go-aws-azure-login

Published: May 18, 2026 License: MIT Imports: 24 Imported by: 0

README

go-aws-azure-login

A command-line tool for logging into AWS using Azure Active Directory SSO authentication.

Note: This is a fork of luneo7/go-aws-azure-login.

Overview

If your organization uses Azure Active Directory for SSO login to the AWS console, this tool lets you authenticate from the command line. It handles the full Azure AD login flow (including MFA) and stores temporary AWS credentials for use with the AWS CLI and SDKs.

Installation

Download the binary from the releases page, or build from source:

go install github.com/ZhuMon/go-aws-azure-login@latest

Quick Start

  1. Configure a profile:

     go-aws-azure-login configure

  2. Log in:

     go-aws-azure-login

  3. Use AWS CLI as usual:

     aws s3 ls

Configuration

Basic Setup

Run the configuration wizard:

# Configure the default profile
go-aws-azure-login configure

# Configure a named profile
go-aws-azure-login configure -p myprofile

You'll need:

  • Azure Tenant ID - Your organization's Azure AD tenant identifier
  • App ID URI - The application ID URI for the AWS app in Azure AD

See Getting Your Tenant ID and App ID URI for help finding these values.

Environment Variables

You can set these environment variables to skip prompts:

Variable                       Description
AZURE_TENANT_ID                Azure AD tenant ID
AZURE_APP_ID_URI               Application ID URI
AZURE_DEFAULT_USERNAME         Login username
AZURE_DEFAULT_PASSWORD         Login password
AZURE_DEFAULT_ROLE_ARN         AWS role ARN to assume
AZURE_DEFAULT_DURATION_HOURS   Session duration in hours

For Okta federated logins (untested):

Variable                 Description
OKTA_DEFAULT_USERNAME    Okta username (if different from Azure)
OKTA_DEFAULT_PASSWORD    Okta password (if different from Azure)

Note: Okta federation support is untested in this fork.

Security tip: Use HISTCONTROL=ignoreboth and prefix commands with a space to avoid storing passwords in shell history:

HISTCONTROL=ignoreboth
 export AZURE_DEFAULT_PASSWORD=mypassword  # Note the leading space
go-aws-azure-login -no-prompt

Stay Logged In

During configuration, you can enable session persistence:

? Stay logged in: skip authentication while refreshing aws credentials (true|false)

When enabled, subsequent logins reuse session cookies to skip the username/password prompts:

go-aws-azure-login --no-prompt

Important: This feature will not work if your organization's IT policy requires MFA verification on every login. In that case, you'll still need to complete MFA each time regardless of this setting.

Usage

Basic Commands

# Login with default profile
go-aws-azure-login

# Login with a named profile
go-aws-azure-login -p myprofile

# Login with multiple profiles (comma-separated)
go-aws-azure-login -p dev,staging,prod

# Use AWS_PROFILE environment variable
AWS_PROFILE=myprofile go-aws-azure-login

# Skip prompts (uses saved/environment credentials)
go-aws-azure-login --no-prompt

# Login all configured profiles
go-aws-azure-login -a

# Force credential refresh (even if not expired)
go-aws-azure-login -f

# Batch login: continue with the next profile when one fails
go-aws-azure-login -p dev,staging,prod -k
go-aws-azure-login -a --continue-on-error

Note: The tool automatically skips login if credentials are still valid. You'll see status messages like:

  • INF Credentials still valid, skipping refresh profile=myprofile
  • INF Login successful profile=myprofile

Use -f or --force-refresh to force a new login even when credentials haven't expired.

Display Modes

# GUI mode (default) - visible browser with auto-fill
go-aws-azure-login -m gui

# CLI mode - headless browser with auto-fill
go-aws-azure-login -m cli

# Debug mode - visible browser, manual operation only (for troubleshooting)
go-aws-azure-login -m debug

Mode    Browser visible   Auto-fill
gui     Yes               Yes
cli     No                Yes
debug   Yes               No

MFA Compatibility: If your MFA requires viewing a number on screen (e.g., Microsoft Authenticator number matching), do not use CLI mode. The headless browser hides the screen, making it impossible to see the verification code. Use GUI or Debug mode instead.

Exiting

Press q + Enter to quit the program at any time. (Note: Ctrl+C may not work as it's intercepted by the browser process.)

Commands

Command      Description
login        Log in to AWS (default if no command specified)
configure    Run configuration wizard
completion   Generate shell completion script
version      Print version information

Flags

Flag                  Short   Description
--profile             -p      Profile name(s) to use (comma-separated for multiple)
--all-profiles        -a      Login all configured profiles
--force-refresh       -f      Force credential refresh
--mode                -m      Display mode: gui (default), cli, or debug
--no-prompt                   Skip interactive prompts (default: true)
--no-verify-ssl               Disable SSL verification for AWS
--disable-leakless            Disable leakless mode (troubleshooting)
--fastpass                    Use Okta FastPass verification (untested)
--system-browser              Use system browser instead of embedded
--continue-on-error   -k      In batch login, skip a failed profile and continue with the next. Process exits non-zero if any profile failed.

Automation

Refresh All Profiles

Useful for keeping credentials fresh with a cron job:

# Refresh all profiles without prompts
go-aws-azure-login -a --no-prompt

Credentials are only refreshed if they expire within 11 minutes, so running this frequently is safe.

Example cron entry (every 5 minutes):

*/5 * * * * /path/to/go-aws-azure-login -a --no-prompt

Note: This only works reliably if your organization allows session persistence. If MFA is required each login, automation is not possible.

Getting Your Tenant ID and App ID URI

Contact your Azure AD administrator for these values. If unavailable, you can extract them:

  1. Go to myapps.microsoft.com
  2. Click the AWS app tile
  3. Quickly copy the URL from the popup (format: login.microsoftonline.com/<tenant-id>/...)
  4. The GUID after login.microsoftonline.com/ is your Tenant ID
  5. Copy the SAMLRequest URL parameter
  6. Decode the URL encoding using a URL decoder
  7. Decode the SAML using a SAML decoder
  8. The Issuer value in the decoded XML is your App ID URI
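Steps 5 to 8 can be scripted. The Go program below is an added example and not part of this project: it builds a constructed SAMLRequest parameter (hypothetical Issuer value, not a real tenant's) packed the way the SAML HTTP-Redirect binding does, then undoes the URL encoding, base64 and DEFLATE to read the Issuer. The tenant ID (step 4) is the path segment after login.microsoftonline.com/ in the same URL and needs no decoding.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
)

// authnRequest keeps only the Issuer element; XML namespaces are ignored.
type authnRequest struct{ Issuer string `xml:"Issuer"` }

// sampleSAMLRequest returns a constructed SAMLRequest parameter value: a hypothetical
// AuthnRequest packed as the SAML HTTP-Redirect binding does (DEFLATE, base64, URL-encode).
func sampleSAMLRequest() string {
	const req = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">` +
		`<saml:Issuer>https://signin.aws.amazon.com/saml#example</saml:Issuer></samlp:AuthnRequest>`
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(req))
	w.Close()
	return url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes()))
}

// AppIDURIFromSAMLRequest reverses that packing (steps 6 and 7 of the procedure)
// and returns the Issuer, which is the App ID URI (step 8).
func AppIDURIFromSAMLRequest(param string) (string, error) {
	b64, err := url.QueryUnescape(param) // step 6: undo the URL encoding
	if err != nil {
		return "", err
	}
	deflated, err := base64.StdEncoding.DecodeString(b64) // step 7: base64 ...
	if err != nil {
		return "", fmt.Errorf("SAMLRequest is not base64: %w", err)
	}
	xmlBytes, err := io.ReadAll(flate.NewReader(bytes.NewReader(deflated))) // ... then inflate
	if err != nil {
		return "", fmt.Errorf("SAMLRequest is not DEFLATE: %w", err)
	}
	var req authnRequest
	if err := xml.Unmarshal(xmlBytes, &req); err != nil {
		return "", err
	}
	return req.Issuer, nil
}

func main() { fmt.Println(AppIDURIFromSAMLRequest(sampleSAMLRequest())) }
```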

Regional Support

Note: GovCloud and China region support is untested in this fork.

To use with AWS GovCloud or China regions, set the region in your ~/.aws/config:

GovCloud:

[profile govcloud]
region = us-gov-west-1
# or us-gov-east-1

China:

[profile china]
region = cn-north-1

How It Works

  1. Browser automation: Uses Rod to automate a Chromium browser
  2. Azure AD login: Navigates the Azure login flow, handling credentials and MFA
  3. SAML parsing: Extracts the SAML assertion from the Azure response
  4. AWS STS: Calls AssumeRoleWithSAML to get temporary credentials
  5. Credential storage: Saves credentials to ~/.aws/credentials
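The SAML parsing and STS steps above, as an added Go example that is not this project's code: it reads the AWS Role attribute from a constructed, already base64-decoded SAMLResponse (placeholder account ID and role names) and turns each value into the RoleArn/PrincipalArn pair that AssumeRoleWithSAML takes. Pairs written in either order are normalised, and anything else is rejected instead of being passed on to STS.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// RoleChoice holds the RoleArn and PrincipalArn that AssumeRoleWithSAML takes.
type RoleChoice struct{ RoleArn, PrincipalArn string }

// samlResponse models only the assertion's attributes; XML namespaces are ignored.
type samlResponse struct {
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"Assertion>AttributeStatement>Attribute"`
}

// Constructed sample: decoded SAMLResponse XML granting two roles; the second value lists the provider first.
const sampleSAMLResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">` +
	`<saml:Assertion><saml:AttributeStatement><saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">` +
	`<saml:AttributeValue>arn:aws:iam::123456789012:role/Dev,arn:aws:iam::123456789012:saml-provider/AzureAD</saml:AttributeValue>` +
	`<saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/AzureAD,arn:aws:iam::123456789012:role/Prod</saml:AttributeValue>` +
	`</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>`

// RolesFromSAMLResponse lists the roles the assertion permits; pairs in either order normalise to role first.
func RolesFromSAMLResponse(xmlText string) ([]RoleChoice, error) {
	var resp samlResponse
	if err := xml.Unmarshal([]byte(xmlText), &resp); err != nil {
		return nil, err
	}
	var roles []RoleChoice
	for _, a := range resp.Attributes {
		if a.Name != "https://aws.amazon.com/SAML/Attributes/Role" {
			continue
		}
		for _, v := range a.Values {
			p := strings.Split(strings.TrimSpace(v), ",")
			if len(p) == 2 && strings.Contains(p[0], ":saml-provider/") {
				p[0], p[1] = p[1], p[0] // normalise to role first
			}
			if len(p) != 2 || !strings.Contains(p[0], ":role/") || !strings.Contains(p[1], ":saml-provider/") {
				return nil, fmt.Errorf("malformed role value %q", v)
			}
			roles = append(roles, RoleChoice{RoleArn: p[0], PrincipalArn: p[1]})
		}
	}
	return roles, nil
}
```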

Troubleshooting

Browser issues

Try these flags:

  • -m debug - See what's happening in the browser
  • --disable-leakless - If you see zombie browser processes
  • --system-browser - Use your installed browser instead of embedded

MFA not working

Use -m gui to complete MFA in a visible browser window.

SSL errors

Use --no-verify-ssl if you're behind a corporate proxy with SSL inspection.

Shell Completion

Enable tab completion for commands, flags, and profile names.

Zsh (macOS)

# Generate completion script to zsh site-functions
sudo mkdir -p /usr/local/share/zsh/site-functions
go-aws-azure-login completion zsh | sudo tee /usr/local/share/zsh/site-functions/_go-aws-azure-login > /dev/null

# Clear completion cache and reload shell
rm -f ~/.zcompdump* && exec zsh

Zsh (Linux)

# Generate completion script to a directory in fpath
mkdir -p ~/.local/share/zsh/site-functions
go-aws-azure-login completion zsh > ~/.local/share/zsh/site-functions/_go-aws-azure-login

# Clear completion cache and reload shell
rm -f ~/.zcompdump* && exec zsh

Bash

# Linux
go-aws-azure-login completion bash > /etc/bash_completion.d/go-aws-azure-login

# macOS (with Homebrew)
go-aws-azure-login completion bash > $(brew --prefix)/etc/bash_completion.d/go-aws-azure-login

Fish

go-aws-azure-login completion fish > ~/.config/fish/completions/go-aws-azure-login.fish

After setup, you can use Tab to complete:

  • Commands: go-aws-azure-login <TAB> shows login, configure, completion, version
  • Flags: go-aws-azure-login --<TAB> shows available flags
  • Profiles: go-aws-azure-login -p <TAB> shows profiles from ~/.aws/config
  • Mode: go-aws-azure-login -m <TAB> shows gui, cli, debug

License

See LICENSE file.

Acknowledgments
