{"id":14984276,"url":"https://github.com/unfunco/chrome-ext-aws-saml-sts","last_synced_at":"2026-03-15T14:31:26.589Z","repository":{"id":219923024,"uuid":"704835887","full_name":"unfunco/chrome-ext-aws-saml-sts","owner":"unfunco","description":"Google Chrome extension that intercepts the SAML assertion when logging into the AWS console and exchanges it for temporary STS credentials.","archived":false,"fork":false,"pushed_at":"2026-02-02T11:40:37.000Z","size":1115,"stargazers_count":5,"open_issues_count":5,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-03T01:07:39.686Z","etag":null,"topics":["aws","chrome-extension","google-chrome","google-chrome-extension","manifest-v3","react","saml","sts","typescript","vite"],"latest_commit_sha":null,"homepage":"https://chromewebstore.google.com/detail/aws-saml-to-sts/affnlpfpepgmjfhclafkknonoocdefnh","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/unfunco.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-10-14T08:36:08.000Z","updated_at":"2026-02-02T11:39:25.000Z","dependencies_parsed_at":"2024-04-15T09:48:36.008Z","dependency_job_id":"f2dd9963-7130-4f06-94c0-28436ba4abb6","html_url":"https://github.com/unfunco/chrome-ext-aws-saml-sts","commit_stats":null,"previous_names":["unfunco/chrome-ext-aws-saml-sts"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/unfunco/chrome-ext-aws-saml-sts","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unfunco%2Fchrome-ext-aws-saml-sts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unfunco%2Fchrome-ext-aws-saml-sts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unfunco%2Fchrome-ext-aws-saml-sts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unfunco%2Fchrome-ext-aws-saml-sts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/unfunco","download_url":"https://codeload.github.com/unfunco/chrome-ext-aws-saml-sts/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unfunco%2Fchrome-ext-aws-saml-sts/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29597853,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-18T22:25:43.180Z","status":"ssl_error","status_checked_at":"2026-02-18T22:25:42.766Z","response_time":162,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","chrome-extension","google-chrome","google-chrome-extension","manifest-v3","react","saml","sts","typescript","vite"],"created_at":"2024-09-24T14:08:46.479Z","updated_at":"2026-03-15T14:31:26.582Z","avatar_url":"https://github.com/unfunco.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS SAML to STS Chrome extension\n\n[![CI](https://github.com/unfunco/chrome-ext-aws-saml-sts/actions/workflows/ci.yaml/badge.svg)](https://github.com/unfunco/chrome-ext-aws-saml-sts/actions/workflows/ci.yaml)\n[![License: MIT](https://img.shields.io/badge/License-MIT-purple.svg)](https://opensource.org/licenses/MIT)\n\n\u003cimg align=\"right\" src=\"https://github.com/user-attachments/assets/fbd0ae04-0d48-4cdd-8bcd-c9c5537c3950\" alt=\"Screenshot of the AWS SAML to STS Chrome extension being used to generate temporary credentials.\" style=\"max-width: 100%;\" width=\"300\"\u003e\n\nA Google Chrome extension for engineers who authenticate to AWS with\nSAML 2.0 and want temporary STS credentials they can copy into the\nAWS CLI or AWS SDK tooling.\n\nWhen you sign in to the AWS console through a SAML identity provider such as\nOkta, Azure AD, or ADFS, AWS receives a SAML assertion at\n`https://signin.aws.amazon.com/saml`. This extension intercepts that assertion,\nextracts the IAM role details, exchanges the assertion for temporary AWS STS\ncredentials, and makes the credentials available in copy-friendly formats.\n\n## Why does this exist?\n\nFederated AWS access often works well in the browser but leaves a gap for local\ndeveloper workflows. If your organisation uses SAML sign-in for the AWS\nconsole, getting short-lived credentials into the CLI or SDKs can still be\nawkward. This extension closes that gap without adding another service or\ncredential broker.\n\n## How does the extension work?\n\n1. It listens only for requests to `https://signin.aws.amazon.com/saml`.\n2. It reads the posted `SAMLResponse` from the AWS sign-in form submission.\n3. It parses the available IAM roles and optional session duration from the\n   SAML assertion.\n4. It calls AWS STS `AssumeRoleWithSAML` for the selected role.\n5. It stores the resulting temporary credentials in extension local storage\n   until they expire, then automatically removes them.\n\nIf the assertion contains exactly one role, credentials are generated\nimmediately. If AWS presents a role selection screen, credentials are generated\nafter you choose a role and complete sign-in.\n\n## Installation and usage\n\nThe easiest option is to install the extension from the [Chrome Web Store].\n\nAfter installation:\n\n1. Sign in to the AWS console as you normally would.\n2. Open the extension from the browser toolbar.\n3. Choose your preferred credential format.\n4. Click a snippet to copy it to your clipboard.\n\n### Credential output formats\n\nThe popup currently exposes four formats:\n\n- `macOS/Linux`: shell exports for terminal sessions\n- `Windows CMD`: `SET` commands for Command Prompt\n- `PowerShell`: `$Env:` assignments\n- `AWS credentials file`: an INI snippet for `~/.aws/credentials`\n\nThe credentials file snippet is emitted as `[default]`. If you prefer a named\nprofile, rename the profile header after copying.\n\n### Requirements and compatibility\n\nThis extension is intended for AWS accounts that use SAML 2.0 federation with\nIAM roles. It is a good fit for setups backed by providers such as Okta, Azure\nAD, ADFS, Keycloak, Ping Identity, or similar SAML-capable IdPs.\n\nIt is **not** designed for AWS IAM Identity Center / AWS SSO flows.\n\n## Security and privacy\n\nThis project is intentionally narrow in scope:\n\n- The extension only requests `webRequest` and `storage` permissions.\n- It only declares host access to `https://signin.aws.amazon.com/saml`.\n- Credentials are stored in extension local storage on your machine.\n- Expired credentials are automatically removed and hidden from the UI.\n- The extension does not send telemetry or forward credentials to any service\n  other than AWS STS.\n\n### Permissions\n\n| Permission                           | Why it is needed                                                                                |\n| ------------------------------------ | ----------------------------------------------------------------------------------------------- |\n| `webRequest`                         | Intercept the AWS SAML sign-in POST before AWS finishes the console login flow                  |\n| `storage`                            | Persist the selected platform and temporary credentials between the background worker and popup |\n| `https://signin.aws.amazon.com/saml` | Limit interception to the AWS SAML endpoint instead of broad host access                        |\n\n### Operational notes\n\n- Anyone with access to your browser profile or extension storage can inspect\n  stored credentials while they are still valid.\n- Credentials are temporary and expire according to the duration granted by\n  your identity provider / AWS role configuration.\n- The extension does not automatically refresh credentials; you refresh them by\n  signing in to AWS again.\n\n## Development\n\nIf your organisation blocks the Chrome Web Store, or you want to work on the\nextension locally, you can build and install it manually.\n\n### Requirements\n\n- [Google Chrome] or another Chromium-based browser\n- [Node.js] matching the repository's `.node-version` file\n- [npm] 10+\n\n### Local setup\n\n```bash\ngit clone git@github.com:unfunco/chrome-ext-aws-saml-sts.git\ncd chrome-ext-aws-saml-sts\nnpm install\n```\n\n### Development workflow\n\nStart the local watcher:\n\n```bash\nnpm run dev\n```\n\nThis runs `nodemon`, which rebuilds the extension with Vite when files change.\n\nThen load the unpacked extension:\n\n1. Open [chrome://extensions]\n2. Enable **Developer mode**\n3. Click **Load unpacked**\n4. Select the repository's `dist` directory\n\nWhen you change source files, rebuilds happen automatically, but you still need\nto reload the extension in Chrome to pick up the updated bundle.\n\n### Validation commands\n\nRun the same checks used for release preparation:\n\n```bash\nnpm run lint\nnpm test\nnpm run build\n```\n\nYou can also check formatting explicitly:\n\n```bash\nnpm run fmt:check\n```\n\n### Building for distribution\n\nCreate a production build with:\n\n```bash\nnpm run build\n```\n\nThat produces a `dist` directory containing the packaged extension assets.\n\nIf you do not want to build locally, you can also download a packaged build from\nthe project's [GitHub releases](https://github.com/unfunco/chrome-ext-aws-saml-sts/releases).\n\n## Troubleshooting\n\n### I signed in to AWS but no credentials appeared\n\n- Make sure the extension is enabled and pinned in the browser toolbar.\n- If AWS asked you to choose between multiple roles, finish that selection\n  first, then reopen the popup.\n- Open the service worker console from [chrome://extensions] to inspect logs\n  from the background worker.\n\n### The credentials are expired\n\nExpired credentials are removed automatically. Sign in to AWS again to generate\na fresh set.\n\n### The AWS credentials file snippet uses `[default]`\n\nThat is the current built-in format. If you need a named profile, rename the\nheader after copying and save it to `~/.aws/credentials`.\n\n### I am debugging locally and want to inspect the background worker\n\nFrom [chrome://extensions], open the extension details card and click the\nservice worker link to inspect the Manifest V3 background worker logs.\n\n## FAQ\n\n### Does this support multiple AWS partitions?\n\nYes. The role parsing logic supports the standard commercial AWS partition and\nother AWS IAM role ARN partitions such as GovCloud-style ARNs.\n\n### Does this modify pages in the browser?\n\nNo. The extension listens for the AWS sign-in request and renders its own popup\nUI, but it does not inject scripts into arbitrary web pages.\n\n### Can this refresh credentials automatically?\n\nNo. This extension captures credentials when you sign in to AWS through the\nbrowser. It does not run a background renewal workflow.\n\n## License\n\n© 2023 [Daniel Morris]\\\nMade available under the terms of the [MIT License].\n\n[aws]: https://aws.amazon.com\n[aws cli]: https://aws.amazon.com/cli/\n[chrome://extensions]: chrome://extensions\n[chrome web store]: https://chromewebstore.google.com/detail/aws-saml-to-sts/affnlpfpepgmjfhclafkknonoocdefnh\n[daniel morris]: https://unfun.co\n[google chrome]: https://www.google.com/chrome\n[mit license]: LICENSE.md\n[node.js]: https://nodejs.org\n[npm]: https://www.npmjs.com\n[sts]: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funfunco%2Fchrome-ext-aws-saml-sts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Funfunco%2Fchrome-ext-aws-saml-sts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funfunco%2Fchrome-ext-aws-saml-sts/lists"}