opal-security 3.2.4 → 4.0.3

package/README.md

@@ -22,7 +22,7 @@ $ npm install -g opal-security
 $ opal COMMAND
 running command...
 $ opal (--version)
-opal-security/3.2.4 darwin-arm64 node-v18.20.4
+opal-security/4.0.3 darwin-arm64 node-v24.5.0
 $ opal --help [COMMAND]
 USAGE
   $ opal COMMAND
@@ -35,8 +35,7 @@ USAGE
 <!-- commands -->
 * [`opal autocomplete [SHELL]`](#opal-autocomplete-shell)
 * [`opal aws identity`](#opal-aws-identity)
-* [`opal clear-auth-provider`](#opal-clear-auth-provider)
-* [`opal curl-example`](#opal-curl-example)
+* [`opal clear-auth-config`](#opal-clear-auth-config)
 * [`opal groups get`](#opal-groups-get)
 * [`opal help [COMMANDS]`](#opal-help-commands)
 * [`opal iam-roles start`](#opal-iam-roles-start)
@@ -49,7 +48,7 @@ USAGE
 * [`opal request list`](#opal-request-list)
 * [`opal request ls`](#opal-request-ls)
 * [`opal resources get`](#opal-resources-get)
-* [`opal set-auth-provider`](#opal-set-auth-provider)
+* [`opal set-auth-config`](#opal-set-auth-config)
 * [`opal set-custom-header`](#opal-set-custom-header)
 * [`opal set-token`](#opal-set-token)
 * [`opal set-url [URL]`](#opal-set-url-url)
@@ -106,44 +105,24 @@ EXAMPLES
   $ opal aws:identity
 ```
 
-_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/aws/identity.ts)_
+_See code: [src/commands/aws/identity.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/aws/identity.ts)_
 
-## `opal clear-auth-provider`
+## `opal clear-auth-config`
 
-Clears the custom Issuer URL and Client ID set by set-airgap-auth, returning to the default.
+Clear all authentication configuration values
 
 ```
 USAGE
-  $ opal clear-auth-provider [-h]
-
-FLAGS
-  -h, --help  Show CLI help.
+  $ opal clear-auth-config
 
 DESCRIPTION
-  Clears the custom Issuer URL and Client ID set by set-airgap-auth, returning to the default.
+  Clear all authentication configuration values
 
 EXAMPLES
-  $ opal clear-auth-provider
-```
-
-_See code: [src/commands/clear-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/clear-auth-provider.ts)_
-
-## `opal curl-example`
-
-Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.
-
-```
-USAGE
-  $ opal curl-example [-h]
-
-FLAGS
-  -h, --help  Show CLI help.
-
-DESCRIPTION
-  Prints out an example cURL command containing the parameters the CLI uses to query the Opal server.
+  $ opal clear-auth-config
 ```
 
-_See code: [src/commands/curl-example.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/curl-example.ts)_
+_See code: [src/commands/clear-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/clear-auth-config.ts)_
 
 ## `opal groups get`
 
@@ -164,7 +143,7 @@ EXAMPLES
   $ opal groups:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/groups/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/groups/get.ts)_
+_See code: [src/commands/groups/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/groups/get.ts)_
 
 ## `opal help [COMMANDS]`
 
@@ -214,7 +193,7 @@ EXAMPLES
   $ opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --profileName "custom-profile"
 ```
 
-_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/iam-roles/start.ts)_
+_See code: [src/commands/iam-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/iam-roles/start.ts)_
 
 ## `opal kube-roles start`
 
@@ -245,7 +224,7 @@ EXAMPLES
   $ opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"
 ```
 
-_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/kube-roles/start.ts)_
+_See code: [src/commands/kube-roles/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/kube-roles/start.ts)_
 
 ## `opal login`
 
@@ -253,9 +232,11 @@ Authenticates you with the Opal server.
 
 ```
 USAGE
-  $ opal login [-h] [--email <value>]
+  $ opal login [-h] [--email <value>] [-d]
 
 FLAGS
+  -d, --device-code    Enables the Device Code flow instead of the Authorization Code flow when logging in.
+                       Use the Device Code flow if your environment can't open a browser or listen on a local port.
   -h, --help           Show CLI help.
       --email=<value>  Email address to login with.
 
@@ -266,7 +247,7 @@ EXAMPLES
   $ opal login
 ```
 
-_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/login.ts)_
+_See code: [src/commands/login.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/login.ts)_
 
 ## `opal logout`
 
@@ -286,7 +267,7 @@ EXAMPLES
   $ opal logout
 ```
 
-_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/logout.ts)_
+_See code: [src/commands/logout.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/logout.ts)_
 
 ## `opal postgres-instances start`
 
@@ -324,7 +305,7 @@ EXAMPLES
   $ opal postgres-instances:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId fullaccess --action view
 ```
 
-_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/postgres-instances/start.ts)_
+_See code: [src/commands/postgres-instances/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/postgres-instances/start.ts)_
 
 ## `opal request create`
 
@@ -350,7 +331,7 @@ DESCRIPTION
   Creates an Opal access request via an interactive form
 ```
 
-_See code: [src/commands/request/create.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/request/create.ts)_
+_See code: [src/commands/request/create.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/request/create.ts)_
 
 ## `opal request get`
 
@@ -374,7 +355,7 @@ EXAMPLES
   $ opal request get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4 --verbose
 ```
 
-_See code: [src/commands/request/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/request/get.ts)_
+_See code: [src/commands/request/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/request/get.ts)_
 
 ## `opal request list`
 
@@ -406,7 +387,7 @@ EXAMPLES
   $ opal request list --n 5 --pending --verbose
 ```
 
-_See code: [src/commands/request/list.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/request/list.ts)_
+_See code: [src/commands/request/list.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/request/list.ts)_
 
 ## `opal request ls`
 
@@ -457,33 +438,37 @@ EXAMPLES
   $ opal resources:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4
 ```
 
-_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/resources/get.ts)_
+_See code: [src/commands/resources/get.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/resources/get.ts)_
 
-## `opal set-auth-provider`
+## `opal set-auth-config`
 
-Sets the Issuer URL and Client ID of the Auth Provider that the CLI will authenticate with.
+Set authentication configuration values
 
 ```
 USAGE
-  $ opal set-auth-provider --clientID <value> --issuerUrl <value> [-h]
+  $ opal set-auth-config [--organizationID <value>] [--clientID <value>] [--issuerUrl <value>]
 
 FLAGS
-  -h, --help               Show CLI help.
-      --clientID=<value>   (required) Client ID of your Auth Provider
-      --issuerUrl=<value>  (required) Issuer URL of your Auth Provider
+  --clientID=<value>        OIDC client ID for authentication
+  --issuerUrl=<value>       OIDC issuer URL for authentication
+  --organizationID=<value>  Organization ID for authentication
 
 DESCRIPTION
-  Sets the Issuer URL and Client ID of the Auth Provider that the CLI will authenticate with.
-  Only use this if you are running a self-hosted, air-gapped instance of Opal that uses a custom Auth Provider.
+  Set authentication configuration values
 
-  Note - you will need an OIDC provider that supports the device_code grant.
+EXAMPLES
+  $ opal set-auth-config --clientID=abc123
 
+  $ opal set-auth-config --organizationID=org-456
 
-EXAMPLES
-  $ opal set-auth-provider --clientID 1234asdf --issuerUrl https://auth.example.com
+  $ opal set-auth-config --issuerUrl=https://auth.example.com
+
+  $ opal set-auth-config --clientID=abc123 --issuerUrl=https://auth.example.com
+
+  $ opal set-auth-config --organizationID=org-456 --clientID=abc123 --issuerUrl=https://auth.example.com
 ```
 
-_See code: [src/commands/set-auth-provider.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/set-auth-provider.ts)_
+_See code: [src/commands/set-auth-config.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/set-auth-config.ts)_
 
 ## `opal set-custom-header`
 
@@ -504,7 +489,7 @@ EXAMPLES
   $ opal set-custom-header --header 'cf-access-token: $TOKEN'
 ```
 
-_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/set-custom-header.ts)_
+_See code: [src/commands/set-custom-header.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/set-custom-header.ts)_
 
 ## `opal set-token`
 
@@ -524,7 +509,7 @@ EXAMPLES
   $ opal set-token
 ```
 
-_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/set-token.ts)_
+_See code: [src/commands/set-token.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/set-token.ts)_
 
 ## `opal set-url [URL]`
 
@@ -548,7 +533,7 @@ EXAMPLES
   $ opal set-url
 ```
 
-_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/set-url.ts)_
+_See code: [src/commands/set-url.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/set-url.ts)_
 
 ## `opal ssh copyFrom`
 
@@ -579,7 +564,7 @@ EXAMPLES
   $ opal ssh:copyFrom --src instance/dir --dest my/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/ssh/copyFrom.ts)_
+_See code: [src/commands/ssh/copyFrom.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/ssh/copyFrom.ts)_
 
 ## `opal ssh copyTo`
 
@@ -610,7 +595,7 @@ EXAMPLES
   $ opal ssh:copyTo --src my/dir --dest instance/dir --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/ssh/copyTo.ts)_
+_See code: [src/commands/ssh/copyTo.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/ssh/copyTo.ts)_
 
 ## `opal ssh start`
 
@@ -637,7 +622,7 @@ EXAMPLES
   $ opal ssh:start --id 51f7176b-0464-4a6f-8369-e951e187b398
 ```
 
-_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/ssh/start.ts)_
+_See code: [src/commands/ssh/start.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/ssh/start.ts)_
 
 ## `opal version`
 
@@ -674,5 +659,5 @@ DESCRIPTION
   Describes current url set, organization name, and logged in user if applicable.
 ```
 
-_See code: [src/commands/whoami.ts](https://github.com/opalsecurity/opal-cli/blob/v3.2.4/src/commands/whoami.ts)_
+_See code: [src/commands/whoami.ts](https://github.com/opalsecurity/opal-cli/blob/v4.0.3/src/commands/whoami.ts)_
 <!-- commandsstop -->

package/bin/dev

@@ -1,6 +1,6 @@
-#!/usr/bin/env node
+#!/usr/bin/env -S npx tsx
+
+import {execute} from '@oclif/core'
+
+await execute({development: true, dir: import.meta.url})
 
-require("@oclif/core")
-  .execute({ development: true, dir: __dirname })
-  .then(require("@oclif/core/flush"))
-  .catch(require("@oclif/core/handle"));

package/bin/run

@@ -1,4 +1,5 @@
 #!/usr/bin/env node
+import {execute} from "@oclif/core";
 
 const engineMajorVersion = Number.parseInt(process.version.slice(1).split('.'));
 if (engineMajorVersion < 18) {
@@ -6,7 +7,4 @@ if (engineMajorVersion < 18) {
   process.exit(1)
 }
 
-require("@oclif/core")
-  .execute({ development: false, dir: __dirname })
-  .then(require("@oclif/core/flush"))
-  .catch(require("@oclif/core/handle"));
+await execute({development: false, dir: import.meta.url})

package/build/commands/aws/identity.js

@@ -0,0 +1,16 @@
+import { Command } from "@oclif/core";
+import { runCommandExec, setMostRecentCommand } from "../../lib/cmd.js";
+import { SHARED_FLAGS } from "../../lib/flags.js";
+class Identity extends Command {
+    async run() {
+        setMostRecentCommand(this);
+        const currentCallerIdentityCmd = "aws sts get-caller-identity --profile opal";
+        runCommandExec(currentCallerIdentityCmd, 'This is the current caller identity for the "opal" AWS profile.', 'Failed to get the current caller identity for the "opal" AWS profile.');
+    }
+}
+Identity.description = 'Gets the current caller identity for the "opal" AWS profile.';
+Identity.examples = ["opal aws:identity"];
+Identity.flags = {
+    help: SHARED_FLAGS.help,
+};
+export default Identity;

package/build/commands/clear-auth-config.d.ts

@@ -0,0 +1,6 @@
+import { Command } from "@oclif/core";
+export default class ClearConfig extends Command {
+    static description: string;
+    static examples: string[];
+    run(): Promise<void>;
+}

package/build/commands/clear-auth-config.js

@@ -0,0 +1,22 @@
+import { Command } from "@oclif/core";
+import { getOrCreateConfigData, writeConfigData } from "../lib/config.js";
+import { removeOpalCredentials } from "../lib/credentials/index.js";
+class ClearConfig extends Command {
+    async run() {
+        try {
+            const configData = getOrCreateConfigData(this.config.configDir);
+            await removeOpalCredentials(this);
+            // biome-ignore lint/performance/noDelete: view performance of this and modify if needed
+            delete configData.issuerURL;
+            configData.creds = {};
+            writeConfigData(this.config.configDir, configData);
+            this.log("Authentication configuration cleared");
+        }
+        catch (error) {
+            this.error(String(error));
+        }
+    }
+}
+ClearConfig.description = "Clear all authentication configuration values";
+ClearConfig.examples = ["$ opal clear-auth-config"];
+export default ClearConfig;

package/{lib → build}/commands/groups/get.js

@@ -1,11 +1,9 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const core_1 = require("@oclif/core");
-const graphql_1 = require("../../graphql");
-const apollo_1 = require("../../lib/apollo");
-const cmd_1 = require("../../lib/cmd");
-const flags_1 = require("../../lib/flags");
-const GET_GROUP_QUERY = (0, graphql_1.graphql)(`
+import { Command } from "@oclif/core";
+import { graphql } from "../../graphql/index.js";
+import { getClient, handleError, printResponse } from "../../lib/apollo.js";
+import { setMostRecentCommand } from "../../lib/cmd.js";
+import { SHARED_FLAGS } from "../../lib/flags.js";
+const GET_GROUP_QUERY = graphql(`
 query GetGroup($id: GroupId!) {
     group(input: { id: $id }) {
     __typename
@@ -43,9 +41,9 @@ query GetGroup($id: GroupId!) {
     }
   }
 }`);
-class GetGroup extends core_1.Command {
+class GetGroup extends Command {
     async run() {
-        (0, cmd_1.setMostRecentCommand)(this);
+        setMostRecentCommand(this);
         const { flags } = await this.parse(GetGroup);
         if (!flags.id) {
             this.log("Error: Please provide a group ID using the --id flag.");
@@ -53,17 +51,17 @@ class GetGroup extends core_1.Command {
             return;
         }
         try {
-            const client = await (0, apollo_1.getClient)(this);
+            const client = await getClient(this);
             const resp = await client.query({
                 query: GET_GROUP_QUERY,
                 variables: {
                     id: flags.id,
                 },
             });
-            (0, apollo_1.printResponse)(this, resp);
+            printResponse(this, resp);
         }
         catch (error) {
-            return (0, apollo_1.handleError)(this, error);
+            return handleError(this, error);
         }
     }
 }
@@ -72,7 +70,7 @@ GetGroup.examples = [
     "opal groups:get --id 54052a3e-5375-4392-aeaf-0c6c44c131d4",
 ];
 GetGroup.flags = {
-    help: flags_1.SHARED_FLAGS.help,
-    id: flags_1.SHARED_FLAGS.id,
+    help: SHARED_FLAGS.help,
+    id: SHARED_FLAGS.id,
 };
-exports.default = GetGroup;
+export default GetGroup;

package/{lib → build}/commands/iam-roles/start.js

@@ -1,14 +1,12 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const core_1 = require("@oclif/core");
-const get_1 = require("../../commands/resources/get");
-const handler_1 = require("../../handler");
-const apollo_1 = require("../../lib/apollo");
-const aws_1 = require("../../lib/aws");
-const cmd_1 = require("../../lib/cmd");
-const flags_1 = require("../../lib/flags");
-const resources_1 = require("../../lib/resources");
-const sessions_1 = require("../../lib/sessions");
+import { Command, Flags } from "@oclif/core";
+import { GetResourceDocument } from "../../commands/resources/get.js";
+import { runQueryDeprecated } from "../../handler.js";
+import { handleError } from "../../lib/apollo.js";
+import { getAwsConfigUpdateCmd, getAwsEnvVarMessage } from "../../lib/aws.js";
+import { runCommandExec, setMostRecentCommand } from "../../lib/cmd.js";
+import { SHARED_FLAGS } from "../../lib/flags.js";
+import { DEFAULT_ACCESS_LEVEL, promptUserForResource, } from "../../lib/resources.js";
+import { getOrCreateSession, getSessionExpirationMessage, } from "../../lib/sessions.js";
 const IamSessionMetadataFragment = `
 ... on AwsIamFederatedRoleSession {
   awsAccessKeyId
@@ -17,18 +15,18 @@ const IamSessionMetadataFragment = `
   awsLoginUrl
   federatedArn
 }`;
-class StartIAMRoleSession extends core_1.Command {
+class StartIAMRoleSession extends Command {
     async run() {
-        (0, cmd_1.setMostRecentCommand)(this);
+        setMostRecentCommand(this);
         const { flags } = await this.parse(StartIAMRoleSession);
         if (flags.sessionId && flags.refresh) {
-            return (0, apollo_1.handleError)(this, "Cannot use both --sessionId and --refresh");
+            return handleError(this, "Cannot use both --sessionId and --refresh");
         }
         let roleId = flags.id;
         let roleName = null;
         const sessionId = flags.sessionId;
         if (!roleId) {
-            const selectedRole = await (0, resources_1.promptUserForResource)(this, "AWS_IAM_ROLE", "Select an IAM role to assume");
+            const selectedRole = await promptUserForResource(this, "AWS_IAM_ROLE", "Select an IAM role to assume");
             if (!selectedRole) {
                 return;
             }
@@ -36,40 +34,40 @@ class StartIAMRoleSession extends core_1.Command {
             roleName = selectedRole.name;
         }
         else {
-            const { resp, error } = await (0, handler_1.runQueryDeprecated)({
+            const { resp, error } = await runQueryDeprecated({
                 command: this,
-                query: get_1.GetResourceDocument,
+                query: GetResourceDocument,
                 variables: {
                     id: roleId,
                 },
             });
             if (error) {
-                return (0, apollo_1.handleError)(this, error, resp);
+                return handleError(this, error, resp);
             }
             if (!(resp === null || resp === void 0 ? void 0 : resp.data.resource.resource)) {
-                return (0, apollo_1.handleError)(this, `Resource not found for ID: ${roleId}`);
+                return handleError(this, `Resource not found for ID: ${roleId}`);
             }
             roleName = (resp === null || resp === void 0 ? void 0 : resp.data.resource.resource.name) || "iam-role";
         }
         if (flags.profileName && flags.profileName !== "") {
             roleName = flags.profileName;
         }
-        const session = await (0, sessions_1.getOrCreateSession)(this, roleId, resources_1.DEFAULT_ACCESS_LEVEL, sessionId, IamSessionMetadataFragment, flags.refresh);
+        const session = await getOrCreateSession(this, roleId, DEFAULT_ACCESS_LEVEL, sessionId, IamSessionMetadataFragment, flags.refresh);
         if (!session) {
             return;
         }
         const metadata = session.metadata;
         switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
             case "AwsIamFederatedRoleSession": {
-                const updateAwsConfigCommand = (0, aws_1.getAwsConfigUpdateCmd)(roleName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
+                const updateAwsConfigCommand = getAwsConfigUpdateCmd(roleName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
                 const startSessionCmd = `${updateAwsConfigCommand}`;
                 const roleText = roleName ? `"${roleName}" role` : "role";
-                const expirationMessage = (0, sessions_1.getSessionExpirationMessage)(session);
-                (0, cmd_1.runCommandExec)(startSessionCmd, `Now set to use ${roleText}. (session expires in ${expirationMessage})${(0, aws_1.getAwsEnvVarMessage)()}`, `Failed to use ${roleText}.`);
+                const expirationMessage = getSessionExpirationMessage(session);
+                runCommandExec(startSessionCmd, `Now set to use ${roleText}. (session expires in ${expirationMessage})${getAwsEnvVarMessage()}`, `Failed to use ${roleText}.`);
                 break;
             }
             default:
-                return (0, apollo_1.handleError)(this, undefined, session);
+                return handleError(this, undefined, session);
         }
     }
 }
@@ -80,13 +78,13 @@ StartIAMRoleSession.examples = [
     'opal iam-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --profileName "custom-profile"',
 ];
 StartIAMRoleSession.flags = {
-    help: flags_1.SHARED_FLAGS.help,
-    id: flags_1.SHARED_FLAGS.id,
-    sessionId: flags_1.SHARED_FLAGS.sessionId,
-    refresh: flags_1.SHARED_FLAGS.refresh,
-    profileName: core_1.Flags.string({
+    help: SHARED_FLAGS.help,
+    id: SHARED_FLAGS.id,
+    sessionId: SHARED_FLAGS.sessionId,
+    refresh: SHARED_FLAGS.refresh,
+    profileName: Flags.string({
         multiple: false,
         description: "Uses a custom AWS profile name for the IAM role. Default value is the role's name.",
     }),
 };
-exports.default = StartIAMRoleSession;
+export default StartIAMRoleSession;

package/build/commands/kube-roles/start.js

@@ -0,0 +1,71 @@
+import { Command } from "@oclif/core";
+import { handleError } from "../../lib/apollo.js";
+import { getAwsConfigUpdateCmd, getAwsEnvVarMessage } from "../../lib/aws.js";
+import { runCommandExec, setMostRecentCommand } from "../../lib/cmd.js";
+import { SHARED_FLAGS } from "../../lib/flags.js";
+import { promptUserForAccessLevels, promptUserForResource, } from "../../lib/resources.js";
+import { getOrCreateSession, getSessionExpirationMessage, } from "../../lib/sessions.js";
+const EksSessionMetadataFragment = `
+... on AwsIamFederatedEksSession {
+  awsAccessKeyId
+  awsSecretAccessKey
+  awsSessionToken
+  clusterName
+  clusterRegion
+}`;
+class StartKubeIAMRoleSession extends Command {
+    async run() {
+        setMostRecentCommand(this);
+        const { flags } = await this.parse(StartKubeIAMRoleSession);
+        if (flags.sessionId && flags.refresh) {
+            return handleError(this, "Cannot use both --sessionId and --refresh");
+        }
+        let clusterId = flags.id;
+        const sessionId = flags.sessionId;
+        if (!clusterId) {
+            const selectedCluster = await promptUserForResource(this, "AWS_EKS_CLUSTER", "Select an EKS Kubernetes cluster to connect to");
+            if (!selectedCluster) {
+                return;
+            }
+            clusterId = selectedCluster.id;
+        }
+        // Fetch all access levels for resource
+        const accessLevel = await promptUserForAccessLevels(this, clusterId, "Kubernetes cluster", flags.accessLevelRemoteId);
+        if (!accessLevel) {
+            return;
+        }
+        const session = await getOrCreateSession(this, clusterId, accessLevel, sessionId, EksSessionMetadataFragment, flags.refresh);
+        if (!session) {
+            return;
+        }
+        const metadata = session.metadata;
+        switch (metadata === null || metadata === void 0 ? void 0 : metadata.__typename) {
+            case "AwsIamFederatedEksSession": {
+                const roleName = accessLevel.accessLevelName;
+                const updateAwsConfigCommand = getAwsConfigUpdateCmd(roleName, metadata.awsAccessKeyId, metadata.awsSecretAccessKey, metadata.awsSessionToken);
+                const updateKubeConfigCmd = `aws eks update-kubeconfig --name ${metadata.clusterName} --region ${metadata.clusterRegion} --alias ${metadata.clusterName} --profile opal`;
+                const startSessionCmd = `${updateAwsConfigCommand} && ${updateKubeConfigCmd}`;
+                const roleText = roleName ? `"${roleName}" role` : "role";
+                const expirationMessage = getSessionExpirationMessage(session);
+                runCommandExec(startSessionCmd, `Now set to use ${roleText} with updated Kube config pointing to "${metadata.clusterName}" cluster. (session expires in ${expirationMessage})${getAwsEnvVarMessage()}`, `Failed to assume ${roleText} and update Kube config.`);
+                break;
+            }
+            default:
+                return handleError(this, undefined, session);
+        }
+    }
+}
+StartKubeIAMRoleSession.description = "Starts a session to assume a Kubernetes cluster IAM role.";
+StartKubeIAMRoleSession.examples = [
+    "opal kube-roles:start",
+    "opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398",
+    'opal kube-roles:start --id 51f7176b-0464-4a6f-8369-e951e187b398 --accessLevelRemoteId "arn:aws:iam::712234975475:role/acme-eks-cluster-admin-role"',
+];
+StartKubeIAMRoleSession.flags = {
+    help: SHARED_FLAGS.help,
+    id: SHARED_FLAGS.id,
+    accessLevelRemoteId: SHARED_FLAGS.accessLevelRemoteId,
+    sessionId: SHARED_FLAGS.sessionId,
+    refresh: SHARED_FLAGS.refresh,
+};
+export default StartKubeIAMRoleSession;

package/{lib → build}/commands/login.d.ts

@@ -9,6 +9,7 @@ export default class Login extends Command {
     static flags: {
         help: import("@oclif/core/lib/interfaces").BooleanFlag<void>;
         email: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        "device-code": import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
     };
     static args: {};
     run(): Promise<void>;