feat: phase auth aws iam (#262)

* refactor: rename get_default_user_id to get_default_account_id and add deprecation notice

- Renamed the function `get_default_user_id` to `get_default_account_id` for clarity and to better reflect its purpose.
- Updated the function's docstring to indicate it now handles both user accounts and service accounts.
- Added a deprecated version of `get_default_user_id` that calls the new function for backward compatibility.

* refactor: update keyring service name to use account ID

- Replaced the usage of `get_default_user_id` with `get_default_account_id` in the keyring service name generation for improved clarity and consistency with recent changes.

* fix: handle missing email for default user in whoami command

- Updated the whoami command to display 'N/A (Service Account)' if the default user's email is not available, improving clarity for service accounts.
- Renamed 'User ID' to 'Account ID' for consistency with recent changes.

* refactor: update user switch functionality for consistency

- Changed terminology from 'User ID' to 'Account ID' for clarity.
- Updated email handling to display 'Service Account' when applicable.
- Adjusted prompts and error messages to reflect the new account terminology.

* refactor: replace user ID references with account ID in logout functionality

- Updated the logout functionality to use `get_default_account_id` instead of `get_default_user_id` for consistency with recent changes.
- Adjusted keyring password deletion and configuration updates to reflect the new account terminology.

* refactor: remove unused user ID reference in import_env.py

- Eliminated the import of `get_default_user_id` from `phase_cli.utils.misc` as it is no longer needed, streamlining the code for better clarity and consistency.

* refactor: enhance token-based authentication flow

- Updated the authentication process to support both Personal Access Tokens (PATs) and Service Account Tokens, improving flexibility.
- Introduced checks for the PHASE_HOST environment variable to allow headless operation.
- Replaced user ID references with account ID for consistency across the authentication flow.
- Enhanced error handling and user prompts to accommodate service accounts and ensure clarity in user interactions.

* refactor: enhance authentication flow for Personal Access Tokens

- Added support for Personal Access Tokens (PATs) by prompting for user email when a PAT is detected.
- Improved handling of unknown token formats to ensure user email is requested for clarity and safety.
- Streamlined the authentication process to accommodate both PATs and Service Account Tokens.

* chore(deps): add boto3 and botocore dependencies

- Added boto3 and botocore to requirements.txt to support AWS service integration.
- Specified minimum versions for both libraries to ensure compatibility.

* feat(auth): implement web-based and token-based authentication

- Introduced a new authentication module with support for web-based and token-based authentication methods.
- Added an HTTP server to handle authentication requests and process user credentials securely.
- Enhanced user experience by providing clear prompts for both Personal Access Tokens and AWS IAM credentials.
- Integrated error handling and logging for improved feedback during the authentication process.

* refactor: remove print_phase_links function from misc.py

- Eliminated the print_phase_links function to streamline the codebase and improve clarity.
- This function was previously responsible for displaying a welcome message and links to community resources.

* feat(auth): add AWS IAM authentication module

- Introduced a new module for AWS IAM authentication, enabling integration with Phase API.
- Implemented functions to sign requests and authenticate using AWS credentials.
- Added support for custom STS endpoints and region resolution.
- Enhanced error handling for missing AWS credentials and authentication failures.

* feat(auth): enhance authentication options with AWS IAM support

- Updated the authentication command to include AWS IAM as a mode of authentication.
- Added a new argument for Service Account ID, required when using AWS IAM mode.
- Adjusted the phase_auth function call to accommodate the new service_account_id parameter.

* chore(deps): update botocore version in requirements.txt

- Changed the minimum version of botocore to 1.40.17 for improved compatibility with AWS services.
- Removed the specific version constraint for boto3 to allow for more flexibility in dependency resolution.

* refactor(auth): streamline AWS session handling in authentication module

- Replaced boto3 session initialization with botocore's get_session for improved compatibility and flexibility.
- Enhanced region resolution by incorporating environment variable support for AWS_DEFAULT_REGION.
- Updated credential retrieval to ensure consistent handling of AWS credentials across the authentication process.

* refactor(auth): simplify region and endpoint resolution in AWS authentication

- Refactored the `resolve_region_and_endpoint` function to eliminate unnecessary parameters and improve clarity.
- Integrated botocore's `Config` for better handling of AWS region detection.
- Removed the custom STS endpoint parameter from the `perform_aws_iam_auth` function to streamline the authentication process.

* feat(auth): add optional TTL parameter for AWS IAM authentication

- Updated the `phase_auth` function to include an optional `ttl` parameter for specifying token time-to-live in seconds when using AWS IAM mode.
- Adjusted the call to `perform_aws_iam_auth` to pass the new `ttl` argument, enhancing flexibility in token management.

* refactor(logout): replace print statements with rich console output

- Updated the logout functionality to use the rich console for better error handling and user feedback.
- Enhanced messages for logging out, purging data, and configuration errors to improve clarity and user experience.

* feat(auth): update authentication command to support external identities and TTL

- Modified the `auth` command to include a new argument for Service Account ID, clarifying its use for external identities.
- Added an optional `ttl` parameter for specifying token time-to-live, enhancing flexibility in token management during authentication.
- Updated the `phase_auth` function call to accommodate the new `ttl` argument.

* feat(auth): add no-login option to phase_auth function

- Introduced a new `no_login` parameter to the `phase_auth` function, allowing users to bypass the login process and print raw AWS IAM authentication results directly.
- Updated the function's logic to handle the new parameter, enhancing flexibility for users who may want to view authentication results without logging in.

* feat(auth): enhance authentication command with no-login option

- Added a `--no-login` argument to the authentication command, allowing users to print authentication tokens directly to stdout without logging in, specifically for external identity modes like aws-iam.
- Updated the `phase_auth` function call to incorporate the new `no_login` parameter, improving user experience and flexibility in authentication processes.

* chore: bump version to 1.20.0 in APKBUILD and const.py

* feat(auth): rename no-login option to no-store for clarity

- Updated the `--no-login` argument to `--no-store` in the authentication command, clarifying its purpose to print authentication token responses without storing credentials.
- Adjusted the `phase_auth` function to reflect this change, enhancing the user experience and understanding of the authentication process.

* chore: reset changes from bad rebase

* feat: use consistent routing pattern

* chore: remove phase cloud / self-hosted host switcher

* feat: add AWS IAM authentication support to Phase API

- Introduced a new function `external_identity_auth_aws` for authenticating with Phase using AWS IAM credentials.
- Added a utility function `b64_str` for Base64 encoding strings, used in the authentication payload.
- Enhanced error handling for SSL and connection errors during the authentication process.

* refactor: streamline AWS IAM authentication flow

- Removed the `authenticate_with_phase` function and replaced it with `external_identity_auth_aws` for improved clarity and modularity.
- Updated parameter names in `perform_aws_iam_auth` for consistency.
- Simplified the authentication process by leveraging the new utility function for AWS IAM credentials.

* fix: update parameter naming in AWS IAM authentication call

- Changed the parameter name in the `perform_aws_iam_auth` function call for clarity and consistency, aligning with recent refactoring efforts.

* chore: bump version to 1.21.0 in APKBUILD and const.py

* fix: remove unused import of PHASE_CLOUD_PUBLIC_API_HOST from misc.py

* feat: add AWS configuration constants for STS endpoint and region

- Introduced AWS_DEFAULT_GLOBAL_STS_ENDPOINT and AWS_DEFAULT_GLOBAL_STS_REGION constants to facilitate AWS service integration.
- Updated PHASE_CLOUD_API_HOST for clarity in configuration management.

* refactor: replace hardcoded STS endpoint and region with constants

- Updated the `resolve_region_and_endpoint` function to utilize the newly introduced `AWS_DEFAULT_GLOBAL_STS_ENDPOINT` and `AWS_DEFAULT_GLOBAL_STS_REGION` constants for improved maintainability and clarity.

* fix: update AWS IAM authentication URL for external identities

- Changed the endpoint in the `external_identity_auth_aws` function to reflect the correct routing for external identity authentication with AWS IAM.

* fix: add trailing slash

Signed-off-by: rohan <[email protected]>

* fix: ensure CLI exits successfully with no arguments

- Added a check to display top-level help and exit with code 0 when no arguments are provided to the CLI.
- This serves as a temporary fix to improve user experience.

* fix: improve error handling in phase_auth function

- Updated the phase_auth function to exit with code 2 when required parameters are missing or invalid, enhancing user experience and preventing further execution in error scenarios.

---------

Signed-off-by: rohan <[email protected]>
Co-authored-by: rohan <[email protected]>

Author: nimish-ks

APKBUILD

@@ -1,6 +1,6 @@
 # Maintainer: Phase <[email protected]>
 pkgname=phase
-pkgver=1.20.0
+pkgver=1.21.0
 pkgrel=0
 pkgdesc="Phase CLI"
 url="https://phase.dev"

phase_cli/cmd/auth/__init__.py

@@ -10,10 +10,11 @@
 import base64
 import time, random
 import questionary
-from phase_cli.utils.misc import open_browser, validate_url, print_phase_links
+from phase_cli.utils.misc import open_browser, validate_url
 from phase_cli.utils.crypto import CryptoUtils
 from phase_cli.utils.phase_io import Phase
 from phase_cli.utils.const import PHASE_SECRETS_DIR, PHASE_CLOUD_API_HOST
+from phase_cli.cmd.auth.aws import perform_aws_iam_auth
 from rich.console import Console
 
 class SimpleHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
@@ -93,9 +94,9 @@ def do_POST(self):
     return httpd
 
 
-def phase_auth(mode="webauth"):
+def phase_auth(mode="webauth", service_account_id=None, ttl=None, no_store=False):
     """
-    Handles authentication for the Phase CLI using either web-based or token-based authentication.
+    Handles authentication for the Phase CLI using web-based, token-based, or AWS IAM authentication.
 
     If a user is already authenticated, the function will notify the user of their logged-in status and provide instructions for logging out and logging back in.
 
@@ -114,8 +115,16 @@ def phase_auth(mode="webauth"):
         - Asks the user for their email and personal access token.
         - Validates the credentials and writes them to the keyring.
 
+    For aws-iam:
+        - Uses AWS IAM credentials to authenticate with Phase.
+        - Requires a service account ID to be provided.
+        - Signs an AWS STS GetCallerIdentity request and sends it to Phase for verification.
+        - Receives a Phase token in response and stores it in the keyring.
+
     Args:
-        - mode (str): The mode of authentication to use. Default is "webauth". Can be either "webauth" or "token".
+        - mode (str): The mode of authentication to use. Default is "webauth". Can be either "webauth", "token", or "aws-iam".
+        - service_account_id (str): Required for aws-iam mode. The service account ID to authenticate with.
+        - ttl (int): Optional for aws-iam mode. Token TTL in seconds.
 
     Returns:
         None
@@ -125,8 +134,66 @@ def phase_auth(mode="webauth"):
 
     server = None
     try:
-        # Choose the authentication mode: webauth (default) or token-based.
-        if mode == 'token':
+        # Choose the authentication mode: webauth (default), token-based, or aws-iam.
+        if mode == 'aws-iam':
+            # AWS IAM authentication
+            if not service_account_id:
+                console.log("Error: --service-account-id is required when using --mode aws-iam")
+                sys.exit(2)
+            
+            # Check if PHASE_HOST environment variable is set for headless operation
+            PHASE_API_HOST = os.getenv("PHASE_HOST")
+            
+            if PHASE_API_HOST:
+                console.log(f"Using PHASE_HOST environment variable: {PHASE_API_HOST}")
+            else:
+                # Interactive mode: ask user to choose instance type
+                phase_instance_type = questionary.select(
+                    'Choose your Phase instance type:',
+                    choices=['☁️  Phase Cloud', '🛠️  Self Hosted']
+                ).ask()
+
+                if not phase_instance_type:
+                    console.log("\nExiting phase...")
+                    return
+
+                if phase_instance_type == '🛠️  Self Hosted':
+                    PHASE_API_HOST = questionary.text("Please enter your host (URL eg. https://example.com/path):").ask()
+                    if not PHASE_API_HOST:
+                        console.log("\nExiting phase...")
+                        return
+                else:
+                    PHASE_API_HOST = PHASE_CLOUD_API_HOST
+
+            # Perform AWS IAM authentication
+            try:
+                console.log("Authenticating with AWS IAM credentials...")
+                aws_result = perform_aws_iam_auth(host=PHASE_API_HOST, service_account_id=service_account_id, ttl=ttl)
+                
+                # Extract the token from the AWS auth response
+                auth_data = aws_result.get("authentication", {})
+                auth_token = auth_data.get("token")
+                
+                if not auth_token:
+                    raise ValueError("No token received from AWS IAM authentication")
+                
+                console.log("AWS IAM authentication successful")
+                
+                # If user requested no-store, print raw result and exit early
+                if no_store:
+                    print(json.dumps(aws_result, indent=4))
+                    return
+                
+                # Validate the token with Phase API by initializing Phase client
+                phase = Phase(init=False, pss=auth_token, host=PHASE_API_HOST)
+                result = phase.auth()
+                user_email = None  # Service accounts don't have emails
+                
+            except Exception as e:
+                console.log(f"AWS IAM authentication failed: {e}")
+                return
+            
+        elif mode == 'token':
             # Manual token-based authentication
             # Check if PHASE_HOST environment variable is set for headless operation
             PHASE_API_HOST = os.getenv("PHASE_HOST")
@@ -148,6 +215,7 @@ def phase_auth(mode="webauth"):
                     PHASE_API_HOST = questionary.text("Please enter your host (URL eg. https://example.com/path):").ask()
                     if not PHASE_API_HOST:
                         console.log("\nExiting phase...")
+                        sys.exit(2)
                         return
                 else:
                     PHASE_API_HOST = PHASE_CLOUD_API_HOST
@@ -206,6 +274,7 @@ def phase_auth(mode="webauth"):
 
             if not validate_url(PHASE_API_HOST):
                 console.log("Invalid URL. Please ensure you include the scheme (e.g., https) and domain. Keep in mind, path and port are optional.")
+                sys.exit(2)
                 return
 
             # Start an HTTP web server at a random port and spin up the keys.
@@ -306,11 +375,9 @@ def phase_auth(mode="webauth"):
                 json.dump(config_data, f, indent=4)
 
             if token_saved_in_keyring:
-                print("\033[1;32m✅ Authentication successful.\033[0m")
+                console.print("[bold green]✅ Authentication successful.[/bold green]")
             else:
-                print("\033[1;32m✅ Authentication successful.\033[0m")
-            print("\033[1;36m🎉 Welcome to Phase CLI!\033[0m\n")
-            print_phase_links()
+                console.print("[bold green]✅ Authentication successful.[/bold green]")
 
         else:
             console.log("Failed to authenticate with the provided credentials.")
@@ -321,4 +388,4 @@ def phase_auth(mode="webauth"):
         sys.exit(1)
     finally:
         if server:
-            server.shutdown()
+            server.shutdown()

phase_cli/cmd/auth.py renamed to phase_cli/cmd/auth/auth.py

@@ -0,0 +1,68 @@
+from botocore.awsrequest import AWSRequest
+from botocore.auth import SigV4Auth
+from botocore.credentials import get_credentials
+from botocore.session import get_session
+from botocore.config import Config
+from phase_cli.utils.network import external_identity_auth_aws
+from phase_cli.utils.const import AWS_DEFAULT_GLOBAL_STS_REGION, AWS_DEFAULT_GLOBAL_STS_ENDPOINT
+
+
+def resolve_region_and_endpoint() -> tuple[str, str]:
+    session = get_session()
+    aws_region = session.get_config_variable('region')
+    if not aws_region:
+        try:
+            client_config = Config(region_name=None)
+            session.create_client('sts', config=client_config)
+            aws_region = session.get_config_variable('region')
+        except Exception:
+            pass
+
+    if aws_region:
+        return aws_region, f"https://sts.{aws_region}.amazonaws.com"
+
+    # Fallback to legacy global endpoint, sign with us-east-1
+    return AWS_DEFAULT_GLOBAL_STS_REGION, AWS_DEFAULT_GLOBAL_STS_ENDPOINT
+
+
+def sign_get_caller_identity(region: str, endpoint: str, method: str = "POST") -> tuple[str, dict, str]:
+    """
+    Returns (signed_url, signed_headers, body) for GetCallerIdentity.
+    Uses header-based SigV4 (includes X-Amz-Date header).
+    """
+    # STS Query API (Action=GetCallerIdentity&Version=2011-06-15)
+    body = "Action=GetCallerIdentity&Version=2011-06-15"
+    headers = {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}
+
+    session = get_session()
+    creds = session.get_credentials()
+    if creds is None:
+        raise SystemExit("No AWS credentials found. On EC2, attach an instance profile or set AWS_* env vars.")
+
+    frozen = creds.get_frozen_credentials()
+    req = AWSRequest(method=method, url=endpoint, data=body, headers=headers)
+    SigV4Auth(frozen, "sts", region).add_auth(req)
+    prepared = req.prepare()
+
+    signed_url = prepared.url
+    signed_headers = dict(prepared.headers.items())
+    return signed_url, signed_headers, body
+
+
+def perform_aws_iam_auth(host: str, service_account_id: str, ttl: int | None = None, method: str = "POST"):
+    """
+    Perform complete AWS IAM authentication flow with Phase.
+    
+    Args:
+        host: Phase API base URL
+        service_account_id: Service Account ID to authenticate (UUID)
+        ttl: Requested token TTL in seconds (optional)
+        method: HTTP method to sign (default: POST)
+    
+    Returns:
+        dict: Authentication response from Phase API containing token
+    """
+    region, endpoint = resolve_region_and_endpoint()
+    signed = sign_get_caller_identity(region=region, endpoint=endpoint, method=method)
+    result = external_identity_auth_aws(host, service_account_id, ttl, signed, method=method)
+    return result

phase_cli/cmd/auth/aws.py

@@ -5,7 +5,9 @@
 import keyring
 from phase_cli.utils.const import PHASE_SECRETS_DIR, CONFIG_FILE
 from phase_cli.utils.misc import get_default_account_id
+from rich.console import Console
 
+console = Console(stderr=True)
 def save_config(config_data):
     """Saves the updated configuration data to the config file."""
     with open(CONFIG_FILE, 'w') as f:
@@ -24,16 +26,16 @@ def phase_cli_logout(purge=False):
             # Delete PHASE_SECRETS_DIR if it exists
             if os.path.exists(PHASE_SECRETS_DIR):
                 shutil.rmtree(PHASE_SECRETS_DIR)
-                print("Logged out and purged all local data.")
+                console.print("Logged out and purged all local data.")
             else:
-                print("No local data found to purge.")
+                console.print("No local data found to purge.")
         except ValueError as e:
-            print(e)
+            console.log(f"Error: {e}")
             sys.exit(1)
     else:
         # Load the existing config to update it
         if not os.path.exists(config_file_path):
-            print("No configuration found. Please run 'phase auth' to set up your configuration.")
+            console.log("Error: No configuration found. Please run 'phase auth' to set up your configuration.")
             sys.exit(1)
 
         with open(config_file_path, 'r') as f:
@@ -53,6 +55,6 @@ def phase_cli_logout(purge=False):
                 config_data['default-user'] = config_data['phase-users'][0]['id']
 
             save_config(config_data)
-            print("Logged out successfully.")
+            console.print("Logged out successfully.")
         else:
-            print("No default user in configuration found. Please run 'phase auth' to set up your configuration.")
+            console.log("Error: No default user in configuration found. Please run 'phase auth' to set up your configuration.")

phase_cli/cmd/users/logout.py

@@ -14,7 +14,7 @@
 from phase_cli.cmd.run import phase_run_inject
 from phase_cli.cmd.shell import phase_shell
 from phase_cli.cmd.init import phase_init
-from phase_cli.cmd.auth import phase_auth
+from phase_cli.cmd.auth.auth import phase_auth
 from phase_cli.cmd.secrets.list import phase_list_secrets
 from phase_cli.cmd.secrets.get import phase_secrets_get
 from phase_cli.cmd.secrets.export import phase_secrets_env_export
@@ -107,7 +107,10 @@ def main ():
 
         # Auth command
         auth_parser = subparsers.add_parser('auth', help='💻 Authenticate with Phase')
-        auth_parser.add_argument('--mode', choices=['token', 'webauth'], default='webauth', help='Mode of authentication. Default: webauth')
+        auth_parser.add_argument('--mode', choices=['token', 'webauth', 'aws-iam'], default='webauth', help='Mode of authentication. Default: webauth')
+        auth_parser.add_argument('--service-account-id', type=str, help='Service Account ID for when using external identities for authentication.')
+        auth_parser.add_argument('--ttl', type=int, help='Token TTL in seconds for tokens created using external identities.')
+        auth_parser.add_argument('--no-store', action='store_true', help='For external identity modes (e.g., aws-iam): print authentication token response to stdout without storing credentials or setting a default user.')
 
         # Init command
         init_parser = subparsers.add_parser('init', help='🔗 Link your project with your Phase app')
@@ -359,10 +362,18 @@ def main ():
         if sys.platform == "linux":
             update_parser = subparsers.add_parser('update', help='🆙 Update the Phase CLI to the latest version')
 
+        # If no arguments are provided, show top-level help and exit successfully (code 0)
+        # TODO: This is a temporary fix to ensure the CLI exits successfully when no arguments are provided.
+        if len(sys.argv) == 1:
+            print(description)
+            print(phaseASCii)
+            parser.print_help()
+            sys.exit(0)
+
         args = parser.parse_args()
 
         if args.command == 'auth':
-            phase_auth(args.mode)
+            phase_auth(args.mode, service_account_id=args.service_account_id, ttl=args.ttl, no_store=args.no_store)
             sys.exit(0)
         elif args.command == 'init':
             phase_init()

phase_cli/main.py

@@ -1,7 +1,7 @@
 import os
 import re
 
-__version__ = "1.20.0"
+__version__ = "1.21.0"
 __ph_version__ = "v1"
 
 description = (
@@ -33,8 +33,12 @@
     PHASE_SECRETS_DIR, "config.json"
 )  # Holds local user account configurations
 
+
 PHASE_CLOUD_API_HOST = "https://console.phase.dev"
-PHASE_CLOUD_PUBLIC_API_HOST = "https://api.phase.dev"
+
+# AWS Config
+AWS_DEFAULT_GLOBAL_STS_ENDPOINT = "https://sts.amazonaws.com"
+AWS_DEFAULT_GLOBAL_STS_REGION = "us-east-1"
 
 pss_user_pattern = re.compile(
     r"^pss_user:v(\d+):([a-fA-F0-9]{64}):([a-fA-F0-9]{64}):([a-fA-F0-9]{64}):([a-fA-F0-9]{64})$"