az2aws 1.6.1 → 1.7.0

package/.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf

package/CHANGELOG.md

@@ -1,5 +1,30 @@
 # Changelog
 
+## [1.7.0](https://github.com/kuma0128/az2aws/compare/v1.6.2...v1.7.0) (2026-04-13)
+
+
+### Features
+
+* add credential_process output mode ([#95](https://github.com/kuma0128/az2aws/issues/95)) ([2a3e66f](https://github.com/kuma0128/az2aws/commit/2a3e66fcd19fd461dd2f84fc32caa383fb56990c))
+* add macOS CI coverage and separate E2E job ([#183](https://github.com/kuma0128/az2aws/issues/183)) ([cf617f8](https://github.com/kuma0128/az2aws/commit/cf617f899b5d2ba88650f7ffd26c3195dc32c695))
+* Use Windows app-data conventions for update notifier cache ([#180](https://github.com/kuma0128/az2aws/issues/180)) ([8383ae4](https://github.com/kuma0128/az2aws/commit/8383ae46a468630ce531cc9df0dd7d64f115e49c))
+
+
+### Bug Fixes
+
+* --no-prompt on account selection screen ([#173](https://github.com/kuma0128/az2aws/issues/173)) ([07c833f](https://github.com/kuma0128/az2aws/commit/07c833ff8a4553b8c32ed7841b3544776c41f907))
+* clear password input before typing to prevent appending ([#171](https://github.com/kuma0128/az2aws/issues/171)) ([dfb0d65](https://github.com/kuma0128/az2aws/commit/dfb0d65c85fdb3a38bbc2d6ccdbd492f18e97c25))
+* enforce whole number validation for session duration hours ([#167](https://github.com/kuma0128/az2aws/issues/167)) ([0bc7fb4](https://github.com/kuma0128/az2aws/commit/0bc7fb4f187dad422f08a42ece57a4b04138c51d))
+* PATH handling when installing Chrome in CI workflow ([#184](https://github.com/kuma0128/az2aws/issues/184)) ([f6fd008](https://github.com/kuma0128/az2aws/commit/f6fd008a65f7c722b78ae65121e1e20f421dc232))
+* support custom AWS config parent directories ([#172](https://github.com/kuma0128/az2aws/issues/172)) ([19753dd](https://github.com/kuma0128/az2aws/commit/19753dd769f31a72b4e0bdb84acf9638c1cd67f7))
+
+## [1.6.2](https://github.com/kuma0128/az2aws/compare/v1.6.1...v1.6.2) (2026-04-10)
+
+
+### Bug Fixes
+
+* **deps:** remove unnecessary dependency for security hardening ([#156](https://github.com/kuma0128/az2aws/issues/156)) ([b1ac64d](https://github.com/kuma0128/az2aws/commit/b1ac64d358197db094603dbc948c5f49cfa78c88))
+
 ## [1.6.1](https://github.com/kuma0128/az2aws/compare/v1.6.0...v1.6.1) (2026-04-02)
 
 

package/CONTRIBUTING.md

@@ -90,11 +90,31 @@ pnpm build && node ./lib/index.js
 | `pnpm build` | Build for production |
 | `pnpm test` | Run unit tests |
 | `pnpm test:coverage` | Run unit tests with coverage |
+| `pnpm test:e2e` | Run the live Azure→AWS browser smoke test |
 | `pnpm lint` | Run ESLint and formatting checks |
 | `pnpm eslint` | Run ESLint |
 | `pnpm prettier:check` | Check code formatting |
 | `pnpm prettier:write` | Auto-fix code formatting |
 
+### E2E Smoke Test
+
+`pnpm test:e2e` launches a real Puppeteer/Chrome session, signs in through
+Azure AD, and verifies that az2aws can retrieve AWS credentials via
+`credential_process` without persisting them to the shared credentials file.
+
+Copy `.env.example` to `.env` and fill in the values. See
+[`vitest.e2e.config.ts`](vitest.e2e.config.ts) for the Vitest settings used by
+this suite.
+
+To troubleshoot a failing run, rerun with `AZ2AWS_E2E_MODE=debug` (visible
+browser, auto-fill) or `AZ2AWS_E2E_MODE=gui` (fully manual).
+
+> **Note:** Passkey-first Microsoft accounts are not supported — use a dedicated
+> account with standard username/password/MFA.
+
+CI only runs this test on `push` to `main` and `workflow_dispatch`; PR
+validation does not depend on repository secrets.
+
 ## Development Workflow
 
 1. Create a new branch from `main`:

package/README.md

@@ -7,6 +7,17 @@
 
 Log in to AWS CLI using [Azure Active Directory](https://azure.microsoft.com) SSO. Supports MFA and places temporary credentials in the proper location for AWS CLI and SDKs.
 
+> **💡 Tip:** Let's be honest — typing `az2aws` correctly on the first try is harder than the AWS certification exam. Save your sanity:
+>
+> ```sh
+> # Add to your ~/.zshrc or ~/.bashrc
+> alias a2='az2aws'
+> # or
+> alias aa='az2aws'
+> ```
+>
+> Your fingers will thank you. Your keyboard will thank you. Your coworkers will stop hearing you swear.
+
 ## Installation
 
 ### mise (Recommended)
@@ -56,9 +67,13 @@ You must install [puppeteer dependencies](https://github.com/GoogleChrome/puppet
 
 #### Windows Notes
 
-If you get a missing Chrome/Chromium error, install the puppeteer dependency manually:
+If you get a missing Chrome/Chromium error, reinstall the Puppeteer browser from the installed `az2aws` package directory:
+
+    node <npm_global_node_modules>\az2aws\node_modules\puppeteer\install.mjs
 
-    node <node_modules_dir>/az2aws/node_modules/puppeteer/install.js
+For an npm global install, replace `<npm_global_node_modules>` with the output of `npm root -g`.
+If you installed az2aws with pnpm or another package manager, locate `puppeteer/install.mjs`
+under the installed `az2aws` package directory and run it with `node`.
 
 ### Docker
 
@@ -101,6 +116,7 @@ https://snapcraft.io/az2aws
 | `--no-disable-extensions` | Keep browser extensions enabled |
 | `--disable-gpu` | Disable GPU acceleration |
 | `--incognito` | Open the login flow in an incognito browser context |
+| `--credential-process` | Output credentials for AWS CLI credential_process |
 | `--version (-v)` | Show version number |
 
 ## Usage
@@ -137,6 +153,29 @@ Enable "Stay logged in" during configuration to use `--no-prompt` without storin
 helps avoid reusing an existing browser session, and it overrides any saved
 "Stay logged in" browser state for that run.
 
+#### AWS CLI credential_process
+
+Configure the profile first so it has the defaults needed for non-interactive
+login, then point AWS CLI at `az2aws`:
+
+    [profile myprofile]
+    credential_process = az2aws --profile myprofile --credential-process
+
+`--credential-process` uses the same non-interactive defaults as `--no-prompt`,
+so make sure the profile already has the role and other required values set.
+Standard output is reserved for the AWS CLI JSON payload, while human-readable
+status messages are written to stderr.
+
+Example stdout payload:
+
+    {
+      "Version": 1,
+      "AccessKeyId": "...",
+      "SecretAccessKey": "...",
+      "SessionToken": "...",
+      "Expiration": "2026-01-01T00:00:00.000Z"
+    }
+
 #### Environment Variables
 
 You can set defaults via environment variables (use with `--no-prompt`):
@@ -181,10 +220,15 @@ Example:
     az2aws                    # Default profile
     az2aws --profile foo      # Named profile
     az2aws --mode gui         # Use browser UI (more reliable)
+    az2aws --mode debug       # Show the browser while az2aws still drives the flow
     az2aws --mode gui --incognito  # Open a fresh incognito login window
 
 You'll be prompted for username, password, and MFA if required. After login, use AWS CLI/SDKs as usual.
 
+`--mode gui` is fully manual and waits for you to complete the browser flow
+yourself. If you want the browser to stay visible while az2aws still auto-fills
+the login steps, use `--mode debug`.
+
 **Tips:**
 - Set `AWS_PROFILE` env var instead of using `--profile`
 - Use `--mode gui --disable-gpu` on VMs or if rendering fails
@@ -206,6 +250,13 @@ If you see device compliance errors (e.g., "Device UnSecured Or Non-Compliant"),
 Try:
  `--mode gui` and use your system Chrome via `BROWSER_CHROME_BIN`.
 
+If your Microsoft account requires a saved passkey prompt before the username
+or password page appears, that flow is unsupported in `az2aws --mode cli`.
+The prompt is rendered by the browser/OS passkey UI instead of the page DOM,
+so az2aws cannot dismiss it automatically. Use `--mode gui` and handle it
+manually, or use an account that can continue with the standard page-based
+username/password/MFA flow.
+
 If you see "Unable to recognize page state!", Azure's login pages may have
 changed. Try:
 

package/lib/awsConfig.js

@@ -7,11 +7,81 @@ exports.awsConfig = void 0;
 const ini_1 = __importDefault(require("ini"));
 const debug_1 = __importDefault(require("debug"));
 const paths_1 = require("./paths");
-const mkdirp_1 = require("mkdirp");
+const promises_1 = require("node:fs/promises");
 const fs_1 = __importDefault(require("fs"));
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const path_1 = __importDefault(require("path"));
 const util_1 = __importDefault(require("util"));
 const debug = (0, debug_1.default)("az2aws");
 const writeFile = util_1.default.promisify(fs_1.default.writeFile);
+const awsDirMode = 0o700;
+const awsFileMode = 0o600;
+const ignoredChmodErrorCodes = new Set([
+    "EACCES",
+    "EINVAL",
+    "ENOSYS",
+    "ENOTSUP",
+    "EPERM",
+    "EROFS",
+]);
+async function hardenPathPermissions(fsPath, mode) {
+    if (process.platform === "win32") {
+        return;
+    }
+    try {
+        await (0, promises_1.chmod)(fsPath, mode);
+    }
+    catch (error) {
+        const code = error.code;
+        if (typeof code === "string" && ignoredChmodErrorCodes.has(code)) {
+            debug(`Skipping permission hardening due to ${code}`);
+            return;
+        }
+        throw error;
+    }
+}
+async function hardenCreatedDirectories(createdDir, targetDir) {
+    const resolvedCreatedDir = path_1.default.resolve(createdDir);
+    const resolvedTargetDir = path_1.default.resolve(targetDir);
+    const relativeTargetDir = path_1.default.relative(resolvedCreatedDir, resolvedTargetDir);
+    if (relativeTargetDir === ".." ||
+        relativeTargetDir.startsWith(`..${path_1.default.sep}`) ||
+        path_1.default.isAbsolute(relativeTargetDir)) {
+        debug("Skipping permission hardening because the target directory is not within the created directory.");
+        return;
+    }
+    let currentDir = resolvedCreatedDir;
+    await hardenPathPermissions(currentDir, awsDirMode);
+    if (!relativeTargetDir) {
+        return;
+    }
+    for (const segment of relativeTargetDir.split(path_1.default.sep)) {
+        if (!segment || segment === ".") {
+            continue;
+        }
+        currentDir = path_1.default.join(currentDir, segment);
+        await hardenPathPermissions(currentDir, awsDirMode);
+    }
+}
+async function atomicWriteTextFile(targetPath, text) {
+    const targetDir = path_1.default.dirname(targetPath);
+    const tempPath = targetDir === "."
+        ? `.${path_1.default.basename(targetPath)}.${node_crypto_1.default.randomUUID()}.tmp`
+        : path_1.default.join(targetDir, `.${path_1.default.basename(targetPath)}.${node_crypto_1.default.randomUUID()}.tmp`);
+    let shouldCleanupTempPath = false;
+    try {
+        await writeFile(tempPath, text);
+        shouldCleanupTempPath = true;
+        await hardenPathPermissions(tempPath, awsFileMode);
+        await (0, promises_1.rename)(tempPath, targetPath);
+        shouldCleanupTempPath = false;
+    }
+    finally {
+        if (shouldCleanupTempPath) {
+            await (0, promises_1.rm)(tempPath, { force: true }).catch(() => undefined);
+        }
+    }
+}
 // Autorefresh credential time limit in milliseconds
 const refreshLimitInMs = 11 * 60 * 1000;
 exports.awsConfig = {
@@ -71,11 +141,12 @@ exports.awsConfig = {
         return profiles;
     },
     async _loadAsync(type) {
-        if (!paths_1.paths[type])
+        const targetPath = paths_1.paths[type];
+        if (!targetPath)
             throw new Error(`Unknown config type: '${type}'`);
         return new Promise((resolve, reject) => {
-            debug(`Loading '${type}' file at '${paths_1.paths[type]}'`);
-            fs_1.default.readFile(paths_1.paths[type], "utf8", (err, data) => {
+            debug(`Loading '${type}' file`);
+            fs_1.default.readFile(targetPath, "utf8", (err, data) => {
                 if (err) {
                     if (err.code === "ENOENT") {
                         debug(`File not found. Returning undefined.`);
@@ -86,23 +157,45 @@ exports.awsConfig = {
                     }
                 }
                 debug("Parsing data");
-                // eslint-disable-next-line @typescript-eslint/no-explicit-any
                 const parsedIni = ini_1.default.parse(data);
-                // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
                 return resolve(parsedIni);
             });
         });
     },
     async _saveAsync(type, data) {
-        if (!paths_1.paths[type])
+        const targetPath = paths_1.paths[type];
+        if (!targetPath)
             throw new Error(`Unknown config type: '${type}'`);
         if (!data)
             throw new Error(`You must provide data for saving.`);
         debug(`Stringifying ${type} INI data`);
         const text = ini_1.default.stringify(data);
-        debug(`Creating AWS config directory '${paths_1.paths.awsDir}' if not exists.`);
-        await (0, mkdirp_1.mkdirp)(paths_1.paths.awsDir);
-        debug(`Writing '${type}' INI to file '${paths_1.paths[type]}'`);
-        await writeFile(paths_1.paths[type], text);
+        const targetDir = path_1.default.dirname(targetPath);
+        const isDefaultAwsDir = path_1.default.resolve(targetDir) === path_1.default.resolve(paths_1.paths.awsDir);
+        if (targetDir !== ".") {
+            debug(`Creating target directory for '${type}' if it does not exist.`);
+            const createdDir = await (0, promises_1.mkdir)(targetDir, {
+                recursive: true,
+                mode: awsDirMode,
+            });
+            if (isDefaultAwsDir) {
+                await hardenPathPermissions(targetDir, awsDirMode);
+            }
+            else if (createdDir) {
+                await hardenCreatedDirectories(createdDir, targetDir);
+            }
+            else {
+                debug("Skipping directory permission hardening for existing custom directory.");
+            }
+        }
+        else {
+            debug(`Skipping target directory creation for '${type}' because it uses the current working directory.`);
+        }
+        debug(`Writing '${type}' INI to file atomically`);
+        await atomicWriteTextFile(targetPath, text);
+        // Defensive: atomicWriteTextFile already sets permissions on the temp file
+        // before rename, but we re-apply here in case rename semantics differ across
+        // platforms or file-systems.
+        await hardenPathPermissions(targetPath, awsFileMode);
     },
 };

package/lib/configureProfileAsync.js

@@ -5,8 +5,11 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.configureProfileAsync = configureProfileAsync;
 const inquirer_1 = __importDefault(require("inquirer"));
+const CLIError_1 = require("./CLIError");
 const awsConfig_1 = require("./awsConfig");
+const sessionDuration_1 = require("./sessionDuration");
 async function configureProfileAsync(profileName) {
+    var _a;
     console.log(`Configuring profile '${profileName}'`);
     const profile = await awsConfig_1.awsConfig.getProfileConfigAsync(profileName);
     const questions = [
@@ -54,13 +57,8 @@ async function configureProfileAsync(profileName) {
             type: "input",
             name: "defaultDurationHours",
             message: "Default Session Duration Hours (up to 12):",
-            default: (profile && profile.azure_default_duration_hours) || 1,
-            validate: (input) => {
-                const num = Number(input);
-                if (num > 0 && num <= 12)
-                    return true;
-                return "Duration hours must be between 1 and 12";
-            },
+            default: (_a = (0, sessionDuration_1.parseSessionDurationHours)(profile === null || profile === void 0 ? void 0 : profile.azure_default_duration_hours)) !== null && _a !== void 0 ? _a : 1,
+            validate: sessionDuration_1.validateSessionDurationHours,
         },
         {
             type: "input",
@@ -70,12 +68,16 @@ async function configureProfileAsync(profileName) {
         },
     ];
     const answers = await inquirer_1.default.prompt(questions);
+    const defaultDurationHours = (0, sessionDuration_1.parseSessionDurationHours)(answers.defaultDurationHours);
+    if (defaultDurationHours === null) {
+        throw new CLIError_1.CLIError(sessionDuration_1.sessionDurationHoursValidationMessage);
+    }
     await awsConfig_1.awsConfig.setProfileConfigValuesAsync(profileName, {
         azure_tenant_id: answers.tenantId,
         azure_app_id_uri: answers.appIdUri,
         azure_default_username: answers.username,
         azure_default_role_arn: answers.defaultRoleArn,
-        azure_default_duration_hours: answers.defaultDurationHours,
+        azure_default_duration_hours: String(defaultDurationHours),
         azure_default_remember_me: answers.rememberMe === "true",
         region: answers.region,
     });

package/lib/index.js

@@ -6,7 +6,9 @@ process.on("SIGTERM", () => process.exit(1));
 const commander_1 = require("commander");
 const configureProfileAsync_1 = require("./configureProfileAsync");
 const login_1 = require("./login");
+const sensitiveOutput_1 = require("./sensitiveOutput");
 const updateNotifier_1 = require("./updateNotifier");
+const validateCliOptions_1 = require("./validateCliOptions");
 // eslint-disable-next-line @typescript-eslint/no-require-imports
 const { version } = require("../package.json");
 const program = new commander_1.Command();
@@ -24,6 +26,7 @@ program
     .option("--enable-chrome-seamless-sso", "Enable Chromium's pass-through authentication with Azure Active Directory Seamless Single Sign-On")
     .option("--no-disable-extensions", "Tell Puppeteer not to pass the --disable-extensions flag to Chromium")
     .option("--disable-gpu", "Tell Puppeteer to pass the --disable-gpu flag to Chromium")
+    .option("--credential-process", "Output credentials in JSON format for AWS CLI credential_process")
     .option("--incognito", "Launch Chromium in incognito mode")
     .parse(process.argv);
 const options = program.opts();
@@ -39,6 +42,7 @@ const enableChromeSeamlessSso = !!options.enableChromeSeamlessSso;
 const forceRefresh = !!options.forceRefresh;
 const noDisableExtensions = !options.disableExtensions;
 const disableGpu = !!options.disableGpu;
+const credentialProcess = !!options.credentialProcess;
 const incognito = !!options.incognito;
 // Start the update lookup immediately, but only print after the main flow ends.
 const updateCheckPromise = (0, updateNotifier_1.checkForUpdate)(version, {
@@ -47,6 +51,11 @@ const updateCheckPromise = (0, updateNotifier_1.checkForUpdate)(version, {
 async function runAsync() {
     let exitCode = 0;
     try {
+        (0, validateCliOptions_1.validateCliOptions)({
+            allProfiles: !!options.allProfiles,
+            configure: !!options.configure,
+            credentialProcess,
+        });
         if (options.allProfiles) {
             await login_1.login.loginAll(mode, disableSandbox, noPrompt, enableChromeNetworkService, awsNoVerifySsl, enableChromeSeamlessSso, forceRefresh, noDisableExtensions, disableGpu, incognito);
         }
@@ -54,16 +63,20 @@ async function runAsync() {
             await (0, configureProfileAsync_1.configureProfileAsync)(profileName);
         }
         else {
-            await login_1.login.loginAsync(profileName, mode, disableSandbox, noPrompt, enableChromeNetworkService, awsNoVerifySsl, enableChromeSeamlessSso, noDisableExtensions, disableGpu, incognito);
+            await login_1.login.loginAsync(profileName, mode, disableSandbox, noPrompt, enableChromeNetworkService, awsNoVerifySsl, enableChromeSeamlessSso, noDisableExtensions, disableGpu, incognito, credentialProcess);
         }
     }
     catch (err) {
         if (err instanceof Error && err.name === "CLIError") {
-            console.error(err.message);
+            console.error((0, sensitiveOutput_1.formatCliErrorMessage)(err.message));
             exitCode = 2;
         }
+        else if (err instanceof Error) {
+            console.error((0, sensitiveOutput_1.formatUnexpectedErrorMessage)(err));
+            exitCode = 1;
+        }
         else {
-            console.error(err);
+            console.error((0, sensitiveOutput_1.formatUnexpectedErrorMessage)(err));
             exitCode = 1;
         }
     }