
Using locally installed browser rather than outdated sandboxed chromium from "playwright-go"

Open thom-vend opened this issue 4 years ago • 2 comments

Hi, I'm starting to love this tool; however, there is one little part which isn't great: the sandboxed browser.

  1. First, the sandboxed Chromium runs an outdated version and is indeed vulnerable: 90.0.4430.0 on my Mac.

I installed saml2aws 1~2 months ago and only run `saml2aws login --idp-account "$aws_app" --profile "$aws_app" --skip-prompt --cache-saml` when my AWS temporary credentials are outdated or when I'm assuming another role/other account. The saml2aws logs say `Downloaded browsers successfully`, so it makes me think it tries to update this Chromium? 🤔

  2. Using a private sandboxed Chromium forces us to re-login each time.

My main browser is already connected to the SAML identity provider; users are wasting a bit of their time (e.g. when using multiple AWS accounts and roles).

How could we use a locally installed browser? 🤔

Or not using a browser at all with a provider like OneLogin?

Thanks for your engagement in this nice tool. Cheers, Thom

thom-vend avatar Sep 23 '21 21:09 thom-vend

I would love that too!

renanrt avatar Sep 23 '21 21:09 renanrt

I also think this can be a good feature: the tool can open a link in your browser, where you can supply credentials and go back to the CLI.

fllaca avatar Apr 27 '22 09:04 fllaca

In my opinion, using the system's default browser makes more sense than downloading/caching a new browser binary for login.

merusso avatar Jan 22 '23 17:01 merusso

This would be a huge improvement, especially given the recent issues with using Google Apps as the identity provider.

richard-pianka avatar Feb 18 '23 15:02 richard-pianka

This would be an important feature for companies that wish to restrict access to AWS only to corporate machines. For example, using Google's Context-Aware Access (CAA) feature allows one to only let a SAML app work from company-owned machines (as well as checking a few other characteristics of the client machine), but it requires using a Chromium/Chrome session with the Endpoint Verification extension, logged in to Google Workspace.

If saml2aws supported using existing Chrome browsers, this would instantly work. Alternatively, there would have to be a way to orchestrate downloading Playwright, the extension, and ensuring the user logs into Google Workspace at the browser level, making the extension sync, which sounds a lot more brittle.

GuillaumeRoss avatar Jun 14 '23 12:06 GuillaumeRoss

I would love to see this implemented, because entering credentials into the sandboxed Chromium each time I need to switch between accounts/roles in a multi-account AWS environment is painful :-(

sahaqaa avatar Sep 11 '23 11:09 sahaqaa

Another +1 here.

kbarlowgw avatar Oct 09 '23 13:10 kbarlowgw