feat!: add GRANTED_BROWSER_PROFILE env var support for browser profile override (#914)

* feat!: add GRANTED_BROWSER_PROFILE env var support for browser profile override

Add support for GRANTED_BROWSER_PROFILE environment variable to override
the browser profile used when opening AWS console with -c/-s flags.

Changes:
- Add EnvVars to browser-profile flag to automatically read from
  GRANTED_BROWSER_PROFILE environment variable
- Remove browser-profile from getConsoleURL condition to prevent env var
  from inadvertently triggering console URL generation
- Browser profile from env var is only used when actually launching
  browser (after all safety checks)

BREAKING CHANGE: The --browser-profile flag no longer triggers browser
opening by itself. Users must now explicitly use -c or -s flags along
with --browser-profile to open a browser. Previously, passing
--browser-profile alone would open a browser window, but now it only
sets which browser profile to use when a browser is opened via other
flags. This prevents the GRANTED_BROWSER_PROFILE environment variable
from inadvertently opening browsers.

This allows users to set a default browser profile via environment
variable that will be used whenever opening the console, while still
allowing --browser-profile flag to take precedence.

Fixes #886

* feat: add GRANTED_SSO_BROWSER_PROFILE env var support for SSO browser profile

Add support for GRANTED_SSO_BROWSER_PROFILE environment variable to override
the browser profile used when launching SSO login flows.

When using SSOBrowserLaunchTemplate, the environment variable will be used
to specify which browser profile to use for SSO authentication flows.

Usage:
export GRANTED_SSO_BROWSER_PROFILE="MySSOProfile"
assume <profile>  # SSO login will use "MySSOProfile" as the browser profile

* feat: add --sso-browser-profile flag and GRANTED_SSO_BROWSER_PROFILE env var support

- Add --sso-browser-profile flag to assume, granted sso login, generate, and populate commands
- Add SSOBrowserProfile field to ConfigOpts to pass browser profile through SSO login flow
- Remove redundant environment variable check from idclogin.Login (handled by flag EnvVars)
- Add test case for empty browser profile in launcher tests
- Support GRANTED_SSO_BROWSER_PROFILE environment variable via flag EnvVars

Author: billyjbryant

pkg/assume/assume.go

@@ -280,10 +280,11 @@ func AssumeCommand(c *cli.Context) error {
 	}
 
 	configOpts := cfaws.ConfigOpts{
-		Duration:     time.Hour,
-		MFATokenCode: assumeFlags.String("mfa-token"),
-		Args:         assumeFlags.StringSlice("pass-through"),
-		DisableCache: assumeFlags.Bool("no-cache"),
+		Duration:          time.Hour,
+		MFATokenCode:      assumeFlags.String("mfa-token"),
+		Args:              assumeFlags.StringSlice("pass-through"),
+		DisableCache:      assumeFlags.Bool("no-cache"),
+		SSOBrowserProfile: assumeFlags.String("sso-browser-profile"),
 	}
 
 	// attempt to get session duration from profile
@@ -307,7 +308,7 @@ func AssumeCommand(c *cli.Context) error {
 
 	// if getConsoleURL is true, we'll use the AWS federated login to retrieve a URL to access the console.
 	// depending on how Granted is configured, this is then printed to the terminal or a browser is launched at the URL automatically.
-	getConsoleURL := !assumeFlags.Bool("env") && ((assumeFlags.Bool("console") || assumeFlags.String("console-destination") != "") || assumeFlags.Bool("active-role") || assumeFlags.String("service") != "" || assumeFlags.Bool("url") || assumeFlags.String("browser-profile") != "")
+	getConsoleURL := !assumeFlags.Bool("env") && ((assumeFlags.Bool("console") || assumeFlags.String("console-destination") != "") || assumeFlags.Bool("active-role") || assumeFlags.String("service") != "" || assumeFlags.Bool("url"))
 
 	// this makes it easy for users to copy the actual command and avoid needing to lookup profiles
 	if !cfg.DisableUsageTips && showRerunCommand {

pkg/assume/entrypoint.go

@@ -45,7 +45,8 @@ func GlobalFlags() []cli.Flag {
 		&cli.StringFlag{Name: "sso-region", Usage: "Use this in conjunction with --sso, the sso-region"},
 		&cli.StringFlag{Name: "account-id", Usage: "Use this in conjunction with --sso, the account-id"},
 		&cli.StringFlag{Name: "role-name", Usage: "Use this in conjunction with --sso, the role-name"},
-		&cli.StringFlag{Name: "browser-profile", Aliases: []string{"bp"}, Usage: "Use a pre-existing profile in your browser"},
+		&cli.StringFlag{Name: "browser-profile", Aliases: []string{"bp"}, Usage: "Use a pre-existing profile in your browser", EnvVars: []string{"GRANTED_BROWSER_PROFILE"}},
+		&cli.StringFlag{Name: "sso-browser-profile", Usage: "Use a pre-existing profile in your browser for SSO login", EnvVars: []string{"GRANTED_SSO_BROWSER_PROFILE"}},
 		&cli.StringFlag{Name: "mfa-token", Usage: "Provide your current MFA token for the role you are assuming to skip being prompted"},
 		&cli.StringFlag{Name: "save-to", Usage: "Use this in conjunction with --sso, the profile name to save the role to in your AWS config file"},
 		&cli.BoolFlag{Name: "export-all-env-vars", Aliases: []string{"x"}, Usage: "Exports all available credentials to the terminal when used with a profile configured for credential-process. Without this flag, only the AWS_PROFILE will be configured"},

pkg/cfaws/assumer_aws_sso.go

@@ -192,7 +192,7 @@ func (c *Profile) SSOLogin(ctx context.Context, configOpts ConfigOpts) (aws.Cred
 	if cachedToken == nil && plainTextToken == nil {
 		newCfg := aws.NewConfig()
 		newCfg.Region = rootProfile.SSORegion()
-		newSSOToken, err := idclogin.Login(ctx, *newCfg, rootProfile.SSOStartURL(), rootProfile.SSOScopes())
+		newSSOToken, err := idclogin.Login(ctx, *newCfg, rootProfile.SSOStartURL(), rootProfile.SSOScopes(), configOpts.SSOBrowserProfile)
 		if err != nil {
 			return aws.Credentials{}, err
 		}

pkg/cfaws/profiles.go

@@ -27,6 +27,7 @@ type ConfigOpts struct {
 	ShouldRetryAssuming        *bool
 	MFATokenCode               string
 	DisableCache               bool
+	SSOBrowserProfile          string
 }
 
 type Profile struct {

pkg/granted/sso.go

@@ -55,7 +55,9 @@ var GenerateCommand = cli.Command{
 		&cli.StringFlag{Name: "sso-region", Usage: "Specify the SSO region"},
 		&cli.StringSliceFlag{Name: "source", Usage: "The sources to load AWS profiles from (valid values are: 'aws-sso')", Value: cli.NewStringSlice("aws-sso")},
 		&cli.BoolFlag{Name: "no-credential-process", Usage: "Generate profiles without the Granted credential-process integration"},
-		&cli.StringFlag{Name: "profile-template", Usage: "Specify profile name template", Value: awsconfigfile.DefaultProfileNameTemplate}},
+		&cli.StringFlag{Name: "profile-template", Usage: "Specify profile name template", Value: awsconfigfile.DefaultProfileNameTemplate},
+		&cli.StringFlag{Name: "sso-browser-profile", Usage: "Use a pre-existing profile in your browser for SSO login", EnvVars: []string{"GRANTED_SSO_BROWSER_PROFILE"}},
+	},
 	Action: func(c *cli.Context) error {
 		ctx := c.Context
 		fullCommand := fmt.Sprintf("%s %s", c.App.Name, c.Command.FullName()) // e.g. 'granted sso populate'
@@ -100,10 +102,11 @@ var GenerateCommand = cli.Command{
 			Prefix:              prefix,
 		}
 
+		ssoBrowserProfile := c.String("sso-browser-profile")
 		for _, s := range c.StringSlice("source") {
 			switch s {
 			case "aws-sso":
-				g.AddSource(AWSSSOSource{SSORegion: ssoRegion, StartURL: startURL})
+				g.AddSource(AWSSSOSource{SSORegion: ssoRegion, StartURL: startURL, SSOBrowserProfile: ssoBrowserProfile})
 			case "commonfate", "common-fate", "cf":
 				return fmt.Errorf("the common fate profile source is no longer supported: https://www.commonfate.io/blog/winding-down")
 			default:
@@ -138,6 +141,7 @@ var PopulateCommand = cli.Command{
 		&cli.BoolFlag{Name: "prune", Usage: "Remove any generated profiles with the 'common_fate_generated_from' key which no longer exist"},
 		&cli.StringFlag{Name: "profile-template", Usage: "Specify profile name template", Value: awsconfigfile.DefaultProfileNameTemplate},
 		&cli.BoolFlag{Name: "no-credential-process", Usage: "Generate profiles without the Granted credential-process integration"},
+		&cli.StringFlag{Name: "sso-browser-profile", Usage: "Use a pre-existing profile in your browser for SSO login", EnvVars: []string{"GRANTED_SSO_BROWSER_PROFILE"}},
 	},
 	Action: func(c *cli.Context) error {
 		ctx := c.Context
@@ -214,10 +218,11 @@ var PopulateCommand = cli.Command{
 			PruneStartURLs:      pruneStartURLs,
 		}
 
+		ssoBrowserProfile := c.String("sso-browser-profile")
 		for _, s := range c.StringSlice("source") {
 			switch s {
 			case "aws-sso":
-				g.AddSource(AWSSSOSource{SSORegion: ssoRegion, StartURL: startURL, SSOScopes: c.StringSlice("sso-scope")})
+				g.AddSource(AWSSSOSource{SSORegion: ssoRegion, StartURL: startURL, SSOScopes: c.StringSlice("sso-scope"), SSOBrowserProfile: ssoBrowserProfile})
 			case "commonfate", "common-fate", "cf":
 				return fmt.Errorf("the common fate profile source is no longer supported: https://www.commonfate.io/blog/winding-down")
 			default:
@@ -245,6 +250,7 @@ var LoginCommand = cli.Command{
 		&cli.StringFlag{Name: "sso-region", Usage: "Specify the SSO region"},
 		&cli.StringFlag{Name: "sso-start-url", Usage: "Specify the SSO start url"},
 		&cli.StringSliceFlag{Name: "sso-scope", Usage: "Specify the SSO scopes"},
+		&cli.StringFlag{Name: "sso-browser-profile", Usage: "Use a pre-existing profile in your browser for SSO login", EnvVars: []string{"GRANTED_SSO_BROWSER_PROFILE"}},
 	},
 	Action: func(c *cli.Context) error {
 		ctx := c.Context
@@ -291,13 +297,14 @@ var LoginCommand = cli.Command{
 		}
 
 		ssoScopes := c.StringSlice("sso-scope")
+		ssoBrowserProfile := c.String("sso-browser-profile")
 
 		cfg := aws.NewConfig()
 		cfg.Region = ssoRegion
 
 		secureSSOTokenStorage := securestorage.NewSecureSSOTokenStorage()
 
-		newSSOToken, err := idclogin.Login(ctx, *cfg, ssoStartUrl, ssoScopes)
+		newSSOToken, err := idclogin.Login(ctx, *cfg, ssoStartUrl, ssoScopes, ssoBrowserProfile)
 		if err != nil {
 			return err
 		}
@@ -311,9 +318,10 @@ var LoginCommand = cli.Command{
 }
 
 type AWSSSOSource struct {
-	SSORegion string
-	StartURL  string
-	SSOScopes []string
+	SSORegion         string
+	StartURL          string
+	SSOScopes         []string
+	SSOBrowserProfile string
 }
 
 func (s AWSSSOSource) GetProfiles(ctx context.Context) ([]awsconfigfile.SSOProfile, error) {
@@ -348,7 +356,7 @@ func (s AWSSSOSource) GetProfiles(ctx context.Context) ([]awsconfigfile.SSOProfi
 
 	if ssoTokenFromSecureCache == nil && ssoTokenFromPlainText == nil {
 		// otherwise, login with SSO
-		ssoTokenFromSecureCache, err = idclogin.Login(ctx, cfg, s.StartURL, s.SSOScopes)
+		ssoTokenFromSecureCache, err = idclogin.Login(ctx, cfg, s.StartURL, s.SSOScopes, s.SSOBrowserProfile)
 		if err != nil {
 			return nil, err
 		}

pkg/idclogin/run.go

@@ -20,7 +20,7 @@ import (
 )
 
 // Login contains all the steps to complete a device code flow to retrieve an SSO token
-func Login(ctx context.Context, cfg aws.Config, startUrl string, scopes []string) (*securestorage.SSOToken, error) {
+func Login(ctx context.Context, cfg aws.Config, startUrl string, scopes []string, browserProfile string) (*securestorage.SSOToken, error) {
 	ssooidcClient := ssooidc.NewFromConfig(cfg)
 
 	// If scopes aren't provided, default to the legacy non-refreshable configuration
@@ -80,7 +80,7 @@ func Login(ctx context.Context, cfg aws.Config, startUrl string, scopes []string
 		}
 
 		// now build the actual command to run - e.g. 'firefox --new-tab <URL>'
-		args, err := l.LaunchCommand(url, "")
+		args, err := l.LaunchCommand(url, browserProfile)
 		if err != nil {
 			return nil, fmt.Errorf("error building browser launch command: %w", err)
 		}

pkg/launcher/custom_test.go

@@ -35,6 +35,17 @@ func TestCustom_LaunchCommand(t *testing.T) {
 			},
 			want: []string{"/usr/bin/firefox", "--url", "https://commonfate.io", "--profile", "example"},
 		},
+		{
+			name: "empty_profile",
+			fields: fields{
+				Command: "/usr/bin/firefox --url {{.URL}} --profile {{.Profile}}",
+			},
+			args: args{
+				url:     "https://commonfate.io",
+				profile: "",
+			},
+			want: []string{"/usr/bin/firefox", "--url", "https://commonfate.io", "--profile", ""},
+		},
 		{
 			name: "with_args",
 			fields: fields{