az2aws 1.6.2 → 1.8.0

package/.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf

package/CHANGELOG.md

@@ -1,5 +1,42 @@
 # Changelog
 
+## [1.8.0](https://github.com/kuma0128/az2aws/compare/v1.7.0...v1.8.0) (2026-04-27)
+
+
+### Features
+
+* show saved credential usage details ([#206](https://github.com/kuma0128/az2aws/issues/206)) ([04855cf](https://github.com/kuma0128/az2aws/commit/04855cf18e42f84ec2d639c825b0b6233730c3a0))
+
+
+### Bug Fixes
+
+* **login:** retry managed profile reset on Windows lock errors ([#199](https://github.com/kuma0128/az2aws/issues/199)) ([a4ad1c7](https://github.com/kuma0128/az2aws/commit/a4ad1c76d0f193cee16f17319e47449c6b5cba44))
+* **login:** skip non-az2aws profiles in --all-profiles ([#196](https://github.com/kuma0128/az2aws/issues/196)) ([0dc6820](https://github.com/kuma0128/az2aws/commit/0dc6820775ebf03637dda78a899e0e2c16c25561))
+* outdated references in README and docker-launch.sh ([#192](https://github.com/kuma0128/az2aws/issues/192)) ([79421ae](https://github.com/kuma0128/az2aws/commit/79421ae4c6c734cb81b37fde6a457e2b9c0752e8))
+
+
+### Performance Improvements
+
+* switch CI to Corepack and drop manual pnpm store cache ([a27b64c](https://github.com/kuma0128/az2aws/commit/a27b64c4183382a10618a6dfcae0ccf803261894))
+
+## [1.7.0](https://github.com/kuma0128/az2aws/compare/v1.6.2...v1.7.0) (2026-04-13)
+
+
+### Features
+
+* add credential_process output mode ([#95](https://github.com/kuma0128/az2aws/issues/95)) ([2a3e66f](https://github.com/kuma0128/az2aws/commit/2a3e66fcd19fd461dd2f84fc32caa383fb56990c))
+* add macOS CI coverage and separate E2E job ([#183](https://github.com/kuma0128/az2aws/issues/183)) ([cf617f8](https://github.com/kuma0128/az2aws/commit/cf617f899b5d2ba88650f7ffd26c3195dc32c695))
+* Use Windows app-data conventions for update notifier cache ([#180](https://github.com/kuma0128/az2aws/issues/180)) ([8383ae4](https://github.com/kuma0128/az2aws/commit/8383ae46a468630ce531cc9df0dd7d64f115e49c))
+
+
+### Bug Fixes
+
+* --no-prompt on account selection screen ([#173](https://github.com/kuma0128/az2aws/issues/173)) ([07c833f](https://github.com/kuma0128/az2aws/commit/07c833ff8a4553b8c32ed7841b3544776c41f907))
+* clear password input before typing to prevent appending ([#171](https://github.com/kuma0128/az2aws/issues/171)) ([dfb0d65](https://github.com/kuma0128/az2aws/commit/dfb0d65c85fdb3a38bbc2d6ccdbd492f18e97c25))
+* enforce whole number validation for session duration hours ([#167](https://github.com/kuma0128/az2aws/issues/167)) ([0bc7fb4](https://github.com/kuma0128/az2aws/commit/0bc7fb4f187dad422f08a42ece57a4b04138c51d))
+* PATH handling when installing Chrome in CI workflow ([#184](https://github.com/kuma0128/az2aws/issues/184)) ([f6fd008](https://github.com/kuma0128/az2aws/commit/f6fd008a65f7c722b78ae65121e1e20f421dc232))
+* support custom AWS config parent directories ([#172](https://github.com/kuma0128/az2aws/issues/172)) ([19753dd](https://github.com/kuma0128/az2aws/commit/19753dd769f31a72b4e0bdb84acf9638c1cd67f7))
+
 ## [1.6.2](https://github.com/kuma0128/az2aws/compare/v1.6.1...v1.6.2) (2026-04-10)
 
 

package/CONTRIBUTING.md

@@ -90,11 +90,31 @@ pnpm build && node ./lib/index.js
 | `pnpm build` | Build for production |
 | `pnpm test` | Run unit tests |
 | `pnpm test:coverage` | Run unit tests with coverage |
+| `pnpm test:e2e` | Run the live Azure→AWS browser smoke test |
 | `pnpm lint` | Run ESLint and formatting checks |
 | `pnpm eslint` | Run ESLint |
 | `pnpm prettier:check` | Check code formatting |
 | `pnpm prettier:write` | Auto-fix code formatting |
 
+### E2E Smoke Test
+
+`pnpm test:e2e` launches a real Puppeteer/Chrome session, signs in through
+Azure AD, and verifies that az2aws can retrieve AWS credentials via
+`credential_process` without persisting them to the shared credentials file.
+
+Copy `.env.example` to `.env` and fill in the values. See
+[`vitest.e2e.config.ts`](vitest.e2e.config.ts) for the Vitest settings used by
+this suite.
+
+To troubleshoot a failing run, rerun with `AZ2AWS_E2E_MODE=debug` (visible
+browser, auto-fill) or `AZ2AWS_E2E_MODE=gui` (fully manual).
+
+> **Note:** Passkey-first Microsoft accounts are not supported — use a dedicated
+> account with standard username/password/MFA.
+
+CI only runs this test on `push` to `main` and `workflow_dispatch`; PR
+validation does not depend on repository secrets.
+
 ## Development Workflow
 
 1. Create a new branch from `main`:

package/README.md

@@ -5,7 +5,7 @@
 
 # az2aws
 
-Log in to AWS CLI using [Azure Active Directory](https://azure.microsoft.com) SSO. Supports MFA and places temporary credentials in the proper location for AWS CLI and SDKs.
+Log in to AWS CLI using [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/) SSO. Supports MFA and places temporary credentials in the proper location for AWS CLI and SDKs.
 
 > **💡 Tip:** Let's be honest — typing `az2aws` correctly on the first try is harder than the AWS certification exam. Save your sanity:
 >
@@ -18,6 +18,25 @@ Log in to AWS CLI using [Azure Active Directory](https://azure.microsoft.com) SS
 >
 > Your fingers will thank you. Your keyboard will thank you. Your coworkers will stop hearing you swear.
 
+## Contents
+
+- [Installation](#installation)
+  - [mise (Recommended)](#mise-recommended)
+  - [npm](#npm)
+  - [Docker](#docker)
+  - [Snap](#snap)
+- [Command Options](#command-options)
+- [Usage](#usage)
+  - [Configuration](#configuration)
+  - [Logging In](#logging-in)
+- [Automation](#automation)
+  - [Which profiles `--all-profiles` refreshes](#which-profiles---all-profiles-refreshes)
+- [Getting Your Tenant ID and App ID URI](#getting-your-tenant-id-and-app-id-uri)
+- [How It Works](#how-it-works)
+- [Troubleshooting](#troubleshooting)
+- [Support for Other Authentication Providers](#support-for-other-authentication-providers)
+- [Acknowledgements](#acknowledgements)
+
 ## Installation
 
 ### mise (Recommended)
@@ -50,11 +69,11 @@ Install [Node.js](https://nodejs.org/) v24 or higher, then install az2aws:
 
 #### Linux Notes
 
-You must install [puppeteer dependencies](https://github.com/GoogleChrome/puppeteer/blob/master/docs/troubleshooting.md#chrome-headless-doesnt-launch) first.
+You must install [puppeteer dependencies](https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md) first.
 
 **Install for all users:**
 
-    sudo npm install -g az2aws --unsafe-perm
+    sudo npm install -g az2aws
     sudo chmod -R go+rx $(npm root -g)
 
 **Install for current user only:**
@@ -67,15 +86,19 @@ You must install [puppeteer dependencies](https://github.com/GoogleChrome/puppet
 
 #### Windows Notes
 
-If you get a missing Chrome/Chromium error, install the puppeteer dependency manually:
+If you get a missing Chrome/Chromium error, reinstall the Puppeteer browser from the installed `az2aws` package directory:
+
+    node <npm_global_node_modules>\az2aws\node_modules\puppeteer\install.mjs
 
-    node <node_modules_dir>/az2aws/node_modules/puppeteer/install.js
+For an npm global install, replace `<npm_global_node_modules>` with the output of `npm root -g`.
+If you installed az2aws with pnpm or another package manager, locate `puppeteer/install.mjs`
+under the installed `az2aws` package directory and run it with `node`.
 
 ### Docker
 
 Run az2aws with a volume mounted to your AWS configuration directory:
 
-    docker run --rm -it -v ~/.aws:/root/.aws az2aws/az2aws
+    docker run --rm -it -v ~/.aws:/root/.aws taiseiito1000/az2aws
 
 You can also install the docker-launch.sh script to your PATH:
 
@@ -108,10 +131,11 @@ https://snapcraft.io/az2aws
 | `--no-prompt` | Skip prompts, use defaults |
 | `--enable-chrome-network-service` | Enable Network Service (for 3XX redirects) |
 | `--no-verify-ssl` | Disable AWS SSL verification |
-| `--enable-chrome-seamless-sso` | Enable Azure AD Seamless SSO |
+| `--enable-chrome-seamless-sso` | Enable Microsoft Entra Seamless SSO |
 | `--no-disable-extensions` | Keep browser extensions enabled |
 | `--disable-gpu` | Disable GPU acceleration |
 | `--incognito` | Open the login flow in an incognito browser context |
+| `--credential-process` | Output credentials for AWS CLI credential_process |
 | `--version (-v)` | Show version number |
 
 ## Usage
@@ -148,11 +172,34 @@ Enable "Stay logged in" during configuration to use `--no-prompt` without storin
 helps avoid reusing an existing browser session, and it overrides any saved
 "Stay logged in" browser state for that run.
 
+#### AWS CLI credential_process
+
+Configure the profile first so it has the defaults needed for non-interactive
+login, then point AWS CLI at `az2aws`:
+
+    [profile myprofile]
+    credential_process = az2aws --profile myprofile --credential-process
+
+`--credential-process` uses the same non-interactive defaults as `--no-prompt`,
+so make sure the profile already has the role and other required values set.
+Standard output is reserved for the AWS CLI JSON payload, while human-readable
+status messages are written to stderr.
+
+Example stdout payload:
+
+    {
+      "Version": 1,
+      "AccessKeyId": "...",
+      "SecretAccessKey": "...",
+      "SessionToken": "...",
+      "Expiration": "2026-01-01T00:00:00.000Z"
+    }
+
 #### Environment Variables
 
 You can set defaults via environment variables (use with `--no-prompt`):
 
-- `AZURE_TENANT_ID` / `AZURE_APP_ID_URI` - Azure AD settings
+- `AZURE_TENANT_ID` / `AZURE_APP_ID_URI` - Microsoft Entra ID settings
 - `AZURE_DEFAULT_USERNAME` / `AZURE_DEFAULT_PASSWORD` - Credentials
 - `AZURE_DEFAULT_ROLE_ARN` / `AZURE_DEFAULT_DURATION_HOURS` - AWS role settings
 
@@ -192,10 +239,15 @@ Example:
     az2aws                    # Default profile
     az2aws --profile foo      # Named profile
     az2aws --mode gui         # Use browser UI (more reliable)
+    az2aws --mode debug       # Show the browser while az2aws still drives the flow
     az2aws --mode gui --incognito  # Open a fresh incognito login window
 
 You'll be prompted for username, password, and MFA if required. After login, use AWS CLI/SDKs as usual.
 
+`--mode gui` is fully manual and waits for you to complete the browser flow
+yourself. If you want the browser to stay visible while az2aws still auto-fills
+the login steps, use `--mode debug`.
+
 **Tips:**
 - Set `AWS_PROFILE` env var instead of using `--profile`
 - Use `--mode gui --disable-gpu` on VMs or if rendering fails
@@ -217,6 +269,13 @@ If you see device compliance errors (e.g., "Device UnSecured Or Non-Compliant"),
 Try:
  `--mode gui` and use your system Chrome via `BROWSER_CHROME_BIN`.
 
+If your Microsoft account requires a saved passkey prompt before the username
+or password page appears, that flow is unsupported in `az2aws --mode cli`.
+The prompt is rendered by the browser/OS passkey UI instead of the page DOM,
+so az2aws cannot dismiss it automatically. Use `--mode gui` and handle it
+manually, or use an account that can continue with the standard page-based
+username/password/MFA flow.
+
 If you see "Unable to recognize page state!", Azure's login pages may have
 changed. Try:
 
@@ -232,9 +291,25 @@ Renew all profiles at once:
 
 Credentials are only refreshed if expiring within 11 minutes - safe to run as a cron job.
 
+### Which profiles `--all-profiles` refreshes
+
+`--all-profiles` iterates every `[default]` / `[profile <name>]` section in
+`~/.aws/config` that has **at least one `azure_*` key** (e.g.
+`azure_tenant_id`, `azure_app_id_uri`, `azure_default_role_arn`). Sections
+without any `azure_*` key — plain AWS profiles, `[sso-session ...]`,
+`[services ...]` — are skipped.
+
+Profiles that intentionally keep `azure_tenant_id` / `azure_app_id_uri` in
+environment variables (`AZURE_TENANT_ID`, `AZURE_APP_ID_URI`) instead of
+the config file are still refreshed, as long as they have some other
+`azure_*` key on disk. If required values are missing even after the
+env-var merge, az2aws fails loudly with
+`Profile '<name>' is not configured properly.` rather than skipping
+silently.
+
 ## Getting Your Tenant ID and App ID URI
 
-Ask your Azure AD admin for these values, or extract them from myapps.microsoft.com:
+Ask your Microsoft Entra ID admin for these values, or extract them from myapps.microsoft.com:
 
 1. Load the myapps.microsoft.com page.
 2. Click the app tile for the login you want.
@@ -248,7 +323,7 @@ Ask your Azure AD admin for these values, or extract them from myapps.microsoft.
 
 ## How It Works
 
-az2aws uses [Puppeteer](https://github.com/GoogleChrome/puppeteer) to automate a Chromium browser for Azure AD login. It parses the SAML response and calls [AWS STS AssumeRoleWithSAML](http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html) to get temporary credentials.
+az2aws uses [Puppeteer](https://github.com/puppeteer/puppeteer) to automate a Chromium browser for Microsoft Entra ID login. It parses the SAML response and calls [AWS STS AssumeRoleWithSAML](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html) to get temporary credentials.
 
 ## Troubleshooting
 
@@ -260,7 +335,7 @@ If login fails, try these in order:
 
 ## Support for Other Authentication Providers
 
-This tool only supports Azure AD. Contributions for other SAML providers are welcome - open an issue on GitHub to discuss.
+This tool only supports Microsoft Entra ID. Contributions for other SAML providers are welcome - open an issue on GitHub to discuss.
 
 ## Acknowledgements
 

package/lib/awsConfig.js

@@ -9,9 +9,79 @@ const debug_1 = __importDefault(require("debug"));
 const paths_1 = require("./paths");
 const promises_1 = require("node:fs/promises");
 const fs_1 = __importDefault(require("fs"));
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const path_1 = __importDefault(require("path"));
 const util_1 = __importDefault(require("util"));
 const debug = (0, debug_1.default)("az2aws");
 const writeFile = util_1.default.promisify(fs_1.default.writeFile);
+const awsDirMode = 0o700;
+const awsFileMode = 0o600;
+const ignoredChmodErrorCodes = new Set([
+    "EACCES",
+    "EINVAL",
+    "ENOSYS",
+    "ENOTSUP",
+    "EPERM",
+    "EROFS",
+]);
+async function hardenPathPermissions(fsPath, mode) {
+    if (process.platform === "win32") {
+        return;
+    }
+    try {
+        await (0, promises_1.chmod)(fsPath, mode);
+    }
+    catch (error) {
+        const code = error.code;
+        if (typeof code === "string" && ignoredChmodErrorCodes.has(code)) {
+            debug(`Skipping permission hardening due to ${code}`);
+            return;
+        }
+        throw error;
+    }
+}
+async function hardenCreatedDirectories(createdDir, targetDir) {
+    const resolvedCreatedDir = path_1.default.resolve(createdDir);
+    const resolvedTargetDir = path_1.default.resolve(targetDir);
+    const relativeTargetDir = path_1.default.relative(resolvedCreatedDir, resolvedTargetDir);
+    if (relativeTargetDir === ".." ||
+        relativeTargetDir.startsWith(`..${path_1.default.sep}`) ||
+        path_1.default.isAbsolute(relativeTargetDir)) {
+        debug("Skipping permission hardening because the target directory is not within the created directory.");
+        return;
+    }
+    let currentDir = resolvedCreatedDir;
+    await hardenPathPermissions(currentDir, awsDirMode);
+    if (!relativeTargetDir) {
+        return;
+    }
+    for (const segment of relativeTargetDir.split(path_1.default.sep)) {
+        if (!segment || segment === ".") {
+            continue;
+        }
+        currentDir = path_1.default.join(currentDir, segment);
+        await hardenPathPermissions(currentDir, awsDirMode);
+    }
+}
+async function atomicWriteTextFile(targetPath, text) {
+    const targetDir = path_1.default.dirname(targetPath);
+    const tempPath = targetDir === "."
+        ? `.${path_1.default.basename(targetPath)}.${node_crypto_1.default.randomUUID()}.tmp`
+        : path_1.default.join(targetDir, `.${path_1.default.basename(targetPath)}.${node_crypto_1.default.randomUUID()}.tmp`);
+    let shouldCleanupTempPath = false;
+    try {
+        await writeFile(tempPath, text);
+        shouldCleanupTempPath = true;
+        await hardenPathPermissions(tempPath, awsFileMode);
+        await (0, promises_1.rename)(tempPath, targetPath);
+        shouldCleanupTempPath = false;
+    }
+    finally {
+        if (shouldCleanupTempPath) {
+            await (0, promises_1.rm)(tempPath, { force: true }).catch(() => undefined);
+        }
+    }
+}
 // Autorefresh credential time limit in milliseconds
 const refreshLimitInMs = 11 * 60 * 1000;
 exports.awsConfig = {
@@ -70,12 +140,45 @@ exports.awsConfig = {
         debug(`Received profiles: ${profiles.toString()}`);
         return profiles;
     },
+    async getAz2awsProfileNames() {
+        debug(`Getting az2aws-configured profiles from config.`);
+        const config = (await this._loadAsync("config")) || {};
+        const profiles = [];
+        for (const [sectionName, sectionConfig] of Object.entries(config)) {
+            let profileName;
+            if (sectionName === "default") {
+                profileName = "default";
+            }
+            else if (sectionName.startsWith("profile ")) {
+                profileName = sectionName.substring("profile ".length);
+            }
+            else {
+                debug(`Skipping non-profile section '${sectionName}'`);
+                continue;
+            }
+            // Treat a profile as az2aws-managed if it has at least one azure_* key.
+            // Required values (azure_tenant_id / azure_app_id_uri) may still be
+            // supplied by environment variables at runtime, so don't hard-require
+            // them in the config file.
+            const hasAzureKey = sectionConfig &&
+                typeof sectionConfig === "object" &&
+                Object.keys(sectionConfig).some((key) => key.startsWith("azure_"));
+            if (!hasAzureKey) {
+                debug(`Skipping profile '${profileName}' because it has no az2aws (azure_*) keys`);
+                continue;
+            }
+            profiles.push(profileName);
+        }
+        debug(`Received az2aws profiles: ${profiles.toString()}`);
+        return profiles;
+    },
     async _loadAsync(type) {
-        if (!paths_1.paths[type])
+        const targetPath = paths_1.paths[type];
+        if (!targetPath)
             throw new Error(`Unknown config type: '${type}'`);
         return new Promise((resolve, reject) => {
-            debug(`Loading '${type}' file at '${paths_1.paths[type]}'`);
-            fs_1.default.readFile(paths_1.paths[type], "utf8", (err, data) => {
+            debug(`Loading '${type}' file`);
+            fs_1.default.readFile(targetPath, "utf8", (err, data) => {
                 if (err) {
                     if (err.code === "ENOENT") {
                         debug(`File not found. Returning undefined.`);
@@ -86,23 +189,45 @@ exports.awsConfig = {
                     }
                 }
                 debug("Parsing data");
-                // eslint-disable-next-line @typescript-eslint/no-explicit-any
                 const parsedIni = ini_1.default.parse(data);
-                // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
                 return resolve(parsedIni);
             });
         });
     },
     async _saveAsync(type, data) {
-        if (!paths_1.paths[type])
+        const targetPath = paths_1.paths[type];
+        if (!targetPath)
             throw new Error(`Unknown config type: '${type}'`);
         if (!data)
             throw new Error(`You must provide data for saving.`);
         debug(`Stringifying ${type} INI data`);
         const text = ini_1.default.stringify(data);
-        debug(`Creating AWS config directory '${paths_1.paths.awsDir}' if not exists.`);
-        await (0, promises_1.mkdir)(paths_1.paths.awsDir, { recursive: true });
-        debug(`Writing '${type}' INI to file '${paths_1.paths[type]}'`);
-        await writeFile(paths_1.paths[type], text);
+        const targetDir = path_1.default.dirname(targetPath);
+        const isDefaultAwsDir = path_1.default.resolve(targetDir) === path_1.default.resolve(paths_1.paths.awsDir);
+        if (targetDir !== ".") {
+            debug(`Creating target directory for '${type}' if it does not exist.`);
+            const createdDir = await (0, promises_1.mkdir)(targetDir, {
+                recursive: true,
+                mode: awsDirMode,
+            });
+            if (isDefaultAwsDir) {
+                await hardenPathPermissions(targetDir, awsDirMode);
+            }
+            else if (createdDir) {
+                await hardenCreatedDirectories(createdDir, targetDir);
+            }
+            else {
+                debug("Skipping directory permission hardening for existing custom directory.");
+            }
+        }
+        else {
+            debug(`Skipping target directory creation for '${type}' because it uses the current working directory.`);
+        }
+        debug(`Writing '${type}' INI to file atomically`);
+        await atomicWriteTextFile(targetPath, text);
+        // Defensive: atomicWriteTextFile already sets permissions on the temp file
+        // before rename, but we re-apply here in case rename semantics differ across
+        // platforms or file-systems.
+        await hardenPathPermissions(targetPath, awsFileMode);
     },
 };

package/lib/configureProfileAsync.js

@@ -5,8 +5,11 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.configureProfileAsync = configureProfileAsync;
 const inquirer_1 = __importDefault(require("inquirer"));
+const CLIError_1 = require("./CLIError");
 const awsConfig_1 = require("./awsConfig");
+const sessionDuration_1 = require("./sessionDuration");
 async function configureProfileAsync(profileName) {
+    var _a;
     console.log(`Configuring profile '${profileName}'`);
     const profile = await awsConfig_1.awsConfig.getProfileConfigAsync(profileName);
     const questions = [
@@ -54,13 +57,8 @@ async function configureProfileAsync(profileName) {
             type: "input",
             name: "defaultDurationHours",
             message: "Default Session Duration Hours (up to 12):",
-            default: (profile && profile.azure_default_duration_hours) || 1,
-            validate: (input) => {
-                const num = Number(input);
-                if (num > 0 && num <= 12)
-                    return true;
-                return "Duration hours must be between 1 and 12";
-            },
+            default: (_a = (0, sessionDuration_1.parseSessionDurationHours)(profile === null || profile === void 0 ? void 0 : profile.azure_default_duration_hours)) !== null && _a !== void 0 ? _a : 1,
+            validate: sessionDuration_1.validateSessionDurationHours,
         },
         {
             type: "input",
@@ -70,12 +68,16 @@ async function configureProfileAsync(profileName) {
         },
     ];
     const answers = await inquirer_1.default.prompt(questions);
+    const defaultDurationHours = (0, sessionDuration_1.parseSessionDurationHours)(answers.defaultDurationHours);
+    if (defaultDurationHours === null) {
+        throw new CLIError_1.CLIError(sessionDuration_1.sessionDurationHoursValidationMessage);
+    }
     await awsConfig_1.awsConfig.setProfileConfigValuesAsync(profileName, {
         azure_tenant_id: answers.tenantId,
         azure_app_id_uri: answers.appIdUri,
         azure_default_username: answers.username,
         azure_default_role_arn: answers.defaultRoleArn,
-        azure_default_duration_hours: answers.defaultDurationHours,
+        azure_default_duration_hours: String(defaultDurationHours),
         azure_default_remember_me: answers.rememberMe === "true",
         region: answers.region,
     });

package/lib/index.js

@@ -6,7 +6,9 @@ process.on("SIGTERM", () => process.exit(1));
 const commander_1 = require("commander");
 const configureProfileAsync_1 = require("./configureProfileAsync");
 const login_1 = require("./login");
+const sensitiveOutput_1 = require("./sensitiveOutput");
 const updateNotifier_1 = require("./updateNotifier");
+const validateCliOptions_1 = require("./validateCliOptions");
 // eslint-disable-next-line @typescript-eslint/no-require-imports
 const { version } = require("../package.json");
 const program = new commander_1.Command();
@@ -24,6 +26,7 @@ program
     .option("--enable-chrome-seamless-sso", "Enable Chromium's pass-through authentication with Azure Active Directory Seamless Single Sign-On")
     .option("--no-disable-extensions", "Tell Puppeteer not to pass the --disable-extensions flag to Chromium")
     .option("--disable-gpu", "Tell Puppeteer to pass the --disable-gpu flag to Chromium")
+    .option("--credential-process", "Output credentials in JSON format for AWS CLI credential_process")
     .option("--incognito", "Launch Chromium in incognito mode")
     .parse(process.argv);
 const options = program.opts();
@@ -39,6 +42,7 @@ const enableChromeSeamlessSso = !!options.enableChromeSeamlessSso;
 const forceRefresh = !!options.forceRefresh;
 const noDisableExtensions = !options.disableExtensions;
 const disableGpu = !!options.disableGpu;
+const credentialProcess = !!options.credentialProcess;
 const incognito = !!options.incognito;
 // Start the update lookup immediately, but only print after the main flow ends.
 const updateCheckPromise = (0, updateNotifier_1.checkForUpdate)(version, {
@@ -47,6 +51,11 @@ const updateCheckPromise = (0, updateNotifier_1.checkForUpdate)(version, {
 async function runAsync() {
     let exitCode = 0;
     try {
+        (0, validateCliOptions_1.validateCliOptions)({
+            allProfiles: !!options.allProfiles,
+            configure: !!options.configure,
+            credentialProcess,
+        });
         if (options.allProfiles) {
             await login_1.login.loginAll(mode, disableSandbox, noPrompt, enableChromeNetworkService, awsNoVerifySsl, enableChromeSeamlessSso, forceRefresh, noDisableExtensions, disableGpu, incognito);
         }
@@ -54,16 +63,20 @@ async function runAsync() {
             await (0, configureProfileAsync_1.configureProfileAsync)(profileName);
         }
         else {
-            await login_1.login.loginAsync(profileName, mode, disableSandbox, noPrompt, enableChromeNetworkService, awsNoVerifySsl, enableChromeSeamlessSso, noDisableExtensions, disableGpu, incognito);
+            await login_1.login.loginAsync(profileName, mode, disableSandbox, noPrompt, enableChromeNetworkService, awsNoVerifySsl, enableChromeSeamlessSso, noDisableExtensions, disableGpu, incognito, credentialProcess);
         }
     }
     catch (err) {
         if (err instanceof Error && err.name === "CLIError") {
-            console.error(err.message);
+            console.error((0, sensitiveOutput_1.formatCliErrorMessage)(err.message));
             exitCode = 2;
         }
+        else if (err instanceof Error) {
+            console.error((0, sensitiveOutput_1.formatUnexpectedErrorMessage)(err));
+            exitCode = 1;
+        }
         else {
-            console.error(err);
+            console.error((0, sensitiveOutput_1.formatUnexpectedErrorMessage)(err));
             exitCode = 1;
         }
     }