
Releases: vwal/awscli-mfa

Bug fix & code polishing release

19 Nov 07:43
9f52b6b

This release addresses the following issues:

  • Roles are now invalidated/not invalidated correctly.
  • Display for the cross-account roles is now accurate.
  • An indicator has been added to the cross-account roles (the roles that can be identified as cross-account roles are prefixed with [x-account]).
  • Issues with MFA support for the cross-account roles have been fixed (MFA support is now always available for the cross-account roles unless explicitly advertised via SSM as not required).
  • Invalid configurations, including invalid role ARNs, are now handled and reported correctly.
  • The documentation has been updated to reflect the available SSM-advertising of x-accn role details.

Aggregated SSM lookups region

04 Nov 03:57
ed70cc4

A minor release to change the default setting for the SSM lookups. Instead of relying on the profile-specific region definitions, the default now is to use the aggregate regions set by MFA_SESSION_LENGTH_LOOKUP_REGION_OVERRIDE and XACCN_ROLE_PROPERTY_LOOKUP_REGION_OVERRIDE. The reasons for this change are:

  • The IAM accounts are global while the SSM is region-specific. So, unless you're intentionally restricting the access of the IAM users to a specific region in your AWS account, it makes sense to consolidate the information to one region for easier maintainability.

  • The region is an optional property for profiles. Even though many aws commands require it, a profile in itself is considered valid even without a region. The default aggregate region definitions ensure that the SSM lookups will always work.

However, you may want to disable the aggregate SSM lookup regions if you intentionally restrict the IAM users to specific regions, or if you're using this script in a multi-org setting where you can't control which region(s) the MFA and role information is advertised in (in such cases the lookups should rely on the region of each baseprofile).
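
The region choice described in this release note, sketched as an added example (not code from awscli-mfa): the aggregate override wins, otherwise the baseprofile's own region is used, and a profile with no region leaves the lookup with nowhere to go. The function names, the sample config, and the assumption that an empty override means "disabled" are illustrative.

```shell
#!/bin/sh
# Added example; not code from awscli-mfa. Assumption: an empty override
# means "aggregate lookup region disabled".

# Print the region of one profile from an AWS CLI config file, or nothing.
profile_region() {  # $1 = config file, $2 = profile name
  awk -v want="$2" '
    /^[ \t]*\[/ {
      name = $0
      gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
      sub(/^profile[ \t]+/, "", name)
      active = (name == want)
      next
    }
    active && /^[ \t]*region[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")
      sub(/[ \t]+$/, "")
      print
      exit
    }' "$1"
}

# Choose the region for an SSM lookup: the aggregate override wins; otherwise
# fall back to the baseprofile's own region; fail if neither exists.
resolve_lookup_region() {  # $1 = override, $2 = config file, $3 = baseprofile
  if [ -n "$1" ]; then printf '%s\n' "$1"; return 0; fi
  lookup_region=$(profile_region "$2" "$3")
  if [ -n "$lookup_region" ]; then printf '%s\n' "$lookup_region"; return 0; fi
  printf 'no SSM lookup region for profile "%s"\n' "$3" >&2
  return 1
}

# Constructed sample config: one profile with a region, one without.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
[profile dev-user]
region = eu-west-1
output = json

[profile ops-user]
output = json
EOF

for p in dev-user ops-user; do
  resolve_lookup_region "us-east-1" "$SAMPLE_CONFIG" "$p"   # aggregate region
  resolve_lookup_region "" "$SAMPLE_CONFIG" "$p" || true     # per-profile region
done
```

With the override disabled, `ops-user` has no region to fall back on, which is the case the aggregate default exists to cover.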

Cross-account roles support

02 Nov 04:45
2.7.0

This release introduces full support for the cross-account roles, including cross-account roles which require MFA to be present. SQL output for embedding into AWS-operations (such as with Redshift) was added. Some visual improvements were made; in particular, the presentation of the baseprofile-to-role relationship is now more logical. Finally, a number of bugs were fixed.

Hotfix release

27 Mar 06:07

The paths for the OS-differentiated/specific commands (some occurrences of sed and all occurrences of date) were hardcoded to force the OS-specific version. This affected macOS systems where GNU utils (coreutils and/or gnu-sed) had been installed and given a higher priority than the BSD equivalents of these commands.

Bug fix & code polishing release

26 Mar 01:49

This release fixes a number of minor issues discovered since release 2.5.0. These include:

  • Substituted all occurrences of echo with printf for more reliable output across the platforms.
  • Added support for AWS_DEFAULT_PROFILE; it's the officially supported profile selector for awscli although recent versions also support AWS_PROFILE which this script already supported previously.
  • Improved support for delegated roles. With delegated roles, the source_profile does not point to the account the role operates in.
  • Removed trailing spaces from all scripts.
  • Fixed a non-display condition when the user has one profile and one role configured.
  • Fixed the logic for the invalid_as_of tags.
  • Stubs for role profiles are now never created in the credentials files (since roles never have credentials, only role sessions do).
  • sessmax operational and guidance clarifications in various conditions (increasing and decreasing session length with and without SSM-advertised length, and with and without existing sessmax parameter).
  • Better handling of incorrectly configured source_profile for roles.
  • Various typo fixes and syntactical corrections.
  • Synced shared functions between awscli-mfa.sh and enable-disable-vmfa-device.sh.

Production release

18 Feb 20:49

This release is a stable production release.

Included are minor corrections, fixes, and enhancements. The bug fixes mainly affect the script use in the WSL bash environment, while the enhancements add guards for edge cases and provide some additional information in the UI.

  • source-this-to-clear-AWS-envvars.sh wasn't displaying effective parameters correctly. This was due to bash/zsh difference and has been fixed.
  • Since source-this-to-clear-AWS-envvars.sh is to be sourced and currently operates in the global namespace, its local variables were namespaced. In the future, the operation may be wrapped in a function with local vars while the global environment effect is then applied at the end of the script.
  • In WSL bash the presence of the wslpath command is now checked for. It was introduced in Windows 10 build 17046. If the required command is not present, the script now exits and prompts the user to bring Windows patches up to date.
  • The IAM name and the account ID/alias are now displayed for the selected profile in the quick mode.
  • awscli-mfa.sh and source-this-to-clear-AWS-envvars.sh now have an AWS API reachability check; if the API is not reachable, the script exits with an error message, thus preventing the profiles from being marked "invalid" when the connectivity is unavailable.
  • BUGFIX: the acquired mfa/role session region and output format were not persisted (a regression bug).

Bugfix release

10 Feb 06:02

Bug fix release.

  • Various edge case bugs fixed, including '--profile' / 'AWS_PROFILE=' precedence issue, invalid role session detection, and missing explicit envvar anchors issue.
  • Monochrome mode added for terminals which have difficulty displaying color attributes in a somewhat visible way.

Dynamic session length lookup & automatic vMFA Arn add/remove + lots of other improvements and fixes

02 Feb 20:23

This is a stable release and includes a number of improvements:

  • vMFA Arn is now automatically added to and removed from the config when a vMFA is added to/removed from the profile so that the profile is instantly usable also in the quick mode
  • Dynamic session length lookup from SSM Parameter Store parameter
  • Script version check
  • Semantic versioning comparison works now
  • Updated example IAM policies
  • Removed SMS MFA support (AWS discontinued it)
  • source-this-to-clear-AWS-envvars.sh was rewritten to be more informative
  • A large number of edge-case bug fixes
  • A large number of output clarifications and formatting improvements

Root MFA session support; JIT selected profile check (quick mode); bug fixes

27 Jan 09:48

This release fixes some edge-case bugs and adds support for AWS root account MFA profiles. The selected base/root profile is also now validated upon selection in quick mode.

Companion script update

22 Jan 21:35

In addition to minor, mostly cosmetic fixes to awscli-mfa.sh, this release introduces the fully rewritten enable-disable-vmfa-device.sh script. It follows the same patterns as the awscli-mfa.sh rewrite; the most important items are:

  • default profile is not required
  • The new session expiration pattern is observed (this change in awscli-mfa.sh broke the old version of enable-disable-vmfa-device.sh and prompted this rewrite)
  • Roles are ignored (the old version of awscli-mfa.sh did not support roles, and so the presence of role profiles wasn't an issue previously; now they are properly handled)
  • Windows Subsystem for Linux bash support
  • seed string based vMFA setup (using Authy app) for Linux workstations without a GUI
  • better visual representation