Aws Vault Versions

A vault for securely storing and accessing AWS credentials in development environments

v6.0.0

3 years ago

See the full changelog

Added

  • Support for AWS SSO #549 docs
  • Support for Yubikey TOTP #558 docs
  • A shell script for adding a Yubikey to IAM #559
  • aws-vault exec --ecs-server starts an ECS credential server offering many advantages over the EC2 metadata server #556 #375 docs
  • Debug http logging for the server #330
  • Support for setting the secret service collection with --secret-service-collection #539
  • Support for assuming roles using OpenID Connect tokens #587
  • A native Windows prompt wincredui #613
  • A pass MFA provider that reads from pass otp #640
  • aws-vault proxy --stop will stop the EC2 server proxy and remove the network alias. Fixes #548, #360
  • A new command aws-vault clear [<profile>] to remove short-term session credentials and OIDC tokens #644 #591 #412
  • The environment variable AWS_MIN_TTL will enforce a minimum expiry time on credentials #646

Fixed

  • Ensure all error messages go to stderr #565
  • Using a key with a slash with the file backend https://github.com/99designs/keyring/pull/69
  • Login hang when using an unknown profile #575 #545
  • Shell completion issues #408, #576
  • Parse Windows netsh error messages in German #610
  • The aws-vault executable location should now be detected correctly in more instances. Fixes #596
  • Use the expiry window when retrieving credentials from the key store to enforce a minimum expiry time #608

Changed

  • Config variable parent_profile renamed to include_profile. The old parent_profile still works for backwards compatibility #520 #560 docs
  • Credentials created with AssumeRole and MFA are now cached #569 (Fixes #552, #532, #525)
  • Profile names are now case-sensitive #570 #528 7262236
  • The proxy command is now aws-vault proxy. This command is not user facing, but the old server subcommand still works just in case for backwards compatibility #627
  • When secret keys are added with aws-vault add, the secret is no longer echoed back into the terminal #625
  • The --sessions-only flag has been deprecated from the remove command in favour of aws-vault clear. The old flag still works for backwards compatibility

v5.4.4

4 years ago

Security

  • Check the host header to mitigate a DNS rebinding attack #578

v4.7.2

4 years ago

Security

  • Check the host header to mitigate a DNS rebinding attack #578

v5.4.3

4 years ago

Fixed

  • Fixed 404 page not found when retrieving credentials from the metadata service in --server mode #577. If you're experiencing issues, kill any old background proxy process using sudo killall -9 aws-vault before running aws-vault exec --server
  • Removed the experimental hidden --ecs-server flag (this feature will be in v6)

v5.4.2

4 years ago

Fixed

  • Reverted the change introduced in v5.4.0 where the exec command defaulted to a login shell if SHELL is known to support -l, as this is causing issues with nested environment variables #546

v5.4.1

4 years ago

Fixed

  • region env var being set to blank
  • error handling on ecs credential server

v5.4.0

4 years ago

Fixed

  • AWS_FEDERATION_TOKEN_TTL was not correctly setting the Federation TTL #550 #551
  • AWS region retrieval from metadata server #542

Added

  • --region to the exec and login commands #557 #531
  • ~Currently hidden, an experimental exec --ecs-server flag starts an ECS credential server offering many advantages over the EC2 metadata server #556 #375~ (reverted in v5.4.3)

Changed

  • ~The exec command now defaults to a login shell if SHELL is known to support -l 38262fdfccf0851b9e8e734c7804ef44235be504 #546~ (reverted in v5.4.2)

v5.3.2

4 years ago

Fixed

  • Fix test for recursive source_profile #527 0760274

v5.3.1

4 years ago

Fixed

  • failures when AWS_SDK_LOAD_CONFIG and AWS_PROFILE were both set #410 1ce3655

v5.3.0

4 years ago

Fixed

  • Ignore a profile's source_profile if it refers to itself f26b718 #504

Added

  • Support for kdialog #523