az2aws 1.8.1 → 1.9.1

package/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## [1.9.1](https://github.com/kuma0128/az2aws/compare/v1.9.0...v1.9.1) (2026-06-16)
+
+
+### Bug Fixes
+
+* **deps:** bump commander from 14.0.3 to 15.0.0 ([f07f11b](https://github.com/kuma0128/az2aws/commit/f07f11b82cdfffb9b990c8058f4b2a01e3bcf35b))
+
+## [1.9.0](https://github.com/kuma0128/az2aws/compare/v1.8.1...v1.9.0) (2026-05-21)
+
+
+### Features
+
+* Enable Stay logged in by default ([#222](https://github.com/kuma0128/az2aws/issues/222)) ([7c027dc](https://github.com/kuma0128/az2aws/commit/7c027dcad1b5d40b35e74e39844d2157137468e8))
+* suggest gui mode when cli login stalls ([#215](https://github.com/kuma0128/az2aws/issues/215)) ([f4a5850](https://github.com/kuma0128/az2aws/commit/f4a58504b0802d39781abf2352f70a81248ac08e))
+* support azaws-compatible profiles ([#214](https://github.com/kuma0128/az2aws/issues/214)) ([20f1ecb](https://github.com/kuma0128/az2aws/commit/20f1ecbb0926f24bb6bba166b97eb10b39d91c95))
+
 ## [1.8.1](https://github.com/kuma0128/az2aws/compare/v1.8.0...v1.8.1) (2026-05-07)
 
 

package/README.md

@@ -120,23 +120,23 @@ https://snapcraft.io/az2aws
 
 ## Command Options
 
-| Option | Description |
-|--------|-------------|
-| `--profile (-p)` | Profile name to use. Default: `default` or `AWS_PROFILE` |
-| `--all-profiles (-a)` | Run for all configured profiles |
-| `--force-refresh (-f)` | Force refresh even if credentials are valid |
-| `--configure (-c)` | Configure the profile |
-| `--mode (-m) <mode>` | `cli` (default), `gui`, or `debug` |
-| `--no-sandbox` | Disable Puppeteer sandbox (needed on Linux) |
-| `--no-prompt` | Skip prompts, use defaults |
-| `--enable-chrome-network-service` | Enable Network Service (for 3XX redirects) |
-| `--no-verify-ssl` | Disable AWS SSL verification |
-| `--enable-chrome-seamless-sso` | Enable Microsoft Entra Seamless SSO |
-| `--no-disable-extensions` | Keep browser extensions enabled |
-| `--disable-gpu` | Disable GPU acceleration |
-| `--incognito` | Open the login flow in an incognito browser context |
-| `--credential-process` | Output credentials for AWS CLI credential_process |
-| `--version (-v)` | Show version number |
+| Option                            | Description                                              |
+| --------------------------------- | -------------------------------------------------------- |
+| `--profile (-p)`                  | Profile name to use. Default: `default` or `AWS_PROFILE` |
+| `--all-profiles (-a)`             | Run for all configured profiles                          |
+| `--force-refresh (-f)`            | Force refresh even if credentials are valid              |
+| `--configure (-c)`                | Configure the profile                                    |
+| `--mode (-m) <mode>`              | `cli` (default), `gui`, or `debug`                       |
+| `--no-sandbox`                    | Disable Puppeteer sandbox (needed on Linux)              |
+| `--no-prompt`                     | Skip prompts, use defaults                               |
+| `--enable-chrome-network-service` | Enable Network Service (for 3XX redirects)               |
+| `--no-verify-ssl`                 | Disable AWS SSL verification                             |
+| `--enable-chrome-seamless-sso`    | Enable Microsoft Entra Seamless SSO                      |
+| `--no-disable-extensions`         | Keep browser extensions enabled                          |
+| `--disable-gpu`                   | Disable GPU acceleration                                 |
+| `--incognito`                     | Open the login flow in an incognito browser context      |
+| `--credential-process`            | Output credentials for AWS CLI credential_process        |
+| `--version (-v)`                  | Show version number                                      |
 
 ## Usage
 
@@ -163,7 +163,8 @@ standard partition.
 
 #### Stay Logged In
 
-Enable "Stay logged in" during configuration to use `--no-prompt` without storing passwords:
+New profiles enable "Stay logged in" by default during configuration. This lets
+`az2aws` refresh AWS credentials with `--no-prompt` without storing passwords:
 
     az2aws --no-prompt
     az2aws --profile foo --no-prompt
@@ -195,13 +196,39 @@ Example stdout payload:
       "Expiration": "2026-01-01T00:00:00.000Z"
     }
 
+#### azaws compatibility
+
+az2aws can reuse AWS CLI profiles created by the `azaws` OSS tool, such as
+[`frontchug/azaws`](https://github.com/frontchug/azaws):
+
+    [profile azaws-prod]
+    azure_tenant_id = 00000000-0000-0000-0000-000000000000
+    azure_app_id = `https://signin.aws.amazon.com/saml#example-prod`
+    azure_duration_hours = 12
+    region = ap-northeast-1
+
+    az2aws --profile azaws-prod
+
+For azaws compatibility, az2aws accepts `azure_app_id` as an alias for
+`azure_app_id_uri` and `azure_duration_hours` as an alias for
+`azure_default_duration_hours`.
+
+If the profile can return multiple SAML roles, add `azure_default_role_arn` to
+make non-interactive runs deterministic:
+
+    [profile azaws-prod]
+    azure_tenant_id = 00000000-0000-0000-0000-000000000000
+    azure_app_id = https://signin.aws.amazon.com/saml#example-prod
+    azure_default_role_arn = arn:aws:iam::123456789012:role/Az2awsSourceRole
+    azure_duration_hours = 12
+
 #### Environment Variables
 
 You can set defaults via environment variables (use with `--no-prompt`):
 
-- `AZURE_TENANT_ID` / `AZURE_APP_ID_URI` - Microsoft Entra ID settings
+- `AZURE_TENANT_ID` / `AZURE_APP_ID_URI` (`AZURE_APP_ID` alias) - Microsoft Entra ID settings
 - `AZURE_DEFAULT_USERNAME` / `AZURE_DEFAULT_PASSWORD` - Credentials
-- `AZURE_DEFAULT_ROLE_ARN` / `AZURE_DEFAULT_DURATION_HOURS` - AWS role settings
+- `AZURE_DEFAULT_ROLE_ARN` / `AZURE_DEFAULT_DURATION_HOURS` (`AZURE_DURATION_HOURS` alias) - AWS role settings
 
 When using `--no-prompt` with multiple available roles, you must set
 `AZURE_DEFAULT_ROLE_ARN` (or configure `azure_default_role_arn`) so the CLI can
@@ -249,6 +276,7 @@ yourself. If you want the browser to stay visible while az2aws still auto-fills
 the login steps, use `--mode debug`.
 
 **Tips:**
+
 - Set `AWS_PROFILE` env var instead of using `--profile`
 - Use `--mode gui --disable-gpu` on VMs or if rendering fails
 - Set `https_proxy` or `http_proxy` env var for corporate proxy
@@ -267,7 +295,7 @@ incompatibility manually (e.g., update az2aws, or use a different
 
 If you see device compliance errors (e.g., "Device UnSecured Or Non-Compliant"),
 Try:
- `--mode gui` and use your system Chrome via `BROWSER_CHROME_BIN`.
+`--mode gui` and use your system Chrome via `BROWSER_CHROME_BIN`.
 
 If your Microsoft account requires a saved passkey prompt before the username
 or password page appears, that flow is unsupported in `az2aws --mode cli`.

package/lib/configureProfileAsync.js

@@ -25,7 +25,7 @@ async function configureProfileAsync(profileName) {
             name: "appIdUri",
             message: "Azure App ID URI:",
             validate: (input) => input.trim().length > 0,
-            default: profile && profile.azure_app_id_uri,
+            default: profile && (profile.azure_app_id_uri || profile.azure_app_id),
         },
         {
             type: "input",
@@ -37,10 +37,9 @@ async function configureProfileAsync(profileName) {
             type: "input",
             name: "rememberMe",
             message: "Stay logged in: skip authentication while refreshing aws credentials (true|false)",
-            default: (profile &&
-                profile.azure_default_remember_me &&
-                profile.azure_default_remember_me.toString()) ||
-                "false",
+            default: (profile === null || profile === void 0 ? void 0 : profile.azure_default_remember_me) === undefined
+                ? "true"
+                : profile.azure_default_remember_me.toString(),
             validate: (input) => {
                 if (input === "true" || input === "false")
                     return true;

package/lib/login.js

@@ -26,6 +26,7 @@ const debug = (0, debug_1.default)("az2aws");
 const WIDTH = 425;
 const HEIGHT = 550;
 const DELAY_ON_UNRECOGNIZED_PAGE = 1000;
+const GUI_FALLBACK_HINT_DELAY = 15 * 1000;
 const MAX_UNRECOGNIZED_PAGE_DELAY = 30 * 1000;
 // source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start#google-chrome-all-platforms
 const AZURE_AD_SSO = "autologon.microsoftazuread-sso.com";
@@ -52,6 +53,9 @@ function handleBackgroundPromise(promise, description) {
         debug(`${description}: ${message}`);
     });
 }
+function printGuiFallbackHint() {
+    console.log("Login is taking longer than expected. If a browser prompt such as certificate selection is waiting for input, stop this run and retry with --mode=gui.");
+}
 exports.login = {
     async _createHttpsProxyAgentAsync(proxyUrl, proxyOptions) {
         const { HttpsProxyAgent } = await importHttpsProxyAgent();
@@ -137,10 +141,12 @@ exports.login = {
         const options = [
             "azure_tenant_id",
             "azure_app_id_uri",
+            "azure_app_id",
             "azure_default_username",
             "azure_default_password",
             "azure_default_role_arn",
             "azure_default_duration_hours",
+            "azure_duration_hours",
         ];
         for (let i = 0; i < options.length; i++) {
             const opt = options[i];
@@ -170,17 +176,60 @@ exports.login = {
         }
         return `${match[1]}${REDACTED}:${match[2]}${REDACTED}`;
     },
+    _getProfileStringValue(profile, key) {
+        const value = profile[key];
+        if (typeof value !== "string") {
+            return "";
+        }
+        const trimmedValue = value.trim();
+        if (trimmedValue.length < 2) {
+            return trimmedValue;
+        }
+        const firstChar = trimmedValue[0];
+        const lastChar = trimmedValue[trimmedValue.length - 1];
+        const quotePairs = {
+            '"': '"',
+            "'": "'",
+            "`": "`",
+        };
+        const unquotedValue = quotePairs[firstChar] === lastChar
+            ? trimmedValue.slice(1, -1).trim()
+            : trimmedValue;
+        return unquotedValue.replace(/\\#/g, "#");
+    },
+    _normalizeProfileAliases(profile) {
+        const normalizedProfile = { ...profile };
+        const appIdUri = this._getProfileStringValue(normalizedProfile, "azure_app_id_uri");
+        const appId = this._getProfileStringValue(normalizedProfile, "azure_app_id");
+        if (appIdUri) {
+            normalizedProfile.azure_app_id_uri = appIdUri;
+        }
+        else if (appId) {
+            normalizedProfile.azure_app_id_uri = appId;
+        }
+        const defaultDurationHours = this._getProfileStringValue(normalizedProfile, "azure_default_duration_hours");
+        const durationHours = this._getProfileStringValue(normalizedProfile, "azure_duration_hours");
+        if (defaultDurationHours) {
+            normalizedProfile.azure_default_duration_hours = defaultDurationHours;
+        }
+        else if (durationHours) {
+            normalizedProfile.azure_default_duration_hours = durationHours;
+        }
+        return normalizedProfile;
+    },
     // Load the profile
     async _loadProfileAsync(profileName) {
-        const profile = await awsConfig_1.awsConfig.getProfileConfigAsync(profileName);
-        if (!profile)
+        const rawProfile = await awsConfig_1.awsConfig.getProfileConfigAsync(profileName);
+        if (!rawProfile)
             throw new CLIError_1.CLIError(`Unknown profile '${profileName}'. You must configure it first with --configure.`);
+        let profile = this._normalizeProfileAliases(rawProfile);
         const env = this._loadProfileFromEnv();
         for (const prop in env) {
             if (env[prop]) {
                 profile[prop] = env[prop] === null ? profile[prop] : env[prop];
             }
         }
+        profile = this._normalizeProfileAliases(profile);
         if (!profile.azure_tenant_id || !profile.azure_app_id_uri)
             throw new CLIError_1.CLIError(`Profile '${profileName}' is not configured properly.`);
         console.log(`Logging in with profile '${profileName}'...`);
@@ -380,9 +429,17 @@ exports.login = {
             }
             if (cliProxy) {
                 let totalUnrecognizedDelay = 0;
+                let passwordSubmittedAt;
+                let hasPrintedGuiFallbackHint = false;
                 for (;;) {
                     if (samlResponseData)
                         break;
+                    if (passwordSubmittedAt !== undefined &&
+                        !hasPrintedGuiFallbackHint &&
+                        Date.now() - passwordSubmittedAt > GUI_FALLBACK_HINT_DELAY) {
+                        printGuiFallbackHint();
+                        hasPrintedGuiFallbackHint = true;
+                    }
                     let foundState = false;
                     for (let i = 0; i < loginStates_1.states.length; i++) {
                         const state = loginStates_1.states[i];
@@ -406,6 +463,9 @@ exports.login = {
                                 state.handler(page, selected, noPrompt, defaultUsername, defaultPassword, useRememberMe, allowSensitiveStateOutput),
                             ]);
                             debug(`Finished state: ${state.name}`);
+                            if (state.name === "password input") {
+                                passwordSubmittedAt = Date.now();
+                            }
                             break;
                         }
                     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "az2aws",
-  "version": "1.8.1",
+  "version": "1.9.1",
   "description": "Use Azure AD SSO to log into the AWS CLI. A modern, actively maintained alternative to aws-azure-login.",
   "main": "lib/index.js",
   "author": {
@@ -69,12 +69,12 @@
     "@aws-sdk/client-sts": "^3.1009.0",
     "@smithy/node-http-handler": "^4.4.16",
     "cheerio": "^1.2.0",
-    "commander": "^14.0.3",
+    "commander": "^15.0.0",
     "debug": "^4.4.3",
     "https-proxy-agent": "^9.0.0",
     "ini": "^6.0.0",
-    "inquirer": "^13.4.0",
-    "puppeteer": "^24.39.1"
+    "inquirer": "^14.0.1",
+    "puppeteer": "^25.1.0"
   },
   "devDependencies": {
     "@types/debug": "^4.1.12",