Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP

Home Page: https://github.com/Versent/saml2aws


GUI pop-up for credentials

JonTheNiceGuy opened this issue

I would like to use saml2aws as a credential provider, however, if I am prompted for a password (e.g. I use keycloak with OTP authentication) this is captured by the credential provider process. It would be convenient if I could specify a --gui flag as a switch to prompt for the username and password if the cached value isn't sufficient.

Unfortunately, I don't know how to write code in Go, but it looks like aws-vault have done this activity.

saml2aws is a CLI tool. Why would you want a GUI component? The CLI password prompt is quite user-friendly, no?

Are you trying to integrate saml2aws into some other (non-golang) application?

Hey @seppestas, we're actually now moving away from keycloak, so I personally don't need this any more, but someone else might in the future. We had a set of scripts which did something akin to:

#!/bin/bash
saml2aws login "$profile"
some_long_running_operation="$(saml2aws exec --quiet --skip-prompt --profile "$profile" -- aws do something)"
some_result="$(saml2aws exec --quiet --skip-prompt --profile "$profile" -- aws some command --flag --flag2 --parameter=value)"

Because of this, sometimes you'd get $some_result with something like "session expired, please login again" (I don't actually recall what the actual response was)... however, like I said, we've moved off this now, so it's not something I can reproduce right now :(

For context, with aws-vault we had the same sort of code:

#!/bin/bash
some_long_running_operation="$(aws-vault exec "$profile_with_mfa" -- aws do something)"
some_result="$(aws-vault exec "$profile_with_mfa" -- aws some command --flag --flag2 --parameter=value)"

In that case, when we needed to provide an AWS MFA response, it comes up as a zenity prompt on Ubuntu.
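
Added example, not part of the thread and not code from saml2aws or aws-vault: a wrapper for the scripts quoted above that keeps prompts out of `$( )` output by asking on /dev/tty or through zenity, and checks the session before running the command. It assumes saml2aws reads `SAML2AWS_PASSWORD` and `SAML2AWS_MFA_TOKEN` from its environment and that the IdP account is already configured; the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not from saml2aws or aws-vault; function names are hypothetical.
# Assumes saml2aws reads SAML2AWS_PASSWORD / SAML2AWS_MFA_TOKEN from its environment.

# Decide where a secret can be asked for without landing in $( ) output.
# $1: "yes" if /dev/tty can be opened, $2: value of DISPLAY
prompt_mode() {
    if [ "$1" = "yes" ]; then echo tty
    elif [ -n "$2" ] && command -v zenity >/dev/null 2>&1; then echo gui
    else echo none
    fi
}

# $1: prompt mode, $2: label. Only the secret itself is written to stdout.
read_secret() {
    local secret
    case "$1" in
        tty) printf '%s: ' "$2" >/dev/tty
             stty -echo </dev/tty
             IFS= read -r secret </dev/tty
             stty echo </dev/tty; printf '\n' >/dev/tty ;;
        gui) secret="$(zenity --password --title="$2")" || return 1 ;;
        *)   echo "cannot prompt for $2: no terminal, no GUI" >&2; return 1 ;;
    esac
    printf '%s' "$secret"
}

# Cheap authenticated call; non-zero exit means the cached session is unusable.
session_valid() {
    saml2aws exec --quiet --skip-prompt --profile "$1" -- \
        aws sts get-caller-identity >/dev/null 2>&1
}

# Secrets reach saml2aws through its environment, not argv, and login
# chatter goes to stderr so it never mixes with captured command output.
ensure_login() {
    local pw otp
    pw="$(read_secret "$2" "Password for $1")" || return 1
    otp="$(read_secret "$2" "OTP for $1")" || return 1
    SAML2AWS_PASSWORD="$pw" SAML2AWS_MFA_TOKEN="$otp" \
        saml2aws login --skip-prompt --profile "$1" >&2
}

# $1: profile, $2: prompt mode, rest: command to run with credentials
run_aws() {
    local profile="$1" mode="$2"; shift 2
    session_valid "$profile" || ensure_login "$profile" "$mode" || return 1
    saml2aws exec --quiet --skip-prompt --profile "$profile" -- "$@"
}
```

Calling it as `some_result="$(run_aws "$profile" "$mode" aws ...)" || exit 1` makes an authentication failure stop the script instead of ending up in the variable.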