[895] --credential-process now implicitly sets quiet and skip-prompt …

…and will no longer save to ~/.aws/credentials

README.md

@@ -714,15 +714,22 @@ DUMP_CONTENT=true saml2aws login --verbose
 
 [Credential Process](https://github.com/awslabs/awsprocesscreds) is a convenient way of interfacing credential providers with the AWS Cli.
 
-You can use `saml2aws` as a credential provider by simply configuring it and then adding a profile to the AWS configuration. `saml2aws` has a flag `--credential-process` generating an output with the right JSON format, as well as a flag `--quiet` that will block the logging from being displayed.
-The AWS credential file (typically ~/.aws/credentials) has precedence over the credential_process provider. That means that if credentials are present in the file, the credential process will not trigger. To counter that you can override the aws credential location of `saml2aws` to another file using `--credential-file` or specifying it during `configure`.
+You can use `saml2aws` as a credential provider by simply configuring it and then adding a profile to the AWS configuration. `saml2aws` has a flag `--credential-process` generating an output with the right JSON format.
+
+The AWS credential file (typically ~/.aws/credentials) has precedence over the credential_process provider. That means that if credentials are present in the file, the credential process will not trigger.
 
 An example of the aws configuration (`~/.aws/config`):
 
 ```
 [profile mybucket]
 region = us-west-1
-credential_process = saml2aws login --skip-prompt --quiet --credential-process --role <ROLE> --profile mybucket
+credential_process = saml2aws login --credential-process --role <ROLE> --profile mybucket
+```
+
+You can add this manually or via the awscli, i.e.
+
+```
+aws configure set credential_process "saml2aws login --credential-process --role <ROLE> --profile mybucket"
 ```
 
 When using the aws cli with the `mybucket` profile, the authentication process will be run and the aws will then be executed based on the returned credentials.

cmd/saml2aws/commands/login.go

@@ -146,8 +146,22 @@ func Login(loginFlags *flags.LoginExecFlags) error {
 		if err != nil {
 			return err
 		}
+	} else {
+		err = saveCredentials(awsCreds, sharedCreds)
+		if err != nil {
+			return err
+		}
+
+		log.Println("Logged in as:", awsCreds.PrincipalARN)
+		log.Println("")
+		log.Println("Your new access key pair has been stored in the AWS configuration.")
+		log.Printf("Note that it will expire at %v", awsCreds.Expires)
+		if sharedCreds.Profile != "default" {
+			log.Println("To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile", sharedCreds.Profile, "ec2 describe-instances).")
+		}
 	}
-	return saveCredentials(awsCreds, sharedCreds)
+
+	return nil
 }
 
 func buildIdpAccount(loginFlags *flags.LoginExecFlags) (*cfg.IDPAccount, error) {
@@ -220,7 +234,7 @@ func resolveLoginDetails(account *cfg.IDPAccount, loginFlags *flags.LoginExecFla
 	// log.Printf("loginDetails %+v", loginDetails)
 
 	// if skip prompt was passed just pass back the flag values
-	if loginFlags.CommonFlags.SkipPrompt {
+	if loginFlags.CommonFlags.SkipPrompt || loginFlags.CredentialProcess {
 		return loginDetails, nil
 	}
 
@@ -348,14 +362,6 @@ func saveCredentials(awsCreds *awsconfig.AWSCredentials, sharedCreds *awsconfig.
 		return errors.Wrap(err, "Error saving credentials.")
 	}
 
-	log.Println("Logged in as:", awsCreds.PrincipalARN)
-	log.Println("")
-	log.Println("Your new access key pair has been stored in the AWS configuration.")
-	log.Printf("Note that it will expire at %v", awsCreds.Expires)
-	if sharedCreds.Profile != "default" {
-		log.Println("To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile", sharedCreds.Profile, "ec2 describe-instances).")
-	}
-
 	return nil
 }
 

cmd/saml2aws/main.go

@@ -169,7 +169,7 @@ func main() {
 		errtpl = "%+v\n"
 	}
 
-	if *quiet {
+	if *quiet || (command == cmdLogin.FullCommand() && loginFlags.CredentialProcess) {
 		log.SetOutput(ioutil.Discard)
 		logrus.SetOutput(ioutil.Discard)
 	}