opal-security 2.3.4 → 3.0.1-beta.4262451

package/README.md

@@ -22,7 +22,7 @@ $ npm install -g opal-security
 $ opal COMMAND
 running command...
 $ opal (--version)
-opal-security/2.3.4 darwin-arm64 node-v18.19.0
+opal-security/3.0.1-beta.4262451 linux-x64 node-v20.19.0
 $ opal --help [COMMAND]
 USAGE
   $ opal COMMAND
@@ -35,15 +35,16 @@ USAGE
 <!-- commands -->
 * [`opal autocomplete [SHELL]`](#opal-autocomplete-shell)
 * [`opal aws:identity`](#opal-awsidentity)
+* [`opal clear-auth-provider`](#opal-clear-auth-provider)
 * [`opal curl-example`](#opal-curl-example)
 * [`opal help [COMMANDS]`](#opal-help-commands)
 * [`opal iam-roles:start`](#opal-iam-rolesstart)
 * [`opal kube-roles:start`](#opal-kube-rolesstart)
 * [`opal login`](#opal-login)
 * [`opal logout`](#opal-logout)
-* [`opal migrate-creds`](#opal-migrate-creds)
 * [`opal postgres-instances:start`](#opal-postgres-instancesstart)
 * [`opal resources:get`](#opal-resourcesget)
+* [`opal set-auth-provider`](#opal-set-auth-provider)
 * [`opal set-custom-header`](#opal-set-custom-header)
 * [`opal set-token`](#opal-set-token)
 * [`opal set-url [URL]`](#opal-set-url-url)
@@ -99,7 +100,27 @@ EXAMPLES
   $ opal aws:identity
 ```
 
-_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/aws/identity.ts)_
+_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/aws/identity.ts)_
+
+## `opal clear-auth-provider`
+
+Clears the custom Issuer URL and Client ID set by set-airgap-auth, returning to the default.
+
+```
+USAGE
+  $ opal clear-auth-provider [-h]
+
+FLAGS
+  -h, --help  Show CLI help.
+
+DESCRIPTION
+  Clears the custom Issuer URL and Client ID set by set-airgap-auth, returning to the default.
+
+EXAMPLES
+  $ opal clear-auth-provider
+```
+
+_See code: [src/commands/clear-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/clear-auth-provider.ts)_
 
 ## `opal curl-example`
 
@@ -116,7 +137,7 @@ DESCRIPTION
   Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.
 ```
 
-_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/curl-example.ts)_
+_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/curl-example.ts)_
 
 ## `opal help [COMMANDS]`
 
@@ -124,10 +145,10 @@ Display help for opal.
 
 ```
 USAGE
-  $ opal help [COMMANDS] [-n]
+  $ opal help [COMMANDS...] [-n]
 
 ARGUMENTS
-  COMMANDS  Command to show help for.
+  COMMANDS...  Command to show help for.
 
 FLAGS
   -n, --nested-commands  Include all nested commands in the output.
@@ -166,7 +187,7 @@ EXAMPLES
   $ opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --profileName "custom-profile"
 ```
 
-_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/iam-roles/start.ts)_
+_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/iam-roles/start.ts)_
 
 ## `opal kube-roles:start`
 
@@ -197,7 +218,7 @@ EXAMPLES
   $ opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"
 ```
 
-_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/kube-roles/start.ts)_
+_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/kube-roles/start.ts)_
 
 ## `opal login`
 
@@ -218,7 +239,7 @@ EXAMPLES
   $ opal login
 ```
 
-_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/login.ts)_
+_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/login.ts)_
 
 ## `opal logout`
 
@@ -238,24 +259,7 @@ EXAMPLES
   $ opal logout
 ```
 
-_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/logout.ts)_
-
-## `opal migrate-creds`
-
-Migrates credentials from old keystore to new store. Should only need to be run once
-
-```
-USAGE
-  $ opal migrate-creds [-h]
-
-FLAGS
-  -h, --help  Show CLI help.
-
-DESCRIPTION
-  Migrates credentials from old keystore to new store. Should only need to be run once
-```
-
-_See code: [src/commands/migrate-creds.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/migrate-creds.ts)_
+_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/logout.ts)_
 
 ## `opal postgres-instances:start`
 
@@ -263,7 +267,7 @@ Starts a session to connect to a Postgres database.
 
 ```
 USAGE
-  $ opal postgres-instances:start [-h] [-i <value>] [-a <value>] [-s <value>] [-r] [--action open|psql|view]
+  $ opal postgres-instances:start [-h] [-i <value>] [-a <value>] [-s <value>] [-r] [--action psql|view]
 
 FLAGS
   -a, --accessLevelRemoteId=<value>  The remote ID of the access level with which to access the resource.
@@ -275,10 +279,9 @@ FLAGS
   -s, --sessionId=<value>            The Opal ID of the session to connect to. Uses an existing session that was created
                                      via the web flow.
       --action=<option>              Method of connecting to the database.
-                                     - open: Open external database app
                                      - psql: Start psql session in shell
                                      - view: View connection configuration details
-                                     <options: open|psql|view>
+                                     <options: psql|view>
 
 DESCRIPTION
   Starts a session to connect to a Postgres database.
@@ -293,7 +296,7 @@ EXAMPLES
   $ opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess --action view
 ```
 
-_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/postgres-instances/start.ts)_
+_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/postgres-instances/start.ts)_
 
 ## `opal resources:get`
 
@@ -314,7 +317,33 @@ EXAMPLES
   $ opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/resources/get.ts)_
+_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/resources/get.ts)_
+
+## `opal set-auth-provider`
+
+Sets the Issuer URL and Client ID of the Auth Provider that the CLI will authenticate with.
+
+```
+USAGE
+  $ opal set-auth-provider --clientID <value> --issuerUrl <value> [-h]
+
+FLAGS
+  -h, --help               Show CLI help.
+      --clientID=<value>   (required) Client ID of your Auth Provider
+      --issuerUrl=<value>  (required) Issuer URL of your Auth Provider
+
+DESCRIPTION
+  Sets the Issuer URL and Client ID of the Auth Provider that the CLI will authenticate with.
+  Only use this if you are running a self-hosted, air-gapped instance of Opal that uses a custom Auth Provider.
+
+  Note - you will need an OIDC provider that supports the device_code grant.
+
+
+EXAMPLES
+  $ opal set-auth-provider --clientID 1234asdf --issuerUrl https://auth.example.com
+```
+
+_See code: [src/commands/set-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/set-auth-provider.ts)_
 
 ## `opal set-custom-header`
 
@@ -335,7 +364,7 @@ EXAMPLES
   $ opal set-custom-header --header 'cf-access-token: $TOKEN'
 ```
 
-_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/set-custom-header.ts)_
+_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/set-custom-header.ts)_
 
 ## `opal set-token`
 
@@ -355,7 +384,7 @@ EXAMPLES
   $ opal set-token
 ```
 
-_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/set-token.ts)_
+_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/set-token.ts)_
 
 ## `opal set-url [URL]`
 
@@ -379,7 +408,7 @@ EXAMPLES
   $ opal set-url
 ```
 
-_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/set-url.ts)_
+_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/set-url.ts)_
 
 ## `opal ssh:copyFrom`
 
@@ -410,7 +439,7 @@ EXAMPLES
   $ opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/ssh/copyFrom.ts)_
+_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/ssh/copyFrom.ts)_
 
 ## `opal ssh:copyTo`
 
@@ -441,7 +470,7 @@ EXAMPLES
   $ opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/ssh/copyTo.ts)_
+_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/ssh/copyTo.ts)_
 
 ## `opal ssh:start`
 
@@ -468,7 +497,7 @@ EXAMPLES
   $ opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v2.3.4/src/commands/ssh/start.ts)_
+_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.0.1-beta.4262451/src/commands/ssh/start.ts)_
 
 ## `opal version`
 

package/lib/commands/aws/identity.d.ts

@@ -1,4 +1,4 @@
-import { Command } from '@oclif/core';
+import { Command } from "@oclif/core";
 export default class Identity extends Command {
     static description: string;
     static examples: string[];

package/lib/commands/aws/identity.js

@@ -6,12 +6,12 @@ const flags_1 = require("../../lib/flags");
 class Identity extends core_1.Command {
     async run() {
         (0, cmd_1.setMostRecentCommand)(this);
-        const currentCallerIdentityCmd = 'aws sts get-caller-identity --profile opal';
+        const currentCallerIdentityCmd = "aws sts get-caller-identity --profile opal";
         (0, cmd_1.runCommandExec)(currentCallerIdentityCmd, 'This is the current caller identity for the "opal" AWS profile.', 'Failed to get the current caller identity for the "opal" AWS profile.');
     }
 }
 Identity.description = 'Gets the current caller identity for the "opal" AWS profile.';
-Identity.examples = ['opal aws:identity'];
+Identity.examples = ["opal aws:identity"];
 Identity.flags = {
     help: flags_1.SHARED_FLAGS.help,
 };

package/lib/commands/{migrate-creds.d.ts → clear-auth-provider.d.ts}

@@ -1,6 +1,7 @@
-import { Command } from '@oclif/core';
-export default class MigrateCreds extends Command {
+import { Command } from "@oclif/core";
+export default class ClearAuthProvider extends Command {
     static description: string;
+    static examples: string[];
     static flags: {
         help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
     };

package/lib/commands/clear-auth-provider.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const core_1 = require("@oclif/core");
+const config_1 = require("../lib/config");
+const credentials_1 = require("../lib/credentials");
+const flags_1 = require("../lib/flags");
+class ClearAuthProvider extends core_1.Command {
+    async run() {
+        try {
+            const { flags, args } = await this.parse(ClearAuthProvider);
+            const configData = (0, config_1.getOrCreateConfigData)(this.config.configDir);
+            configData.issuerURL = null;
+            configData.clientID = null;
+            (0, config_1.writeConfigData)(this.config.configDir, configData);
+            await (0, credentials_1.removeOpalCredentials)(this);
+            this.log("Client ID and Issuer URL reset to defaults");
+        }
+        catch (error) {
+            this.error(error);
+        }
+    }
+}
+ClearAuthProvider.description = "Clears the custom Issuer URL and Client ID set by set-airgap-auth, returning to the default.";
+ClearAuthProvider.examples = ["$ opal clear-auth-provider"];
+ClearAuthProvider.flags = {
+    help: flags_1.SHARED_FLAGS.help,
+};
+exports.default = ClearAuthProvider;

package/lib/commands/curl-example.d.ts

@@ -1,4 +1,4 @@
-import { Command } from '@oclif/core';
+import { Command } from "@oclif/core";
 export default class CurlExample extends Command {
     static description: string;
     static flags: {

package/lib/commands/curl-example.js

@@ -7,20 +7,27 @@ const flags_1 = require("../lib/flags");
 class CurlExample extends core_1.Command {
     async run() {
         const opalCreds = await (0, credentials_1.getOpalCredentials)(this);
-        const accessToken = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.accessToken;
+        const secret = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.secret;
         const organizationID = opalCreds === null || opalCreds === void 0 ? void 0 : opalCreds.organizationID;
         const configData = (0, config_1.getOrCreateConfigData)(this.config.configDir);
         const url = configData[config_1.urlKey];
+        let authStr = "";
+        if (opalCreds.secretType === credentials_1.SecretType.ApiToken) {
+            authStr = `Authorization: Bearer ${secret}`;
+        }
+        else {
+            authStr = `Cookie: ${secret}`;
+        }
         this.log(`
 curl -v ${url}/query \\
   --data-binary '{"query":"query ListSSHSessions {resources(input: {serviceType: SSH, onlyMine: true}) {... on ResourcesResult { resources { name } } } }"}' \\
   --header "Content-Type: application/json" \\
-  --header "Authorization: Bearer ${accessToken}" \\
+  --header "${authStr}" \\
   --header "X-Opal-Organization-ID: ${organizationID}"
 `);
     }
 }
-CurlExample.description = 'Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.';
+CurlExample.description = "Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.";
 CurlExample.flags = {
     help: flags_1.SHARED_FLAGS.help,
 };

package/lib/commands/iam-roles/start.d.ts

@@ -1,4 +1,4 @@
-import { Command } from '@oclif/core';
+import { Command } from "@oclif/core";
 export default class StartIAMRoleSession extends Command {
     static description: string;
     static examples: string[];

package/lib/commands/iam-roles/start.js

@@ -1,14 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 const core_1 = require("@oclif/core");
+const get_1 = require("../../commands/resources/get");
 const handler_1 = require("../../handler");
-const cmd_1 = require("../../lib/cmd");
 const apollo_1 = require("../../lib/apollo");
 const aws_1 = require("../../lib/aws");
+const cmd_1 = require("../../lib/cmd");
+const flags_1 = require("../../lib/flags");
 const resources_1 = require("../../lib/resources");
-const get_1 = require("../../commands/resources/get");
 const sessions_1 = require("../../lib/sessions");
-const flags_1 = require("../../lib/flags");
 const IamSessionMetadataFragment = `
 ... on AwsIamFederatedRoleSession {
   awsAccessKeyId
@@ -22,13 +22,13 @@ class StartIAMRoleSession extends core_1.Command {
         (0, cmd_1.setMostRecentCommand)(this);
         const { flags } = await this.parse(StartIAMRoleSession);
         if (flags.sessionId && flags.refresh) {
-            return (0, apollo_1.handleError)(this, 'Cannot use both --sessionId and --refresh');
+            return (0, apollo_1.handleError)(this, "Cannot use both --sessionId and --refresh");
         }
         let roleId = flags.id;
         let roleName = null;
         const sessionId = flags.sessionId;
         if (!roleId) {
-            const selectedRole = await (0, resources_1.promptUserForResource)(this, 'AWS_IAM_ROLE', 'Select an IAM role to assume');
+            const selectedRole = await (0, resources_1.promptUserForResource)(this, "AWS_IAM_ROLE", "Select an IAM role to assume");
             if (!selectedRole) {
                 return;
             }
@@ -36,7 +36,7 @@ class StartIAMRoleSession extends core_1.Command {
             roleName = selectedRole.name;
         }
         else {
-            const { resp, error } = await (0, handler_1.runQuery)({
+            const { resp, error } = await (0, handler_1.runQueryDeprecated)({
                 command: this,
                 query: get_1.GetResourceDocument,
                 variables: {
@@ -49,9 +49,9 @@ class StartIAMRoleSession extends core_1.Command {
             if (!(resp === null || resp === void 0 ? void 0 : resp.data.resource.resource)) {
                 return (0, apollo_1.handleError)(this, `Resource not found for ID: ${roleId}`);
             }
-            roleName = (resp === null || resp === void 0 ? void 0 : resp.data.resource.resource.name) || 'iam-role';
+            roleName = (resp === null || resp === void 0 ? void 0 : resp.data.resource.resource.name) || "iam-role";
         }
-        if (flags.profileName && flags.profileName !== '') {
+        if (flags.profileName && flags.profileName !== "") {
             roleName = flags.profileName;
         }
         const session = await (0, sessions_1.getOrCreateSession)(this, roleId, resources_1.DEFAULT_ACCESS_LEVEL, sessionId, IamSessionMetadataFragment, flags.refresh);
@@ -60,10 +60,10 @@ class StartIAMRoleSession extends core_1.Command {
         }
         const metadata = session.metadata;
         switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
-            case 'AwsIamFederatedRoleSession': {
+            case "AwsIamFederatedRoleSession": {
                 const updateAwsConfigCommand = (0, aws_1.getAwsConfigUpdateCmd)(roleName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
                 const startSessionCmd = `${updateAwsConfigCommand}`;
-                const roleText = roleName ? `"${roleName}" role` : 'role';
+                const roleText = roleName ? `"${roleName}" role` : "role";
                 const expirationMessage = (0, sessions_1.getSessionExpirationMessage)(session);
                 (0, cmd_1.runCommandExec)(startSessionCmd, `Now set to use ${roleText}. (session expires in ${expirationMessage})${(0, aws_1.getAwsEnvVarMessage)()}`, `Failed to use ${roleText}.`);
                 break;
@@ -73,10 +73,10 @@ class StartIAMRoleSession extends core_1.Command {
         }
     }
 }
-StartIAMRoleSession.description = 'Starts a session to assume an IAM role.';
+StartIAMRoleSession.description = "Starts a session to assume an IAM role.";
 StartIAMRoleSession.examples = [
-    'opal iam-roles:start',
-    'opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398',
+    "opal iam-roles:start",
+    "opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398",
     'opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --profileName "custom-profile"',
 ];
 StartIAMRoleSession.flags = {
@@ -86,7 +86,7 @@ StartIAMRoleSession.flags = {
     refresh: flags_1.SHARED_FLAGS.refresh,
     profileName: core_1.Flags.string({
         multiple: false,
-        description: 'Uses a custom AWS profile name for the IAM role. Default value is the role\'s name.',
+        description: "Uses a custom AWS profile name for the IAM role. Default value is the role's name.",
     }),
 };
 exports.default = StartIAMRoleSession;

package/lib/commands/kube-roles/start.d.ts

@@ -1,4 +1,4 @@
-import { Command } from '@oclif/core';
+import { Command } from "@oclif/core";
 export default class StartKubeIAMRoleSession extends Command {
     static description: string;
     static examples: string[];

package/lib/commands/kube-roles/start.js

@@ -1,12 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 const core_1 = require("@oclif/core");
-const cmd_1 = require("../../lib/cmd");
 const apollo_1 = require("../../lib/apollo");
 const aws_1 = require("../../lib/aws");
+const cmd_1 = require("../../lib/cmd");
+const flags_1 = require("../../lib/flags");
 const resources_1 = require("../../lib/resources");
 const sessions_1 = require("../../lib/sessions");
-const flags_1 = require("../../lib/flags");
 const EksSessionMetadataFragment = `
 ... on AwsIamFederatedEksSession {
   awsAccessKeyId
@@ -20,19 +20,19 @@ class StartKubeIAMRoleSession extends core_1.Command {
         (0, cmd_1.setMostRecentCommand)(this);
         const { flags } = await this.parse(StartKubeIAMRoleSession);
         if (flags.sessionId && flags.refresh) {
-            return (0, apollo_1.handleError)(this, 'Cannot use both --sessionId and --refresh');
+            return (0, apollo_1.handleError)(this, "Cannot use both --sessionId and --refresh");
         }
         let clusterId = flags.id;
         const sessionId = flags.sessionId;
         if (!clusterId) {
-            const selectedCluster = await (0, resources_1.promptUserForResource)(this, 'AWS_EKS_CLUSTER', 'Select an EKS Kubernetes cluster to connect to');
+            const selectedCluster = await (0, resources_1.promptUserForResource)(this, "AWS_EKS_CLUSTER", "Select an EKS Kubernetes cluster to connect to");
             if (!selectedCluster) {
                 return;
             }
             clusterId = selectedCluster.id;
         }
         // Fetch all access levels for resource
-        const accessLevel = await (0, resources_1.promptUserForAccessLevels)(this, clusterId, 'Kubernetes cluster', flags.accessLevelRemoteId);
+        const accessLevel = await (0, resources_1.promptUserForAccessLevels)(this, clusterId, "Kubernetes cluster", flags.accessLevelRemoteId);
         if (!accessLevel) {
             return;
         }
@@ -42,12 +42,12 @@ class StartKubeIAMRoleSession extends core_1.Command {
         }
         const metadata = session.metadata;
         switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
-            case 'AwsIamFederatedEksSession': {
+            case "AwsIamFederatedEksSession": {
                 const roleName = accessLevel.accessLevelName;
                 const updateAwsConfigCommand = (0, aws_1.getAwsConfigUpdateCmd)(roleName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
                 const updateKubeConfigCmd = `aws eks update-kubeconfig --name ${metadata.clusterName} --region ${metadata.clusterRegion} --alias ${metadata.clusterName} --profile opal`;
                 const startSessionCmd = `${updateAwsConfigCommand} && ${updateKubeConfigCmd}`;
-                const roleText = roleName ? `"${roleName}" role` : 'role';
+                const roleText = roleName ? `"${roleName}" role` : "role";
                 const expirationMessage = (0, sessions_1.getSessionExpirationMessage)(session);
                 (0, cmd_1.runCommandExec)(startSessionCmd, `Now set to use ${roleText} with updated Kube config pointing to "${metadata.clusterName}" cluster. (session expires in ${expirationMessage})${(0, aws_1.getAwsEnvVarMessage)()}`, `Failed to assume ${roleText} and update Kube config.`);
                 break;
@@ -57,10 +57,10 @@ class StartKubeIAMRoleSession extends core_1.Command {
         }
     }
 }
-StartKubeIAMRoleSession.description = 'Starts a session to assume a Kubernetes cluster IAM role.';
+StartKubeIAMRoleSession.description = "Starts a session to assume a Kubernetes cluster IAM role.";
 StartKubeIAMRoleSession.examples = [
-    'opal kube-roles:start',
-    'opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398',
+    "opal kube-roles:start",
+    "opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398",
     'opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"',
 ];
 StartKubeIAMRoleSession.flags = {

package/lib/commands/login.d.ts

@@ -1,7 +1,8 @@
-import { Command } from '@oclif/core';
+import { Command } from "@oclif/core";
 export declare const CLISignInMethodName = "CLISignInMethod";
 export declare const CLIAuthSessionCheckName = "CLIAuthSessionCheck";
 export declare const CLIAuthSessionCheckDocument = "\nquery CLIAuthSessionCheck {\n  organizationSettings {\n      ... on OrganizationSettingsResult {\n        settings {\n          id\n        }\n      }\n  }\n}\n";
+export declare const CLITokenExchangeName = "CLITokenExchange";
 export default class Login extends Command {
     static description: string;
     static examples: string[];