az2aws 1.1.2 → 1.2.0

package/.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "1.1.2"
+  ".": "1.2.0"
 }

package/CHANGELOG.md

@@ -1,5 +1,26 @@
 # Changelog
 
+## [1.2.0](https://github.com/kuma0128/az2aws/compare/v1.1.3...v1.2.0) (2026-01-22)
+
+
+### Features
+
+* Add version flag to CLI command ([#67](https://github.com/kuma0128/az2aws/issues/67)) ([b89290f](https://github.com/kuma0128/az2aws/commit/b89290fe16d554f6a8a1bf09df0194a64d692b55))
+
+
+### Bug Fixes
+
+* Add default duration of 1 hour if parsing fails ([#70](https://github.com/kuma0128/az2aws/issues/70)) ([337d12c](https://github.com/kuma0128/az2aws/commit/337d12c90ab0eccf4034bd438ecfb2f0ad98db47))
+* Fix SAML assertion decoding to use UTF-8 encoding ([#72](https://github.com/kuma0128/az2aws/issues/72)) ([14e44a7](https://github.com/kuma0128/az2aws/commit/14e44a7ffe19e48177078aa6d87feb7e8ecf0c94))
+* resolve --no-verify-ssl and proxy settings conflict ([#73](https://github.com/kuma0128/az2aws/issues/73)) ([3fd9adf](https://github.com/kuma0128/az2aws/commit/3fd9adf6dd39109bb428b56215200ad1df3752a9))
+
+## [1.1.3](https://github.com/kuma0128/az2aws/compare/v1.1.2...v1.1.3) (2026-01-19)
+
+
+### Bug Fixes
+
+* snapcraft deploy flow ([#65](https://github.com/kuma0128/az2aws/issues/65)) ([a4a41d7](https://github.com/kuma0128/az2aws/commit/a4a41d79c3142762f3d593796c8bf31b558bb8fe))
+
 ## [1.1.2](https://github.com/kuma0128/az2aws/compare/v1.1.1...v1.1.2) (2026-01-19)
 
 

package/README.md

@@ -5,13 +5,13 @@
 
 # az2aws
 
-If your organization uses [Azure Active Directory](https://azure.microsoft.com) to provide SSO login to the AWS console, then there is no easy way to log in on the command line or to use the [AWS CLI](https://aws.amazon.com/cli/). This tool fixes that. It lets you use the normal Azure AD login (including MFA) from a command line to create a federated AWS session and places the temporary credentials in the proper place for the AWS CLI and SDKs.
+Log in to AWS CLI using [Azure Active Directory](https://azure.microsoft.com) SSO. Supports MFA and places temporary credentials in the proper location for AWS CLI and SDKs.
 
 ## Installation
 
 ### mise (Recommended)
 
-[mise](https://mise.jdx.dev/) is a polyglot version manager that can install az2aws directly.
+[mise](https://mise.jdx.dev/) is a version manager that can install az2aws directly.
 
 Install mise:
 
@@ -66,12 +66,10 @@ Run az2aws with a volume mounted to your AWS configuration directory:
 
     docker run --rm -it -v ~/.aws:/root/.aws az2aws/az2aws
 
-The Docker image is configured with an entrypoint so you can just feed any arguments in at the end.
-
-You can also put the docker-launch.sh script into your bin directory for the az2aws command to function as usual:
+You can also install the docker-launch.sh script to your PATH:
 
     # Download the script (replace VERSION with a specific release tag, e.g., v1.0.0)
-    curl -o /tmp/az2aws https://raw.githubusercontent.com/az2aws/az2aws/VERSION/docker-launch.sh -L
+    curl -o /tmp/az2aws https://raw.githubusercontent.com/kuma0128/az2aws/VERSION/docker-launch.sh -L
 
     # IMPORTANT: Review the script before installing
     cat /tmp/az2aws
@@ -80,9 +78,7 @@ You can also put the docker-launch.sh script into your bin directory for the az2
     sudo mv /tmp/az2aws /usr/local/bin/az2aws
     sudo chmod +x /usr/local/bin/az2aws
 
-> **Security Note:** Always download from a specific release tag (not `main`) and review the script contents before installing. Downloading and executing scripts directly from mutable branch heads poses a supply chain risk.
-
-Now just run `az2aws`.
+> **Security Note:** Always download from a specific release tag (not `main`) and review the script before installing.
 
 ### Snap
 
@@ -104,13 +100,12 @@ https://snapcraft.io/az2aws
 | `--enable-chrome-seamless-sso` | Enable Azure AD Seamless SSO |
 | `--no-disable-extensions` | Keep browser extensions enabled |
 | `--disable-gpu` | Disable GPU acceleration |
+| `--version (-v)` | Show version number |
 
 ## Usage
 
 ### Configuration
 
-#### AWS
-
 To configure the az2aws client run:
 
     az2aws --configure
@@ -119,22 +114,16 @@ You'll need your [Azure Tenant ID and the App ID URI](#getting-your-tenant-id-an
 
     az2aws --configure --profile foo
 
-##### GovCloud Support
-
-To use az2aws with AWS GovCloud, set the `region` profile property in your ~/.aws/config to the one of the GovCloud regions:
-
-- us-gov-west-1
-- us-gov-east-1
-
-##### China Region Support
+#### GovCloud / China Region Support
 
-To use az2aws with AWS China Cloud, set the `region` profile property in your ~/.aws/config to the China region:
+Set the `region` in your ~/.aws/config to use non-standard AWS partitions:
 
-- cn-north-1
+- **GovCloud**: us-gov-west-1, us-gov-east-1
+- **China**: cn-north-1, cn-northwest-1
 
 #### Stay Logged In
 
-During configuration, you can enable "Stay logged in" to skip username/password/MFA on subsequent logins. Session cookies will remember your identity, allowing you to use `--no-prompt` without storing passwords:
+Enable "Stay logged in" during configuration to use `--no-prompt` without storing passwords:
 
     az2aws --no-prompt
     az2aws --profile foo --no-prompt
@@ -154,28 +143,26 @@ To avoid storing passwords in bash history, use a leading space:
 
 #### Use an Existing Chrome Install and Profile
 
-Instead of using the bundled Chromium, you can use an existing Chrome installation with your own user profile by setting the following environment variables:
+Use your own Chrome installation by setting these environment variables:
 
 - `BROWSER_CHROME_BIN` - Path to Chrome executable
 - `BROWSER_USER_DATA_DIR` - Chrome user data directory
 - `BROWSER_PROFILE_DIR` - Chrome profile name (e.g., "Default")
 
-Example (macOS):
+Example:
 
+    # macOS
     export BROWSER_CHROME_BIN="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
-    export BROWSER_USER_DATA_DIR="/Users/<user>/Library/Application Support/Google/Chrome"
-    export BROWSER_PROFILE_DIR="Default"
-    az2aws --mode gui --no-disable-extensions --no-sandbox
-
-Example (Linux):
+    export BROWSER_USER_DATA_DIR="$HOME/Library/Application Support/Google/Chrome"
 
+    # Linux
     export BROWSER_CHROME_BIN="/usr/bin/google-chrome"
-    export BROWSER_USER_DATA_DIR="/home/<user>/.config/google-chrome"
+    export BROWSER_USER_DATA_DIR="$HOME/.config/google-chrome"
+
+    # Common
     export BROWSER_PROFILE_DIR="Default"
     az2aws --mode gui --no-disable-extensions --no-sandbox
 
-Using Chrome instead of Chromium allows you to use browser extensions such as password managers.
-
 ### Logging In
 
     az2aws                    # Default profile
@@ -187,12 +174,11 @@ You'll be prompted for username, password, and MFA if required. After login, use
 **Tips:**
 - Set `AWS_PROFILE` env var instead of using `--profile`
 - Use `--mode gui --disable-gpu` on VMs or if rendering fails
-- Use `--no-sandbox` on Linux
 - Set `https_proxy` env var for corporate proxy
 
 ## Automation
 
-Renew all profiles at once (useful for short session limits):
+Renew all profiles at once:
 
     az2aws --all-profiles
     az2aws --all-profiles --no-prompt    # With "Stay logged in" enabled
@@ -201,21 +187,21 @@ Credentials are only refreshed if expiring within 11 minutes - safe to run as a
 
 ## Getting Your Tenant ID and App ID URI
 
-Your Azure AD system admin should be able to provide you with your Tenant ID and App ID URI. If you can't get it from them, you can scrape it from a login page from the myapps.microsoft.com page.
+Ask your Azure AD admin for these values, or extract them from myapps.microsoft.com:
 
 1. Load the myapps.microsoft.com page.
-2. Click the chicklet for the login you want.
-3. In the window the pops open quickly copy the login.microsoftonline.com URL. (If you miss it just try again. You can also open the developer console with nagivation preservation to capture the URL.)
+2. Click the app tile for the login you want.
+3. In the window that pops open, quickly copy the login.microsoftonline.com URL. (You can also use browser DevTools with "Preserve log" enabled to capture it.)
 4. The GUID right after login.microsoftonline.com/ is the tenant ID.
 5. Copy the SAMLRequest URL param.
 6. Paste it into a URL decoder ([like this one](https://www.samltool.com/url.php)) and decode.
-7. Paste the decoded output into the a SAML deflated and encoded XML decoder ([like this one](https://www.samltool.com/decode.php)).
+7. Paste the decoded output into a SAML deflated and encoded XML decoder ([like this one](https://www.samltool.com/decode.php)).
 8. In the decoded XML output the value of the `Audience` tag is the App ID URI.
-9. You may double-check tenant ID using `Attribute` tag named `tenantid` provided in XML.
+9. Verify the tenant ID using the `tenantid` attribute in the XML.
 
 ## How It Works
 
-The Azure login page uses JavaScript, which requires a real web browser. To automate this from a command line, az2aws uses [Puppeteer](https://github.com/GoogleChrome/puppeteer), which automates a real Chromium browser. It loads the Azure login page behind the scenes, populates your username and password (and MFA token), parses the SAML assertion, uses the [AWS STS AssumeRoleWithSAML API](http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html) to get temporary credentials, and saves these in the CLI credentials file.
+az2aws uses [Puppeteer](https://github.com/GoogleChrome/puppeteer) to automate a Chromium browser for Azure AD login. It parses the SAML response and calls [AWS STS AssumeRoleWithSAML](http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html) to get temporary credentials.
 
 ## Troubleshooting
 
@@ -227,7 +213,7 @@ If login fails, try these in order:
 
 ## Support for Other Authentication Providers
 
-Obviously, this tool only supports Azure AD as an identity provider. However, there is a lot of similarity with how other logins with other providers would work (especially if they are SAML providers). If you are interested in building support for a different provider let me know. It would be great to build a more generic AWS CLI login tool with plugins for the various providers.
+This tool only supports Azure AD. Contributions for other SAML providers are welcome - open an issue on GitHub to discuss.
 
 ## Acknowledgements
 

package/lib/index.js

@@ -6,8 +6,11 @@ process.on("SIGTERM", () => process.exit(1));
 const commander_1 = require("commander");
 const configureProfileAsync_1 = require("./configureProfileAsync");
 const login_1 = require("./login");
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { version } = require("../package.json");
 const program = new commander_1.Command();
 program
+    .version(version, "-v, --version")
     .option("-p, --profile <name>", "The name of the profile to log in with (or configure)")
     .option("-a, --all-profiles", "Run for all configured profiles")
     .option("-f, --force-refresh", "Force a credential refresh, even if they are still valid")
@@ -16,7 +19,7 @@ program
     .option("--no-sandbox", "Disable the Puppeteer sandbox (usually necessary on Linux)")
     .option("--no-prompt", "Do not prompt for input and accept the default choice", false)
     .option("--enable-chrome-network-service", "Enable Chromium's Network Service (needed when login provider redirects with 3XX)")
-    .option("--no-verify-ssl", "Disable SSL Peer Verification for connections to AWS (no effect if behind proxy)")
+    .option("--no-verify-ssl", "Disable SSL Peer Verification for connections to AWS")
     .option("--enable-chrome-seamless-sso", "Enable Chromium's pass-through authentication with Azure Active Directory Seamless Single Sign-On")
     .option("--no-disable-extensions", "Tell Puppeteer not to pass the --disable-extensions flag to Chromium")
     .option("--disable-gpu", "Tell Puppeteer to pass the --disable-gpu flag to Chromium")
@@ -49,6 +52,7 @@ Promise.resolve()
         process.exit(2);
     }
     else {
-        console.log(err);
+        console.error(err);
+        process.exit(1);
     }
 });

package/lib/login.js

@@ -16,7 +16,7 @@ const querystring_1 = __importDefault(require("querystring"));
 const debug_1 = __importDefault(require("debug"));
 const CLIError_1 = require("./CLIError");
 const awsConfig_1 = require("./awsConfig");
-const proxy_agent_1 = __importDefault(require("proxy-agent"));
+const https_proxy_agent_1 = require("https-proxy-agent");
 const paths_1 = require("./paths");
 const mkdirp_1 = __importDefault(require("mkdirp"));
 const https_1 = require("https");
@@ -674,8 +674,8 @@ exports.login = {
      * @private
      */
     _parseRolesFromSamlResponse(assertion) {
-        debug("Converting assertion from base64 to ASCII");
-        const samlText = Buffer.from(assertion, "base64").toString("ascii");
+        debug("Converting assertion from base64 to UTF-8");
+        const samlText = Buffer.from(assertion, "base64").toString("utf8");
         debug("Converted", samlText);
         debug("Parsing SAML XML");
         const saml = (0, cheerio_1.load)(samlText, { xmlMode: true });
@@ -710,7 +710,7 @@ exports.login = {
      */
     async _askUserForRoleAndDurationAsync(roles, noPrompt, defaultRoleArn, defaultDurationHours) {
         let role;
-        let durationHours = parseInt(defaultDurationHours, 10);
+        let durationHours = parseInt(defaultDurationHours, 10) || 1;
         const questions = [];
         if (roles.length === 0) {
             throw new CLIError_1.CLIError("No roles found in SAML response.");
@@ -784,18 +784,21 @@ exports.login = {
         var _a, _b, _c, _d, _e;
         console.log(`Assuming role ${role.roleArn} in region ${region}...`);
         let stsOptions = {};
+        if (awsNoVerifySsl) {
+            console.warn("WARNING: SSL certificate verification is disabled. " +
+                "This makes the connection vulnerable to MITM attacks. " +
+                "Consider using NODE_EXTRA_CA_CERTS environment variable instead.");
+        }
         if (process.env.https_proxy) {
+            const proxyOptions = awsNoVerifySsl ? { rejectUnauthorized: false } : {};
             stsOptions = {
                 ...stsOptions,
                 requestHandler: new node_http_handler_1.NodeHttpHandler({
-                    httpsAgent: (0, proxy_agent_1.default)(process.env.https_proxy),
+                    httpsAgent: new https_proxy_agent_1.HttpsProxyAgent(process.env.https_proxy, proxyOptions),
                 }),
             };
         }
-        if (awsNoVerifySsl) {
-            console.warn("WARNING: SSL certificate verification is disabled. " +
-                "This makes the connection vulnerable to MITM attacks. " +
-                "Consider using NODE_EXTRA_CA_CERTS environment variable instead.");
+        else if (awsNoVerifySsl) {
             stsOptions = {
                 ...stsOptions,
                 requestHandler: new node_http_handler_1.NodeHttpHandler({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "az2aws",
-  "version": "1.1.2",
+  "version": "1.2.0",
   "description": "Use Azure AD SSO to log into the AWS CLI. A modern, actively maintained alternative to aws-azure-login.",
   "main": "index.js",
   "author": {
@@ -60,11 +60,11 @@
     "cheerio": "^1.0.0-rc.10",
     "commander": "^9.5.0",
     "debug": "^4.3.1",
+    "https-proxy-agent": "^7.0.6",
     "ini": "^3.0.1",
     "inquirer": "^8.2.6",
     "lodash": "^4.17.21",
     "mkdirp": "^1.0.4",
-    "proxy-agent": "^6.4.0",
     "puppeteer": "^24.34.0",
     "uuid": "^8.3.2"
   },