opal-security 2.0.20 → 2.1.1

package/README.md

@@ -22,7 +22,7 @@ $ npm install -g opal-security
 $ opal COMMAND
 running command...
 $ opal (-v|--version|version)
-opal-security/2.0.20 darwin-x64 node-v14.16.1
+opal-security/2.1.1 darwin-x64 node-v14.16.1
 $ opal --help [COMMAND]
 USAGE
   $ opal COMMAND
@@ -45,7 +45,7 @@ USAGE
 * [`opal resources:get`](#opal-resourcesget)
 * [`opal set-custom-header`](#opal-set-custom-header)
 * [`opal set-token`](#opal-set-token)
-* [`opal set-url`](#opal-set-url)
+* [`opal set-url [URL]`](#opal-set-url-url)
 * [`opal ssh:copyFrom`](#opal-sshcopyfrom)
 * [`opal ssh:copyTo`](#opal-sshcopyto)
 * [`opal ssh:start`](#opal-sshstart)
@@ -88,7 +88,7 @@ EXAMPLE
   opal aws:identity
 ```
 
-_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/aws/identity.ts)_
+_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/aws/identity.ts)_
 
 ## `opal curl-example`
 
@@ -102,7 +102,7 @@ OPTIONS
   -h, --help  show CLI help
 ```
 
-_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/curl-example.ts)_
+_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/curl-example.ts)_
 
 ## `opal help [COMMAND]`
 
@@ -131,9 +131,16 @@ USAGE
 
 OPTIONS
   -h, --help                 show CLI help
-  --id=id                    The ID of the Opal role resource.
+
+  -i, --id=id                The Opal ID of the resource. You can find this from the URL, e.g.
+                             https://opal.dev/resources/[ID]
+
+  -r, --refresh              Starts a new session even if one already exists. Useful if a session is about to expire.
+
+  -s, --sessionId=sessionId  The Opal ID of the session to connect to. Uses an existing session that was created via the
+                             web flow.
+
   --profileName=profileName  Uses a custom AWS profile name for the IAM role. Default value is the role's name.
-  --sessionId=sessionId      SessionId of a session that has already been created via the web flow.
 
 EXAMPLES
   opal iam-roles:start
@@ -141,7 +148,7 @@ EXAMPLES
   opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --profileName "custom-profile"
 ```
 
-_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/iam-roles/start.ts)_
+_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/iam-roles/start.ts)_
 
 ## `opal kube-roles:start`
 
@@ -152,10 +159,17 @@ USAGE
   $ opal kube-roles:start
 
 OPTIONS
-  -h, --help                                 show CLI help
-  --accessLevelRemoteId=accessLevelRemoteId  The remote ID of the access level with which to access the cluster.
-  --id=id                                    The ID of the Opal role resource.
-  --sessionId=sessionId                      SessionId of a session that has already been created via the web flow.
+  -a, --accessLevelRemoteId=accessLevelRemoteId  The remote ID of the access level with which to access the resource.
+  -h, --help                                     show CLI help
+
+  -i, --id=id                                    The Opal ID of the resource. You can find this from the URL, e.g.
+                                                 https://opal.dev/resources/[ID]
+
+  -r, --refresh                                  Starts a new session even if one already exists. Useful if a session is
+                                                 about to expire.
+
+  -s, --sessionId=sessionId                      The Opal ID of the session to connect to. Uses an existing session that
+                                                 was created via the web flow.
 
 EXAMPLES
   opal kube-roles:start
@@ -164,7 +178,7 @@ EXAMPLES
   "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"
 ```
 
-_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/kube-roles/start.ts)_
+_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/kube-roles/start.ts)_
 
 ## `opal login`
 
@@ -175,13 +189,14 @@ USAGE
   $ opal login
 
 OPTIONS
-  -h, --help  show CLI help
+  -h, --help     show CLI help
+  --email=email  Email address to login with.
 
 EXAMPLE
   $ opal login
 ```
 
-_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/login.ts)_
+_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/login.ts)_
 
 ## `opal logout`
 
@@ -198,29 +213,42 @@ EXAMPLE
   $ opal logout
 ```
 
-_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/logout.ts)_
+_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/logout.ts)_
 
 ## `opal postgres-instances:start`
 
-Starts a session to query a Postgres database.
+Starts a session to connect to a Postgres database.
 
 ```
 USAGE
   $ opal postgres-instances:start
 
 OPTIONS
-  -h, --help                                 show CLI help
-  --accessLevelRemoteId=accessLevelRemoteId  The remote ID of the access level with which to access the database.
-  --id=id                                    The ID of the Opal instance resource.
-  --sessionId=sessionId                      SessionId of a session that has already been created via the web flow.
+  -a, --accessLevelRemoteId=accessLevelRemoteId  The remote ID of the access level with which to access the resource.
+  -h, --help                                     show CLI help
+
+  -i, --id=id                                    The Opal ID of the resource. You can find this from the URL, e.g.
+                                                 https://opal.dev/resources/[ID]
+
+  -r, --refresh                                  Starts a new session even if one already exists. Useful if a session is
+                                                 about to expire.
+
+  -s, --sessionId=sessionId                      The Opal ID of the session to connect to. Uses an existing session that
+                                                 was created via the web flow.
+
+  --action=open|psql|view                        Method of connecting to the database.
+                                                 - open: Open external database app
+                                                 - psql: Start psql session in shell
+                                                 - view: View connection configuration details
 
 EXAMPLES
   opal postgres-instances:start
   opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398
-  opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "fullaccess"
+  opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess
+  opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess --action view
 ```
 
-_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/postgres-instances/start.ts)_
+_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/postgres-instances/start.ts)_
 
 ## `opal resources:get`
 
@@ -231,14 +259,14 @@ USAGE
   $ opal resources:get
 
 OPTIONS
-  -h, --help  show CLI help
-  --id=id     (required)
+  -h, --help   show CLI help
+  -i, --id=id  The Opal ID of the resource. You can find this from the URL, e.g. https://opal.dev/resources/[ID]
 
 EXAMPLE
   opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/resources/get.ts)_
+_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/resources/get.ts)_
 
 ## `opal set-custom-header`
 
@@ -256,7 +284,7 @@ EXAMPLE
   $ opal set-custom-header --header 'cf-access-token: $TOKEN'
 ```
 
-_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/set-custom-header.ts)_
+_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/set-custom-header.ts)_
 
 ## `opal set-token`
 
@@ -273,31 +301,28 @@ EXAMPLE
   $ opal set-token
 ```
 
-_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/set-token.ts)_
+_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/set-token.ts)_
 
-## `opal set-url`
+## `opal set-url [URL]`
 
 Sets the url of the Opal server. Defaults to https://app.opal.dev.
 
 ```
 USAGE
-  $ opal set-url
+  $ opal set-url [URL]
+
+ARGUMENTS
+  URL  URL of the Opal server to use. If unspecified, defaults to https://app.opal.dev
 
 OPTIONS
   -h, --help              show CLI help
   --allowSelfSignedCerts
-  --custom=custom
-  --demo
-  --dev
-  --devLocal
-  --prod
-  --staging
 
 EXAMPLE
   $ opal set-url
 ```
 
-_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/set-url.ts)_
+_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/set-url.ts)_
 
 ## `opal ssh:copyFrom`
 
@@ -308,23 +333,28 @@ USAGE
   $ opal ssh:copyFrom
 
 OPTIONS
-  -h, --help             show CLI help
-  --dest=dest            [default: .] Pick which directory you want your files to be copied to.
-  --id=id                The ID of the Opal instance resource.
-  --sessionId=sessionId  SessionId of a session that has already been created via the web flow.
+  -h, --help                 show CLI help
+
+  -i, --id=id                The Opal ID of the resource. You can find this from the URL, e.g.
+                             https://opal.dev/resources/[ID]
 
-  --src=src              (required) The path of the directory or file you would like to copy over SCP. Note we only
-                         support one file or directory at a time.
+  -s, --sessionId=sessionId  The Opal ID of the session to connect to. Uses an existing session that was created via the
+                             web flow.
 
-  --user=user            [default: ssm-user] Pick which user you want to run SCP over. Keep in mind not all users will
-                         have access to each other's home directory.
+  --dest=dest                [default: .] The directory you want your files to be copied to.
+
+  --src=src                  (required) The directory or file you would like to copy over SCP. Note we only support one
+                             file or directory at a time.
+
+  --user=user                [default: ssm-user] The user you want to run SCP over. Keep in mind not all users will have
+                             access to each other's home directory.
 
 EXAMPLES
   opal ssh:copyFrom --src instance/dir --dest my/dir
   opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/ssh/copyFrom.ts)_
+_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/ssh/copyFrom.ts)_
 
 ## `opal ssh:copyTo`
 
@@ -335,41 +365,52 @@ USAGE
   $ opal ssh:copyTo
 
 OPTIONS
-  -h, --help             show CLI help
-  --dest=dest            [default: .] Pick which directory you want your files to be copied to.
-  --id=id                The ID of the Opal instance resource.
-  --sessionId=sessionId  SessionId of a session that has already been created via the web flow.
+  -h, --help                 show CLI help
 
-  --src=src              (required) The path of the directory or file you would like to copy over SCP. Note we only
-                         support one file or directory at a time.
+  -i, --id=id                The Opal ID of the resource. You can find this from the URL, e.g.
+                             https://opal.dev/resources/[ID]
 
-  --user=user            [default: ssm-user] Pick which user you want to run SCP over. Keep in mind not all users will
-                         have access to each other's home directory.
+  -s, --sessionId=sessionId  The Opal ID of the session to connect to. Uses an existing session that was created via the
+                             web flow.
+
+  --dest=dest                [default: .] The directory you want your files to be copied to.
+
+  --src=src                  (required) The directory or file you would like to copy over SCP. Note we only support one
+                             file or directory at a time.
+
+  --user=user                [default: ssm-user] The user you want to run SCP over. Keep in mind not all users will have
+                             access to each other's home directory.
 
 EXAMPLES
   opal ssh:copyTo --src my/dir --dest instance/dir
   opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/ssh/copyTo.ts)_
+_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/ssh/copyTo.ts)_
 
 ## `opal ssh:start`
 
-Start an SSH session to access a particular compute instance.
+Starts an SSH session to access a compute instance.
 
 ```
 USAGE
   $ opal ssh:start
 
 OPTIONS
-  -h, --help             show CLI help
-  --id=id                The ID of the Opal instance resource.
-  --sessionId=sessionId  SessionId of a session that has already been created via the web flow.
+  -h, --help                 show CLI help
+
+  -i, --id=id                The Opal ID of the resource. You can find this from the URL, e.g.
+                             https://opal.dev/resources/[ID]
+
+  -r, --refresh              Starts a new session even if one already exists. Useful if a session is about to expire.
+
+  -s, --sessionId=sessionId  The Opal ID of the session to connect to. Uses an existing session that was created via the
+                             web flow.
 
 EXAMPLES
   opal ssh:start
   opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.0.20/src/commands/ssh/start.ts)_
+_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.1.1/src/commands/ssh/start.ts)_
 <!-- commandsstop -->

package/lib/commands/aws/identity.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const command_1 = require("@oclif/command");
 const cmd_1 = require("../../lib/cmd");
+const flags_1 = require("../../lib/flags");
 class Identity extends command_1.Command {
     async run() {
         cmd_1.setMostRecentCommand(this);
@@ -13,5 +14,5 @@ exports.default = Identity;
 Identity.description = 'Gets the current caller identity for the "opal" AWS profile.';
 Identity.examples = ['opal aws:identity'];
 Identity.flags = {
-    help: command_1.flags.help({ char: 'h' }),
+    help: flags_1.SHARED_FLAGS.help,
 };

package/lib/commands/curl-example.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const command_1 = require("@oclif/command");
 const config_1 = require("../lib/config");
 const credentials_1 = require("../lib/credentials");
+const flags_1 = require("../lib/flags");
 class CurlExample extends command_1.Command {
     async run() {
         const accessToken = await credentials_1.cred.accessToken;
@@ -21,5 +22,5 @@ curl -v ${url}/query \\
 exports.default = CurlExample;
 CurlExample.description = 'Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.';
 CurlExample.flags = {
-    help: command_1.flags.help({ char: 'h' }),
+    help: flags_1.SHARED_FLAGS.help,
 };

package/lib/commands/iam-roles/start.d.ts

@@ -6,6 +6,7 @@ export default class StartIAMRoleSession extends Command {
         help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
         id: flags.IOptionFlag<string | undefined>;
         sessionId: flags.IOptionFlag<string | undefined>;
+        refresh: import("@oclif/parser/lib/flags").IBooleanFlag<boolean>;
         profileName: flags.IOptionFlag<string | undefined>;
     };
     run(): Promise<void>;

package/lib/commands/iam-roles/start.js

@@ -4,160 +4,69 @@ const command_1 = require("@oclif/command");
 const handler_1 = require("../../handler");
 const cmd_1 = require("../../lib/cmd");
 const apollo_1 = require("../../lib/apollo");
-const inquirer = require("inquirer");
 const aws_1 = require("../../lib/aws");
 const resources_1 = require("../../lib/resources");
 const get_1 = require("../../commands/resources/get");
-const common_1 = require("../../lib/common");
-const StartIAMRoleSessionDocument = `
-mutation StartIAMRoleSession($id: ResourceId!, $accessLevel: ResourceAccessLevelInput!, $sessionId: SessionId) {
-  createSession(input: {resourceId: $id, accessLevel: $accessLevel, sessionId: $sessionId}) {
-    __typename
-    ... on CreateSessionResult {
-      session {
-        id
-        endTime
-        metadata {
-          ... on AwsIamFederatedRoleSession {
-            awsAccessKeyId
-            awsSecretAccessKey
-            awsSessionToken
-            awsLoginUrl
-            federatedArn
-          }
-        }
-      }
-    }
-    ... on SessionNotFoundError {
-      message
-    }
-    ... on MfaInvalidError {
-      message
-    }
-    ... on OidcIDTokenNotFoundError {
-      message
-    }
-    ... on ResourceNotFoundError {
-      message
-    }
-    ... on EndSystemAuthorizationError {
-      message
-    }
-  }
-}`;
-const ListIamRolesDocument = `
-query ListIAMRoles {
-  resources(input: {resourceTypes: [AWS_IAM_ROLE], onlyMine: true, maxNumEntries: 1000}) {
-    __typename
-    ... on ResourcesResult {
-      resources {
-        name
-        id
-      }
-      cursor
-    }
-  }
+const sessions_1 = require("../../lib/sessions");
+const flags_1 = require("../../lib/flags");
+const IamSessionMetadataFragment = `
+... on AwsIamFederatedRoleSession {
+  awsAccessKeyId
+  awsSecretAccessKey
+  awsSessionToken
+  awsLoginUrl
+  federatedArn
 }`;
 class StartIAMRoleSession extends command_1.Command {
     async run() {
         cmd_1.setMostRecentCommand(this);
         const { flags } = this.parse(StartIAMRoleSession);
+        if (flags.sessionId && flags.refresh) {
+            return apollo_1.handleError(this, 'Cannot use both --sessionId and --refresh');
+        }
         let roleId = flags.id;
         let roleName = null;
         const sessionId = flags.sessionId;
         if (!roleId) {
-            const { resp: iamRolesResp, error } = await handler_1.runQuery({
-                command: this,
-                query: ListIamRolesDocument,
-                variables: {},
-            });
-            if (error) {
-                apollo_1.printRequestOutput(this, iamRolesResp, error);
-                return;
-            }
-            const resourceInfos = iamRolesResp === null || iamRolesResp === void 0 ? void 0 : iamRolesResp.data.resources.resources.map((resource) => {
-                return {
-                    id: resource.id,
-                    name: resource.name,
-                };
-            });
-            const noResourcesFound = resources_1.resourcesAreEmpty(this, resourceInfos);
-            if (noResourcesFound) {
+            const selectedRole = await resources_1.promptUserForResource(this, 'AWS_IAM_ROLE', 'Select an IAM role to assume');
+            if (!selectedRole) {
                 return;
             }
-            const resourceInfoByName = {};
-            resourceInfos.forEach(resourceInfo => {
-                resourceInfoByName[resourceInfo.name] = resourceInfo;
-            });
-            inquirer.registerPrompt('autocomplete', require('inquirer-autocomplete-prompt'));
-            const selectedIamRoleInfo = await inquirer.prompt([
-                {
-                    name: 'role',
-                    message: 'Select an IAM role to assume',
-                    type: 'autocomplete',
-                    source: (answers, input) => cmd_1.filterChoices(input, resourceInfos),
-                },
-            ]);
-            const selectedIamRole = resourceInfoByName[selectedIamRoleInfo.role];
-            if (!selectedIamRole) {
-                return;
-            }
-            roleId = selectedIamRole.id;
-            roleName = selectedIamRole.name;
+            roleId = selectedRole.id;
+            roleName = selectedRole.name;
         }
         else {
-            const { resp: sshInstanceResp, error } = await handler_1.runQuery({
+            const { resp, error } = await handler_1.runQuery({
                 command: this,
                 query: get_1.GetResourceDocument,
                 variables: {
                     id: roleId,
                 },
             });
-            if (error || !(sshInstanceResp === null || sshInstanceResp === void 0 ? void 0 : sshInstanceResp.data.resource.resource)) {
-                apollo_1.printRequestOutput(this, sshInstanceResp, error);
-                return;
+            if (error) {
+                return apollo_1.handleError(this, error, resp);
             }
-            roleName = (sshInstanceResp === null || sshInstanceResp === void 0 ? void 0 : sshInstanceResp.data.resource.resource.name) || 'iam-role';
+            if (!(resp === null || resp === void 0 ? void 0 : resp.data.resource.resource)) {
+                return apollo_1.handleError(this, `Resource not found for ID: ${roleId}`);
+            }
+            roleName = (resp === null || resp === void 0 ? void 0 : resp.data.resource.resource.name) || 'iam-role';
         }
         if (flags.profileName && flags.profileName !== '') {
             roleName = flags.profileName;
         }
-        const { resp, error } = await handler_1.runMutation({
-            command: this,
-            query: StartIAMRoleSessionDocument,
-            variables: {
-                id: roleId,
-                accessLevel: cmd_1.DEFAULT_ACCESS_LEVEL,
-                sessionId: sessionId,
-            },
-        });
-        switch (resp === null || resp === void 0 ? void 0 : resp.data.createSession.__typename) {
-            case 'CreateSessionResult': {
-                const metadata = resp.data.createSession.session.metadata;
-                switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
-                    case 'AwsIamFederatedRoleSession': {
-                        const updateAwsConfigCommand = aws_1.getAwsConfigUpdateCmd(roleName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
-                        const startSessionCmd = `${updateAwsConfigCommand}`;
-                        const awsEnvVarMessage = aws_1.getAwsEnvVarMessage();
-                        cmd_1.runCommandExec(startSessionCmd, `Now set to use ${roleName ? `"${roleName}" role` : 'role'}.${awsEnvVarMessage}`, `Failed to use ${roleName ? `"${roleName}" role` : 'role'}.`);
-                        this.log();
-                        break;
-                    }
-                    default:
-                        apollo_1.printRequestOutput(this, resp, error);
-                }
-                break;
-            }
-            case 'MfaInvalidError': {
-                common_1.handleMfaRedirect(this, roleId);
-                break;
-            }
-            case 'OidcIDTokenNotFoundError': {
-                common_1.handleOidcRedirect(this, roleId);
+        const session = await sessions_1.getOrCreateSession(this, roleId, resources_1.DEFAULT_ACCESS_LEVEL, sessionId, IamSessionMetadataFragment, flags.refresh);
+        const metadata = session.metadata;
+        switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
+            case 'AwsIamFederatedRoleSession': {
+                const updateAwsConfigCommand = aws_1.getAwsConfigUpdateCmd(roleName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
+                const startSessionCmd = `${updateAwsConfigCommand}`;
+                const roleText = roleName ? `"${roleName}" role` : 'role';
+                const expirationMessage = sessions_1.getSessionExpirationMessage(session);
+                cmd_1.runCommandExec(startSessionCmd, `Now set to use ${roleText}. (session expires in ${expirationMessage})${aws_1.getAwsEnvVarMessage()}`, `Failed to use ${roleText}.`);
                 break;
             }
             default:
-                apollo_1.printRequestOutput(this, resp, error);
+                return apollo_1.handleError(this, undefined, session);
         }
     }
 }
@@ -169,17 +78,12 @@ StartIAMRoleSession.examples = [
     'opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --profileName "custom-profile"',
 ];
 StartIAMRoleSession.flags = {
-    help: command_1.flags.help({ char: 'h' }),
-    id: command_1.flags.string({
-        multiple: false,
-        description: 'The ID of the Opal role resource.',
-    }),
-    sessionId: command_1.flags.string({
-        multiple: false,
-        description: 'SessionId of a session that has already been created via the web flow.',
-    }),
+    help: flags_1.SHARED_FLAGS.help,
+    id: flags_1.SHARED_FLAGS.id,
+    sessionId: flags_1.SHARED_FLAGS.sessionId,
+    refresh: flags_1.SHARED_FLAGS.refresh,
     profileName: command_1.flags.string({
         multiple: false,
-        description: "Uses a custom AWS profile name for the IAM role. Default value is the role's name.",
+        description: 'Uses a custom AWS profile name for the IAM role. Default value is the role\'s name.',
     }),
 };

package/lib/commands/kube-roles/start.d.ts

@@ -1,12 +1,13 @@
-import { Command, flags } from '@oclif/command';
+import { Command } from '@oclif/command';
 export default class StartKubeIAMRoleSession extends Command {
     static description: string;
     static examples: string[];
     static flags: {
         help: import("@oclif/parser/lib/flags").IBooleanFlag<void>;
-        id: flags.IOptionFlag<string | undefined>;
-        accessLevelRemoteId: flags.IOptionFlag<string | undefined>;
-        sessionId: flags.IOptionFlag<string | undefined>;
+        id: import("@oclif/command/lib/flags").IOptionFlag<string | undefined>;
+        accessLevelRemoteId: import("@oclif/command/lib/flags").IOptionFlag<string | undefined>;
+        sessionId: import("@oclif/command/lib/flags").IOptionFlag<string | undefined>;
+        refresh: import("@oclif/parser/lib/flags").IBooleanFlag<boolean>;
     };
     run(): Promise<void>;
 }