
aws-azure-auth

v1.0.1

Published

Use Azure AD SSO to log into the AWS CLI.

Downloads: 55

Readme

aws-azure-auth

If your organization uses Azure Active Directory to provide SSO login to the AWS console, then there is no easy way to log in on the command line or to use the AWS CLI. This tool fixes that. It lets you use the normal Azure AD login (including MFA) from a command line to create a federated AWS session and places the temporary credentials in the proper place for the AWS CLI and SDKs.

Installation

Installation can be done on any of the following platforms: Windows, Linux, Docker, Snap.

Windows

Install Node.js v12 or higher. Then install aws-azure-auth with npm:

npm install -g aws-azure-auth

You may need to install the Puppeteer dependency if you get a "missing Chrome or Chromium" message:

node <node_modules_dir>/aws-azure-auth/node_modules/puppeteer/install.js

Linux

On Linux you can either install for all users or just for the current user. In either case, you must first install Node.js v12 or higher and any Puppeteer dependencies. Then follow the appropriate instructions.

Option A: Install for All Users

Install aws-azure-auth globally with npm:

sudo npm install -g aws-azure-auth --unsafe-perm

Puppeteer doesn't install globally with execute permissions for all users, so you'll need to modify them:

sudo chmod -R go+rx $(npm root -g)

Option B: Install Only for Current User

First configure npm to install global packages in your home directory:

mkdir ~/.npm-global
npm config set prefix '~/.npm-global'
echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.profile
source ~/.profile

Then install aws-azure-auth:

npm install -g aws-azure-auth

Docker

A Docker image has been built with aws-azure-auth preinstalled. You simply need to run the command with a volume mounted to your AWS configuration directory.

docker run --rm -it -v ~/.aws:/root/.aws aws-azure-auth/aws-azure-auth

The Docker image is configured with an entrypoint so you can just feed any arguments in at the end.

You can also put the docker-launch.sh script into your bin directory for the aws-azure-auth command to function as usual:

sudo curl -o /usr/local/bin/aws-azure-auth https://raw.githubusercontent.com/aws-azure-auth/aws-azure-auth/main/docker-launch.sh -L
sudo chmod +x /usr/local/bin/aws-azure-auth

Now just run aws-azure-auth.

Snap

https://snapcraft.io/aws-azure-auth

Usage

Configuration

AWS

To configure the aws-azure-auth client run:

aws-azure-auth --configure

You'll need your Azure Tenant ID and the App ID URI. To configure a named profile, use the --profile flag.

aws-azure-auth --configure --profile foo

GovCloud Support

To use aws-azure-auth with AWS GovCloud, set the region profile property in your ~/.aws/config to one of the GovCloud regions:

  • us-gov-west-1
  • us-gov-east-1

China Region Support

To use aws-azure-auth with AWS China Cloud, set the region profile property in your ~/.aws/config to the China region:

  • cn-north-1

Staying logged in, skip username/password for future logins

During the configuration you can decide to stay logged in:

? Stay logged in: skip authentication while refreshing aws credentials (true|false) (false)

If you set this option to true, the usual username/password/MFA authentication is skipped because session cookies are used to remember your identity. This lets you use --no-prompt without storing your password anywhere; it is an alternative to the environment variables described below. Once you have gone through the full login procedure once, you can simply run:

aws-azure-auth --no-prompt

or

aws-azure-auth --profile foo --no-prompt

to refresh your AWS credentials.

Environment Variables

You can optionally store your responses as environment variables:

  • AZURE_TENANT_ID
  • AZURE_APP_ID_URI
  • AZURE_DEFAULT_USERNAME
  • AZURE_DEFAULT_PASSWORD
  • AZURE_DEFAULT_ROLE_ARN
  • AZURE_DEFAULT_DURATION_HOURS

To avoid having to <Enter> through the prompts after setting these environment variables, use the --no-prompt option when running the command.

aws-azure-auth --no-prompt

Use the HISTCONTROL environment variable to avoid storing the password in your bash history (notice the space at the beginning):

$ HISTCONTROL=ignoreboth
$  export AZURE_DEFAULT_PASSWORD=mypassword
$ aws-azure-auth

Logging In

Once aws-azure-auth is configured, you can log in. For the default profile, just run:

aws-azure-auth

You will be prompted for your username and password. If MFA is required you'll also be prompted for a verification code or mobile device approval. To log in with a named profile:

aws-azure-auth --profile foo

Alternatively, you can set the AWS_PROFILE environment variable to the name of the profile, just like with the AWS CLI.

Once you log in you can use the AWS CLI or SDKs as usual!

If you are logging in on an operating system with a GUI, you can log in using the actual Azure web form instead of the CLI:

aws-azure-auth --mode gui

Logging in with GUI mode is likely to be much more reliable.

Note: on virtual machines, or when rendering of the puppeteer UI fails, you might need to disable the GPU Hardware Acceleration:

aws-azure-auth --mode gui --disable-gpu

Note: on Linux you will likely need to disable the Puppeteer sandbox or Chrome will fail to launch:

aws-azure-auth --no-sandbox

Behind corporate proxy

If you are behind a corporate proxy, set the https_proxy environment variable.

Automation

Renew credentials for all configured profiles

You can renew credentials for all configured profiles in one run. This is especially useful if the maximum session length on the AWS side is configured to a low value because of security constraints. Just run:

aws-azure-auth --all-profiles

If you configure all profiles to stay logged in, you can easily skip the prompts:

aws-azure-auth --all-profiles --no-prompt

This lets you automate the credential refresh procedure, e.g. by running a cron job every 5 minutes. To skip unnecessary calls, credentials are only refreshed when they expire in less than 11 minutes.

Getting Your Tenant ID and App ID URI

Your Azure AD system admin should be able to provide you with your Tenant ID and App ID URI. If you can't get them from your admin, you can scrape them from the login page reached via myapps.microsoft.com.

  1. Load the myapps.microsoft.com page.
  2. Click the chicklet for the login you want.
  3. In the window that pops open, quickly copy the login.microsoftonline.com URL. (If you miss it, just try again. You can also open the developer console with navigation preservation enabled to capture the URL.)
  4. The GUID right after login.microsoftonline.com/ is the tenant ID.
  5. Copy the SAMLRequest URL parameter.
  6. Paste it into a URL decoder and decode it.
  7. Paste the decoded output into a SAML decoder that handles deflated, base64-encoded XML.
  8. In the decoded XML output, the value of the Audience tag is the App ID URI.
  9. You can double-check the tenant ID against the Attribute tag named tenantid in the XML.

How It Works

The Azure login page uses JavaScript, which requires a real web browser. To automate this from a command line, aws-azure-auth uses Puppeteer, which automates a real Chromium browser. It loads the Azure login page behind the scenes, populates your username and password (and MFA token), parses the SAML assertion, uses the AWS STS AssumeRoleWithSAML API to get temporary credentials, and saves these in the CLI credentials file.

Troubleshooting

The nature of browser automation with Puppeteer means the solution is a bit brittle. A minor change on the Microsoft side could break the tool. If something isn't working, you can fall back to GUI mode (above). To debug an issue, you can run in debug mode (--mode debug) to see the GUI while aws-azure-auth tries to populate it. You can also have the tool print more detail about what it is trying to do in order to diagnose the problem. aws-azure-auth uses the Node debug module to print debug info; just set the DEBUG environment variable to 'aws-azure-auth'. On Linux/OS X:

DEBUG=aws-azure-auth aws-azure-auth

On Windows:

set DEBUG=aws-azure-auth
aws-azure-auth

Support for Other Authentication Providers

Obviously, this tool only supports Azure AD as an identity provider. However, logins with other providers would work very similarly (especially if they are SAML providers). If you are interested in building support for a different provider, let me know. It would be great to build a more generic AWS CLI login tool with plugins for the various providers.