{"id":37141184,"url":"https://github.com/devlabfoundry/aws-cli-auth","last_synced_at":"2026-01-14T16:33:18.275Z","repository":{"id":42078510,"uuid":"466478521","full_name":"DevLabFoundry/aws-cli-auth","owner":"DevLabFoundry","description":"AWS Developer Authentication using SAML provider linked to AWS account or SSO login without storing refresh tokens locally. Enables linked roles with multiple methods.","archived":false,"fork":false,"pushed_at":"2025-12-17T21:05:15.000Z","size":331,"stargazers_count":5,"open_issues_count":4,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-12-21T08:52:55.226Z","etag":null,"topics":["aws","cli","iam","saml"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DevLabFoundry.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-03-05T14:37:18.000Z","updated_at":"2025-12-20T02:19:28.000Z","dependencies_parsed_at":"2025-12-18T05:11:11.328Z","dependency_job_id":null,"html_url":"https://github.com/DevLabFoundry/aws-cli-auth","commit_stats":null,"previous_names":["devlabfoundry/aws-cli-auth","dnitsch/aws-cli-auth"],"tags_count":61,"template":false,"template_full_name":null,"purl":"pkg:github/DevLabFoundry/aws-cli-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DevLabFoundry%2Faws-cli-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DevLabFound
ry%2Faws-cli-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DevLabFoundry%2Faws-cli-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DevLabFoundry%2Faws-cli-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DevLabFoundry","download_url":"https://codeload.github.com/DevLabFoundry/aws-cli-auth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DevLabFoundry%2Faws-cli-auth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28426068,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T16:32:27.303Z","status":"ssl_error","status_checked_at":"2026-01-14T16:28:36.419Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cli","iam","saml"],"created_at":"2026-01-14T16:33:17.605Z","updated_at":"2026-01-14T16:33:18.268Z","avatar_url":"https://github.com/DevLabFoundry.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Go Report 
Card](https://goreportcard.com/badge/github.com/DevLabFoundry/aws-cli-auth)](https://goreportcard.com/report/github.com/DevLabFoundry/aws-cli-auth)\n[![Bugs](https://sonarcloud.io/api/project_badges/measure?project=dnitsch_aws-cli-auth\u0026metric=bugs)](https://sonarcloud.io/summary/new_code?id=dnitsch_aws-cli-auth)\n[![Technical Debt](https://sonarcloud.io/api/project_badges/measure?project=dnitsch_aws-cli-auth\u0026metric=sqale_index)](https://sonarcloud.io/summary/new_code?id=dnitsch_aws-cli-auth)\n[![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=dnitsch_aws-cli-auth\u0026metric=reliability_rating)](https://sonarcloud.io/summary/new_code?id=dnitsch_aws-cli-auth)\n[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=dnitsch_aws-cli-auth\u0026metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=dnitsch_aws-cli-auth)\n[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=dnitsch_aws-cli-auth\u0026metric=coverage)](https://sonarcloud.io/summary/new_code?id=dnitsch_aws-cli-auth)\n\n# AWS CLI AUTH\n\nCLI tool for retrieving AWS temporary credentials using a variety of methods.\n\n**Supports**:\n\n- Any IdP Provider SAML provider via WebUI\n- AWS Portal direct account =\u003e role selection\n- Role chaining for every credential exchange type\n- web_identity_token file with role chaining\n\nThis tool deals with IdP logins via SAML, both into an AWS account directly or via AWS SSO Portal\n\n---\n\u003e **NOTE**: [aws cli](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso/login.html) now supports a login via a session into a single AWS portal, it works in a similar fashion except this tool does not store the refreshToken on the device and is meant to be used with `credential_process`\n\n---\n\n\u003e If you have an OIDC IdP provider set up to AWS you can use this [aws-cli-oidc](https://github.com/openstandia/aws-cli-oidc) and likewise this 
[saml2aws](https://github.com/Versent/saml2aws) for standard SAML only AWS integrations - standard meaning that your IdP has a standard flow and supports programmatic MFA submission.\n\nIf, however, you need to support non-standard user journeys enforced by your IdP, i.e. a sub company selection within your organization login portal, or a selection screen for different MFA providers - PingID or RSA HardToken etc. - you cannot reliably automate the flow or it would have to be too specific.\n\nAs such this approach uses the [go-rod](https://github.com/go-rod/rod) library to uniformly allow the user to complete any and all auth steps and selections in a managed browser session up to the point where the SAMLResponse is to be sent to the AWS ACS service `https://signin.aws.amazon.com/saml`.\n\nThe tool captures this via a hijacked request and posts it to the AWS STS service to exchange it for the temporary credentials.\n\nThe advantage of using SAML is that real users can gain access via the AWS Console UI or programmatically and be audited as the same person in CloudTrail.\n\nBy default the tool creates the session name, which can be audited, including the person's username from the localhost.\n\n## [Installation](./docs/install.md)\n\n## [Usage](./docs/usage.md)\n\n## Known Issues\n\n- Even though a datadir is created to store the Chromium session data, it is advised to still open settings and save the username/password manually the first time you are presented with the login screen.\n\n- If a login form is not done correctly according to Chrome specs and does not specify `type` on the HTML tag with `username`, Chromium will not pick it up.\n\n- As the process of re-requesting new credentials is **by design** and should be used in places where it cannot be automated, it is a good idea **IF POSSIBLE** to use longer sessions for ***NON LIVE*** AWS accounts so that the prompt is not too frequent.\n\n- Prior to `v0.8.0` you might need to manually kill the `aws-cli-auth` process from 
your OS's process manager.\n\n## Contribute\n\nContributions to the aws-auth-cli package are most welcome from engineers of all backgrounds and skill levels.\n\nIn particular, the addition of extra test coverage and code enhancements is welcome.\n\nThis project will adhere to the [Go Community Code of Conduct](https://go.dev/conduct) in the GitHub-provided discussion spaces.\n\nTo make a contribution:\n\n- Fork the repository\n- Make your changes on the fork\n- Submit a pull request back to this repo with a clear description of the problem you're solving\n- Ensure your PR passes all current (and new) tests\n\n## Acknowledgements\n\nInspired by/Borrowed the design for secretStore from these 2 packages:\n\n- [Hiroyuki Wada](https://github.com/wadahiro) [package](https://github.com/openstandia/aws-cli-oidc)\n- [Mark Wolfe](https://github.com/wolfeidau) [package](https://github.com/Versent/saml2aws)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevlabfoundry%2Faws-cli-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevlabfoundry%2Faws-cli-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevlabfoundry%2Faws-cli-auth/lists"}