v0.8.0

Open a CLI and a console at the same time with a one liner

This release adds a new -t flag to allow assuming a role in the terminal, and opening the web console at the same time:

assume -t -c

A huge thankyou to @n3s7or for contributing this feature!

Improvements to automatic profile generation

This release adds support for specifying sources to load AWS profiles from, using the --source flag. Our default source is AWS IAM Identity Center --source aws-sso, which sources profiles for all available SSO roles. This release adds support for using Common Fate as a source for roles: specifying --source cf will source profiles for all available Access Rules. This can be useful for generating profiles for privileged roles which require an access request to be made.

We'd love to hear if you have suggestions for additional profile sources - please open an issue with any ideas.

Additionally, profiles generated now use the Granted Credential Process by default. You can opt out of this behaviour by specifying --no-credential-process.

Finally, we've added support for a --prune flag:

granted sso populate --sso-region ap-southeast-2 --prune https://example.awsapps.com/start

This flag will remove any profiles which were previously generated by Granted, but no longer exist in the source Granted is reading profiles from. Thanks to @denniswebb for requesting this feature in #340.

Service list improvements

This release adds appsync to our service map, so running assume -s appsync will no longer give a warning message. Thanks again @n3s7or!

What's Changed

• added appsync to services map fixes #342 by @n3s7or in #343
• copy any none profile section from config file in Profile Registry by @Eddie023 in #339
• use kebab-case for required-key argument by @chrnorm in #354
• adds command output hint by @JoshuaWilkes in #346
• add AWS_CREDENTIAL_EXPIRATION to scripts by @JoshuaWilkes in #345
• Use MkdirAll before Create to create all parent directory by @Eddie023 in #356
• added new flag -t to assume credentials in terminal along with web co… by @n3s7or in #347
• explicitly specify IFS when reading output by @chrnorm in #352
• add '--save-to' flag by @chrnorm in #358
• remove unused dependencies by @chrnorm in #361
• AWS profile generation improvements by @chrnorm in #359

Full Changelog: v0.7.1...v0.8.0

v0.7.1

This release fixes an issue preventing the granted sso populate command from being run.

What's Changed

• Bugfix sso generate matching whitespace in templates by @JoshuaWilkes in #337

Full Changelog: v0.7.0...v0.7.1

v0.7.0

Thanks @vdesjardins for adding support for a custom template when generating profiles from SSO. Check out the docs here https://docs.commonfate.io/granted/usage/automatic-config-generation/#populate-command

Added the granted console command which allows you to generate urls or open the browser with existing credentials in the environment.

This was built for a use case where Granted can be programatically invoked to generate the console URL for a service when credentials are managed by a different application. See the example:

AWS_ACCESS_KEY_ID=example AWS_SECRET_ACCESS_KEY=example AWS_SESSION_TOKEN=example granted console --service cfn --region us-east-1 --url

What's Changed

• fix parenthese in url by @meyerjrr in #333
• generate and populate profile name with custom go template by @vdesjardins in #327
• Make sso generate/populate expected behaviour clearer by @connorads in #332
• added rotate command fixes #281 by @n3s7or in #326
• Improve first install launch questionnaire UX by @Eddie023 in #331
• Add granted console command by @JoshuaWilkes in #334
• if a profile has a session token, use it for the console by @JoshuaWilkes in #335

New Contributors

• @vdesjardins made their first contribution in #327
• @connorads made their first contribution in #332

Full Changelog: v0.6.1...v0.7.0

v0.6.1

Fixes a bug introduced in v0.6.0 where granted registry setup command was missing.

What's Changed

• Add missing registry setup cmd by @Eddie023 in #330

Full Changelog: v0.6.0...v0.6.1

v0.6.0

This release includes the updated implementation for Profile Registry based on community members feedback (thanks!). It now includes AWS profile templating for user specific values or arbitrary registry level variables 🎉
Please refer to the documents for full usage guide https://docs.commonfate.io/granted/usage/profile-registry

NOTE: If you are currently using Granted Profile Registry then you need to migrate by running the following command:

granted registry migrate

This will prompt you enter name for each registry you are subscribed to. After that you are good to go!

What's Changed

• CLI-88 Update Profile Registry Implementation by @Eddie023 in #317
• Better logging around waiting for the browser by @grantjoy in #321
• Use slash to separate account and role name in sso generate by @dserodio in #320
• Add command to list expiry status for all access token saved in the key ring by @n3s7or in #323

New Contributors

• @grantjoy made their first contribution in #321
• @n3s7or made their first contribution in #323

Full Changelog: v0.5.2...v0.6.0

v0.5.2

Configurable Firefox Container Color and Icon

Thanks @onebytegone for contributing an update that allows the color and icon of the Firefox container to be controlled in the AWS config file.

The color can be controlled using these optional fields in each profile config:

granted_color = red # blue, turquoise, green, yellow, orange, red, pink, purple
granted_icon = fruit # fingerprint, briefcase, dollar, cart, circle, gift, vacation, food, fruit, pet, tree, chill

Note

To use this feature you will need to update your granted-containers firefox extension to the latest version (v1.1.1)

Support sso-session Section in AWS Config File

Support for the new AWS SSO config format using an sso-session section has been added.

[profile example]
sso_session = example-sso
granted_sso_account_id = 123456789011
granted_sso_role_name  = AWSAdministratorAccess
region                 = ap-southeast-2
credential_process     = granted credential-process --profile example

[sso-session example-sso]
sso_region    = ap-southeast-2
sso_start_url = https://example.awsapps.com/start

What's Changed

• provide configured color and icon to granted-containers (#156) by @onebytegone in #315
• Support sso session configuration by @JoshuaWilkes in #319

Full Changelog: v0.5.1...v0.5.2

v0.5.1

What's Changed

• Added AWS services and aliases to assume by @J00MZ in #309
  • scrm: Secrets Manager
  • scrh: Security Hub
  • ses: SES
  • stepfn: Step Functions (states)
  • sns: SNS
  • tra: Trusted Advisor
• CLI-43 Throw error for mismatching profile in granted credential-process by @Eddie023 in #308
• Fix nil pointer error when using -sso on expired request by @meyerjrr in #311
• fix spelling in CONTRIBUTING.md by @onebytegone in #314

New Contributors

• @J00MZ made their first contribution in #309
• @onebytegone made their first contribution in #314

Full Changelog: v0.5.0...v0.5.1

v0.5.0

This release includes the support for Profile Registry feature as discussed in this RFD.

Profile Registries makes it easy to share AWS config files with the team members in consistent and efficient manner. It synchronizes from git repository to your default AWS config file located locally at ~/.aws/config.

You can get started here.

What's Changed

• Add security services to service map by @sbldevnet in #283
• Fix tiny typo in help and error message by @dserodio in #287
• replace grpc CLI version service with HTTPS one by @chrnorm in #286
• Refactor logging to use github.com/common-fate/clio package by @JoshuaWilkes in #292
• Use ini package for config file parsing by @JoshuaWilkes in #297
• CF-188 Add profile registry feature by @Eddie023 in #293
• CF-153 Add sanity check for granted-sso-start-url by @Eddie023 in #307

New Contributors

• @sbldevnet made their first contribution in #283
• @dserodio made their first contribution in #287

Full Changelog: v0.4.0...v0.5.0

v0.4.0

Improved IAM user credential support

Read our guide on this feature here.

This release adds support for storing IAM user credentials in secure storage with Granted (#254).
Previously, if you were using an IAM user credentials with Granted, you'd need to store them in plaintext in ~/.aws/credentials. Now, running

granted credentials import <profile name>

will import the user credentials to your system's keychain and remove the plaintext.

A big thanks to @ipmb and @eugene1g for their feature request and feedback on the feature in #178.

As part of #254 we have migrated the name of the Keyring service which stores SSO tokens from granted to granted-aws-sso-tokens. We plan on using this suffix format to store different kinds of credentials in secure storage. When storing AWS IAM user credentials, Granted uses granted-aws-iam-credentials as the Keyring service name.

Because of this change, when upgrading to v0.4.0 you may see a keychain prompt on MacOS similar to the below. You will also need to authenticate again to AWS SSO after upgrading.

New AWS service shortcuts

This release adds additional shortcuts for networking services on AWS.

assume -s vpc # opens a console to the VPC service
assume -s dx  # opens a console to the AWS Direct Connect service

A big thanks to @networkprogrammer for contributing these shortcuts.

What's Changed

• update wording of SSO command by @chrnorm in #278
• Update assumer_aws_sso.go by @jordiup in #276
• Added vpc and directconnect services by @networkprogrammer in #279
• granted credentials commands for securely storing IAM user credentials by @meyerjrr in #254
• fix Go syntax errors by @chrnorm in #282

New Contributors

• @networkprogrammer made their first contribution in #279

Full Changelog: v0.3.1...v0.4.0

v0.3.1

Fixes a regression introduced in v0.3.0 where SSO flows no longer worked on linux and Windows.

What's Changed

• use xdg-open on linux rather than open by @chrnorm in #268
• Revert to using browser.OpenURL for SSO flow default by @JoshuaWilkes in #269

Full Changelog: v0.3.0...v0.3.1