Releases: mmmorris1975/aws-runas
Fix SAML response parsing for browser client
Some identity providers send extra attributes along with the SAMLResponse, which was causing the client to fail to find the necessary SAML assertion to provide to AWS. This release changes the parsing of that data so that we reliably find the SAML assertion when other attributes are passed in the response.
Fixes #103
3.5.1
Rewrite the browser auth provider to use chromedp browser events. This allows the SAMLResponse event to be captured even when the page does not return an HTTP 200 response. Single role/account users get a SAMLResponse in a 302 that redirects to the AWS console, which the previous implementation did not capture. With this change the provider works for both multi account/role and single account/role users.
3.5.0 Add browser-based SAML client
Allow aws-runas to spawn an external browser (Chrome/Edge) that can be used to navigate an authentication session and return a SAMLResponse to aws-runas for use in retrieving credentials.
3.4.0: Upgrade ssm-session-client (#86)
- Migrate to the latest ssm-session-client to get direct integration with the AWS-managed SSM session client codebase. This gives us the full functionality of the AWS-provided SSM session plugin without needing to install the 3rd party binary. Benefits include stable SSH connections over SSM and support for all port forwarding features of the AWS code (port multiplexing, etc.).
- Ensure valid credentials before any SSM action, fixing an annoying behavior where SSM actions would fail unless valid, cached credentials already existed.
- Update CircleCI orbs and the Go version, and update Go module versions to stay up to date.
Fix ECR login for registries not in profile region
The ecr login command was failing to authenticate to registries that weren't in the region specified in the profile (for example, the profile says us-east-1 but the registry is in us-west-2). The region is now explicitly set to the one specified in the ECR registry URL when calling GetAuthorizationToken.
Fixes #81
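The region selection described in this entry, as an added example that is not aws-runas's own code: it derives the region from the registry host and reports when that overrides the profile's region. RegistryRegion and LoginRegion are hypothetical helper names, and the account ID and repository are constructed sample values.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// <account>.dkr.ecr[-fips].<region>.amazonaws.com[.cn], anchored at both ends
// so a look-alike suffix (for example "...amazonaws.com.example.net") is rejected.
var ecrHost = regexp.MustCompile(
	`^(\d{12})\.dkr\.ecr(?:-fips)?\.([a-z0-9-]+)\.amazonaws\.com(?:\.cn)?$`)

// RegistryRegion (hypothetical helper) extracts the account ID and region from
// an ECR registry given as a bare host, host/repo:tag, or full URL.
func RegistryRegion(registry string) (account, region string, err error) {
	s := strings.TrimSpace(registry)
	if !strings.Contains(s, "://") {
		s = "https://" + s // url.Parse only fills Host when a scheme is present
	}
	u, err := url.Parse(s)
	if err != nil {
		return "", "", fmt.Errorf("parse %q: %w", registry, err)
	}
	m := ecrHost.FindStringSubmatch(strings.ToLower(u.Hostname()))
	if m == nil {
		return "", "", fmt.Errorf("%q is not an ECR registry host", registry)
	}
	return m[1], m[2], nil
}

// LoginRegion (hypothetical helper) returns the region to use for
// GetAuthorizationToken and whether it overrides the profile's region.
func LoginRegion(profileRegion, registry string) (string, bool, error) {
	_, region, err := RegistryRegion(registry)
	if err != nil {
		return "", false, err
	}
	return region, region != profileRegion, nil
}

func main() {
	// Constructed sample: profile in us-east-1, registry in us-west-2.
	r, over, err := LoginRegion("us-east-1", "123456789012.dkr.ecr.us-west-2.amazonaws.com/app:1.0")
	fmt.Println(r, over, err)
}
```

Matching the whole hostname matters because the authorization token is sent to whatever registry the caller names, so a host that merely contains an ECR-looking prefix is refused.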
Correct credential caching issue with metadata credential service
3.3.1 Fix handling of role ARN parameter when using external IdP
When using a role ARN instead of a named profile, with the external IdP configuration in the default profile, the IdP configuration was not loaded because a profile could not be loaded from the config file. This has been fixed.
Fixes #73
Integrate EC2 Instance Connect with SSM SSH functionality
Integrate EC2 Instance Connect with the SSM SSH functionality (#71). This allows the public key for the session to be provisioned on the instance during the setup of the SSH session instead of requiring pre-existing SSH keys on the instance.
- Update dependencies and use Go 1.17
- Fix error when launching the SSM plugin
- Update ssm-session-client for a bug fix with DNS target resolution
3.2.0: Add Duo MFA to Okta IdP client
Add Duo MFA to Okta IdP client (#68)
Update SSM client library for fix to terminal resizing
Update versions for dependencies