Process credentials format was not emitting JSON correctly when `--wr…

…ite-aws-credentials` flag is present.

Closes #169

CHANGELOG.md

@@ -6,7 +6,8 @@ TBD
 
 ### BUG FIXES
 
-* Open browser and open browser command behavior was fouled in v2 release [#NNN](https://github.com/okta/okta-aws-cli/pull/NNN), thanks [@monde](https://github.com/monde)!
+* Process credentials format was not emitting JSON correctly when `--write-aws-credentials` flag is present [#NNN](https://github.com/okta/okta-aws-cli/pull/NNN), thanks [@monde](https://github.com/monde)!
+* Open browser and open browser command behavior was fouled in v2 release [#172](https://github.com/okta/okta-aws-cli/pull/172), thanks [@monde](https://github.com/monde)!
 
 ## 2.0.1 (January 31, 2024)
 

internal/config/config.go

@@ -441,12 +441,12 @@ func readConfig() (Attributes, error) {
 	if !attrs.WriteAWSCredentials {
 		attrs.WriteAWSCredentials = viper.GetBool(downCase(WriteAWSCredentialsEnvVar))
 	}
-	if attrs.WriteAWSCredentials {
-		// writing aws creds option implies "aws-credentials" format
+	if attrs.WriteAWSCredentials && attrs.Format != ProcessCredentialsFormat {
+		// writing aws creds option implies "aws-credentials" format unless format has already been set as process credentials
 		attrs.Format = AWSCredentialsFormat
 	}
-	if attrs.AllProfiles {
-		// writing all aws profiles option implies "aws-credentials" format
+	if attrs.AllProfiles && attrs.Format != ProcessCredentialsFormat {
+		// writing all aws profiles option implies "aws-credentials" format unless format has already been set as process credentials
 		attrs.Format = AWSCredentialsFormat
 	}
 	if !attrs.OpenBrowser {

internal/output/aws_credentials_file.go

@@ -124,12 +124,13 @@ func updateConfig(filename, profile string, cfc *oaws.CredsFileCredential, legac
 }
 
 // updateIni will comment out any keys that are not "aws_access_key_id",
-// "aws_secret_access_key", or "aws_session_token"
+// "aws_secret_access_key", "aws_session_token", "credential_process"
 func updateINI(config *ini.File, profile string, legacyVars bool, expiryVars bool) (*ini.File, error) {
 	ignore := []string{
 		"aws_access_key_id",
 		"aws_secret_access_key",
 		"aws_session_token",
+		"credential_process",
 	}
 	if legacyVars {
 		ignore = append(ignore, "aws_security_token")

internal/output/output.go

@@ -30,13 +30,28 @@ type Outputter interface {
 
 // RenderAWSCredential Renders the credentials in the prescribed format.
 func RenderAWSCredential(cfg *config.Config, cc *oaws.CredentialContainer) error {
+	expiry := time.Now().Add(time.Duration(cfg.AWSSessionDuration()) * time.Second).Format(time.RFC3339)
 	var o Outputter
 	switch cfg.Format() {
 	case config.AWSCredentialsFormat:
-		expiry := time.Now().Add(time.Duration(cfg.AWSSessionDuration()) * time.Second).Format(time.RFC3339)
 		o = NewAWSCredentialsFile(cfg.LegacyAWSVariables(), cfg.ExpiryAWSVariables(), expiry)
 	case config.ProcessCredentialsFormat:
 		o = NewProcessCredentials()
+
+		// check special case where we are running in process credentials
+		// format but we also need to write to the credentials file e.g. in
+		// ~/.aws/credentials:
+		//
+		// [default]
+		// credential_process = okta-aws-cli web --format process-credentials --oidc-client-id abc123 --org-domain test.okta.com --aws-iam-idp arn:aws:iam::123:saml-provider/ForOkta --aws-iam-role arn:aws:iam::123:role/S3_Read --open-browser --write-aws-credentials
+		//
+		if cfg.WriteAWSCredentials() {
+			// attempt to write the creds first
+			credsOut := NewAWSCredentialsFile(cfg.LegacyAWSVariables(), cfg.ExpiryAWSVariables(), expiry)
+			if err := credsOut.Output(cfg, cc); err != nil {
+				return err
+			}
+		}
 	case config.NoopFormat:
 		o = NewNoopCredentials()
 	default: