CLI login)")
+    .option("--no-sandbox", "Disable the Puppeteer sandbox (usually necessary on Linux)")
+    .option("--no-prompt", "Do not prompt for input and accept the default choice", false)
+    .option("--enable-chrome-network-service", "Enable Chromium's Network Service (needed when login provider redirects with 3XX)")
+    .option("--no-verify-ssl", "Disable SSL Peer Verification for connections to AWS (no effect if behind proxy)")
+    .option("--enable-chrome-seamless-sso", "Enable Chromium's pass-through authentication with Azure Active Directory Seamless Single Sign-On")
+    .option("--no-disable-extensions", "Tell Puppeteer not to pass the --disable-extensions flag to Chromium")
+    .option("--disable-gpu", "Tell Puppeteer to pass the --disable-gpu flag to Chromium")
+    .parse(process.argv);
+const options = program.opts();
+const profileName = options.profile ||
+    process.env.AWS_PROFILE ||
+    "default";
+const mode = options.mode || "cli";
+const disableSandbox = !options.sandbox;
+const noPrompt = !options.prompt;
+const enableChromeNetworkService = !!options.enableChromeNetworkService;
+const awsNoVerifySsl = !options.verifySsl;
+const enableChromeSeamlessSso = !!options.enableChromeSeamlessSso;
+const forceRefresh = !!options.forceRefresh;
+const noDisableExtensions = !options.disableExtensions;
+const disableGpu = !!options.disableGpu;
+Promise.resolve()
+    .then(() => {
+    if (options.allProfiles) {
+        return login_1.login.loginAll(mode, disableSandbox, noPrompt, enableChromeNetworkService, awsNoVerifySsl, enableChromeSeamlessSso, forceRefresh, noDisableExtensions, disableGpu);
+    }
+    if (options.configure)
+        return (0, configureProfileAsync_1.configureProfileAsync)(profileName);
+    return login_1.login.loginAsync(profileName, mode, disableSandbox, noPrompt, enableChromeNetworkService, awsNoVerifySsl, enableChromeSeamlessSso, noDisableExtensions, disableGpu);
+})
+    .catch((err) => {
+    if (err.name === "CLIError") {
+        console.error(err.message);
+        process.exit(2);
+    }
+    else {
+        console.log(err);
+    }
+});