Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

The --skip-prompt option should prompt for a password if not specified with --password #101

Open fgimian opened 6 years ago

fgimian commented 6 years ago

It is undesirable to use the --password option due to safety, but --skip-prompt is at least useful to skip the Username prompt. However, this is what happens:

fots > ~ $ saml2aws --skip-prompt -a fots login
Using IDP Account amp to access KeyCloak https://...
Authenticating as fots ...
Empty password
error validating login details
github.com/versent/saml2aws/cmd/saml2aws/commands.Login
        /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:65
main.main
        /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:95
runtime.main
        /usr/local/Cellar/go/1.9.2/libexec/src/runtime/proc.go:195
runtime.goexit
        /usr/local/Cellar/go/1.9.2/libexec/src/runtime/asm_amd64.s:2337

This works as expected for the MFA token input with the --skip-prompt option:

fots > ~ $ saml2aws --skip-prompt --password=pass123 -a fots login
Using IDP Account amp to access KeyCloak https://...
Authenticating as fots ...

Security Token [000000]
:

Cheers Fotis

chamila-c commented 6 years ago

I think this would be a good opportunity to clarify the use cases for which --skip-prompt is intended.

One scenario where the current behaviour has been desirable is with automation scripts that need to run without human intervention: often in these cases, it's useful to have the command fail rather than hang on a prompt.

The other factor that may need consideration is the (admittedly, not all that well documented) ability to use a SAML2AWS_PASSWORD environment variable to supply the password instead of the command line flag, making it possible to avoid prompting while also not having to use the --password option on the command line.

torbenkohlmeier commented 1 month ago

I would also like to have an option to skip the username prompt. Sometimes I accidentally start typing my password when the username is prompted, which is then visible in cleartext. This might happen while sharing my screen, which would be really bad. Having an option to skip the username prompt would prevent this. This could even be the default behavior. Why are you prompted to enter a username if it is already given in the command line?
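
The workaround raised in the thread, as an added example that is not part of the original issue or of the saml2aws code base: a POSIX shell wrapper that supplies the password through SAML2AWS_PASSWORD instead of --password, reads it without echo on a terminal, and fails rather than hangs when there is no terminal. The function name `saml2aws_login` and the `SAML2AWS_BIN` override are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not saml2aws code. saml2aws_login and SAML2AWS_BIN are
# hypothetical names; --skip-prompt, -a, login and SAML2AWS_PASSWORD are
# taken from the thread above.

# The body runs in a subshell "( ... )", so the password variable never
# exists in the calling shell and "exit" only leaves the subshell.
saml2aws_login() (
    account="$1"
    bin="${SAML2AWS_BIN:-saml2aws}"
    pw="${SAML2AWS_PASSWORD:-}"

    if [ -z "$account" ]; then
        echo "usage: saml2aws_login <idp-account>" >&2
        exit 2
    fi

    if [ -z "$pw" ]; then
        if [ -t 0 ]; then
            # Interactive: turn terminal echo off while the password is typed,
            # and restore it even if the read is interrupted.
            printf 'Password for IDP account %s: ' "$account" >&2
            trap 'stty echo' EXIT INT TERM
            stty -echo
            IFS= read -r pw || true
            stty echo
            echo >&2
        else
            # Automation: fail fast instead of hanging on a prompt.
            echo "SAML2AWS_PASSWORD is not set and stdin is not a terminal" >&2
            exit 3
        fi
    fi

    if [ -z "$pw" ]; then
        echo "empty password" >&2
        exit 4
    fi

    # Pass the password in the child's environment, not in argv, so it
    # does not show up in process listings or shell history.
    export SAML2AWS_PASSWORD="$pw"
    exec "$bin" --skip-prompt -a "$account" login
)
```

Source the file and run `saml2aws_login fots`; in a scheduled job, set SAML2AWS_PASSWORD from the job's secret store so the wrapper never reaches the prompt branch.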