Allow Role selection
When there are multiple values to <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">, instead of blindly taking the first one, prompt the user for the one she wants.
This is needed if you have multiple targets and a 1:1 mapping between a Cross-Account role and a target role.
Any chance this, and the other outstanding PRs, could be reviewed? They all seem super helpful.
I just tried your PR out, and there's a bit of an issue with it, at least with a bastion account and cross accounts. oktad needs me to configure a profile in ~/.aws/config, where I need to specify which role I want to assume. Your patch prompts me to pick the role, where I need to pick the role I already configured in ~/.aws/config. Could you change this PR to look up the role in the config file?
@erickt I have actually implemented something like that in https://github.com/endemics/oktad/commit/124b00f78813f78d2cb3a84a0589ade5a4448a0d but haven't created a PR yet.
You can pull the code from https://github.com/endemics/oktad, the master branch has my 3 patches (that's the one we're using internally).
I like the idea of this especially because we're talking about moving to this model for our AWS accounts rather than relying on ~/.aws/config. Less burden on users to set up the profiles for each account in that setup.
That said: maybe this should only prompt for account selection in the event that a user hasn't provided a profile/account to use? Then this code could try to find the name supplied in the SAML response or ~/.aws/config.
There's also potential to retrieve a list of accounts to check against using the AWS Organizations API as well, though that requires permissions to your Organizations account, at least in our case.
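An added example, not oktad's code and not from anyone in this thread, of the lookup proposed above: parse every value of the Role attribute from a SAML assertion, then honour a role_arn the user already configured (as in ~/.aws/config) and only fall back to prompting when nothing is configured and more than one role remains. The assertion, account IDs and the Okta provider name are constructed for the example.

```go
package main

import (
	"encoding/xml"
	"strings"
)

// Constructed sample (made-up account IDs and provider name); the second value lists the provider ARN first, an order AWS also accepts.
const sampleAssertion = `<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:AttributeStatement><saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<saml2:AttributeValue>arn:aws:iam::111111111111:role/Bastion,arn:aws:iam::111111111111:saml-provider/Okta</saml2:AttributeValue>
<saml2:AttributeValue>arn:aws:iam::222222222222:saml-provider/Okta,arn:aws:iam::222222222222:role/Target</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>`
// RolePair is one Role attribute value, normalised to role first, provider second.
type RolePair struct{ RoleARN, ProviderARN string }
// ParseRoles returns every role/provider pair in the Role attribute, in document order. Only the attribute
// statement is modelled; encoding/xml matches elements by local name, so the saml2 prefix does not matter.
func ParseRoles(samlXML string) ([]RolePair, error) {
	var a struct {
		Attributes []struct {
			Name   string   `xml:"Name,attr"`
			Values []string `xml:"AttributeValue"`
		} `xml:"AttributeStatement>Attribute"`
	}
	if err := xml.Unmarshal([]byte(samlXML), &a); err != nil {
		return nil, err
	}
	var pairs []RolePair
	for _, attr := range a.Attributes {
		if attr.Name != "https://aws.amazon.com/SAML/Attributes/Role" {
			continue
		}
		for _, v := range attr.Values {
			first, second, _ := strings.Cut(strings.TrimSpace(v), ",") // no comma: ProviderARN stays empty
			if strings.Contains(first, ":saml-provider/") {           // provider listed first: swap
				first, second = second, first
			}
			pairs = append(pairs, RolePair{RoleARN: first, ProviderARN: second})
		}
	}
	return pairs, nil
}
// SelectRole honours a role_arn the user already configured (as in ~/.aws/config); with none configured
// it takes the only role when there is exactly one; otherwise ok is false and the caller must prompt.
func SelectRole(pairs []RolePair, configuredARN string) (RolePair, bool) {
	for _, p := range pairs {
		if p.RoleARN == configuredARN || (configuredARN == "" && len(pairs) == 1) {
			return p, true
		}
	}
	return RolePair{}, false
}
```

A configured role_arn that is absent from the assertion is reported as not found rather than silently replaced by the first value, which is the case the bastion/cross-account setup above runs into.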