All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog. This project adheres to Semantic Versioning with the exception of version 0 as we find our footing. Only changes to the application should be logged here. Repository maintenance, tests, and other non application changes should be excluded.
Notes for upgrading...
Version 0.8.0 adds support for Firefox containers, support for Windows Command Prompt and PowerShell, and improved shell history support when dropping into sub-shells (the kion stak command). Firefox container support adds the ability to federate into multiple AWS accounts at the same time for more advanced workflows. Note that Firefox container support requires the Open external links in a container add-on as well as an update to your ~/.kion.yml configuration file. See the repo README.md for more details. A big thank you to @joraff and @mjburling for help with development and testing!
- Added support for Firefox containers [/pull/72]
- Added support for Windows Command Prompt and PowerShell [/pull/72]
- Configured subshells to pull and set
HISTFILEin zsh [/pull/70]
- Exit non-zero if an error is encountered [/pull/65]
Version 0.7.0 adds flag support to console federation, addresses a bug that presented when using paths with AWS IAM roles, and adds a method for keeping your Kion password in encrypted storage (eg the system keyring).
- Added support for flags (account alias/number and car) to console federation [/pull/61]
- Added support for storing login password in encrypted storage [/pull/53]
- Console federation bug when using AWS IAM roles containing a path [/pull/60]
Version 0.6.0 adds support for account aliases coming in Kion 3.9.9 and 3.10.2. Account aliases are globally unique user defined identifiers for accounts stored in Kion. Aliases can be used with the stak and run commands instead of specifying account numbers.
- Added support for account aliases [/pull/51]
This release changes how caching is handled for Gnome users. After upgrading a new empty cache in the default login keyring will be used. The old kion-cli keyring can be safely removed.
- Updated keyring config for Gnome Wallet (libsecret) to use the default
loginkeyring [/pull/49]
- Patched the package
github.com/dvsekhvalnov/jose2goto version 1.6.0 to address Dependabot security findings [/pull/48]
SAML Authentication is now supported for Kion versions < 3.8.0. No additional configuration is required for use, see README.md for details on SAML authentication with the CLI.
- A new version constraint will switch between SAML authentication behaviors based on the target Kion version. [/pull/46]
You can now use Kion CLI with multiple instances of Kion through the use of configuration profiles or by pointing to alternate configuration files. Here are some usage examples:
# point to another configuration file
KION_CONFIG=~/.kion.development.yml kion stak
# use a 'development' profile within your ~/.kion.yml configuration file
kion --profile development fav sandboxA configuration file for the profile usage example above would look something like this:
# default profile if none specified
kion:
url: https://kion.mycompany.com
api_key: "app_123"
favorites:
- name: production
account: "232323232323"
cloud_access_role: ReadOnly
# alternate profiles called with the global `--profile [name]` flag
profiles:
development:
kion:
url: https://dev.kion.mycompany.com
api_key: "app_abc"
favorites:
- name: sandbox
account: "121212121212"
cloud_access_role: Admin- Users can now set a custom config file with the
KION_CONFIGenvironment variable [/pull/42] - Users can define profiles to use Kion CLI with multiple Kion instances [/pull/42]
- Created a
utilcommand andflush-cachesubcommand to flush the cache [/pull/42]
- Corrected an issue where the Kion CLI configuration file was not actually optional [/pull/42]
- Federating into the web console is now handled without iframes or javascript [/pull/40]
Caching and AWS credential_process support has been added to the Kion CLI! See the AWS docs HERE for more information as well as the README.md document in this repo for examples on how to use Kion CLI as a credential provider.
Kion CLI will now use cached STAKs by default to improve performance and reduce the number of calls to Kion. STAKs will be considered as valid for 15 minutes unless Kion reports back a longer STAK duration. Note that Kion is expected to start returning the duration of a STAK along with the STAK itself starting on versions 3.6.29, 3.7.19, 3.8.13, and 3.9.5.
The cache will be stored in the system's keychain, and depending on your operating system, you may be prompted to allow Kion CLI to access the cache entry on your first run.
Cached STAKs will be used by default unless:
- Caching is disabled via the
--disable-cacheglobal flag - Caching is disabled in the
~/.kion.ymlconfiguration file by settingkion.disable_cache: true - The credential has less than 5 seconds left and Kion CLI is being used as an AWS credential provider
- The credential has less than 5 seconds left and Kion CLI is being used to run an ad hoc command
- The credential has less than 5 minutes left and Kion CLI is being used to print keys
- The credential has less than 5 minutes left and Kion CLI is being used to create an authenticated subshell
- The credential has less than 10 minutes left and Kion CLI is being used to create an AWS configuration profile
Lastly, the following environment variables will no longer be set when using the run command to execute ad hoc commands:
KION_ACCOUNT_NUM
KION_ACCOUNT_ALIAS
KION_CAR- Support to use Kion CLI as a credential process subsystem for AWS profiles [/pull/38]
- Add caching for faster operations [/pull/38]
- SAML tokens are now cached for 9.5 minutes [/pull/39]
- Kion session data has moved from the
~/.kion.ymlconfiguration file to the cache [/pull/39]
KION_*env variables removed from subshell environments when using theruncommand [/pull/38]
- Corrected version number when running
--versionflag [/pull/36]
- Print metadata to stdout when federating into web consoles [/pull/20]
- Add flags to support headless runs [/pull/22]
- Fallback logic for users with restricted perms when using the
runcmd [/pull/22] - Logic to accommodate users with cloud access only permissions [/pull/24]
- STAK selection wizard now includes project and car IDs and account numbers [/pull/24]
- Automate AWS logout before federating into the AWS console [/pull/25]
- Support defining region on favorites or via flag [/pull/26]
- Support for old
ctkeyusage by adding compatibility commands [/pull/28] - Ability to save short-term access keys to an AWS credentials profile [/pull/28]
- Add support for windows when printing STAKs for export [/pull/28]
- Renamed
access_typevalues for clarity [/pull/11] - Improve logic around web federation [/pull/21]
- Dynamically output account name info if available [/pull/22]
- Fix unexpected EOF when creating Bash subshells [/pull/14]
- Improve CAR selection logic and usage wording [/pull/19]
- Fix SAML auth around private network access checks [/pull/23]
- Fixed automated logouts of AWS console sessions on Firefox [/pull/31]
- Web console access! [/pull/10]
- Add workaround for users with
Browse Project - Minimalpermissions [/pull/8] - Ensure STAK output can be eval'd [/pull/1]
Initial release.