Using locally installed browser rather than outdated sandboxed chromium from "playwright-go" #729

Closed
thom-vend opened this issue Sep 23, 2021 · 7 comments · Fixed by #816
@thom-vend
Contributor

Hi
I'm starting to love this tool; however, there is one little part which isn't great: the sandboxed browser.

  1. First, the sandboxed Chromium runs an outdated and indeed vulnerable version: 90.0.4430.0 on my Mac.

I installed saml2aws 1~2 months ago and only run saml2aws login --idp-account "$aws_app" --profile "$aws_app" --skip-prompt --cache-saml when my AWS tmp credentials are outdated or when I'm assuming another role/other account. The saml2aws logs say "Downloaded browsers successfully", so it makes me think it tries to update this Chromium? 🤔

  2. Using a private sandboxed Chromium forces us to re-login each time.

My main browser is already connected to the SAML identity provider; users are wasting a bit of their time (e.g. when using multiple AWS accounts and roles).

How could we use a locally installed browser? 🤔

Or not using a browser at all with a provider like OneLogin?

Thanks for your engagement in this nice tool,
Cheers,
Thom

renanrt commented Sep 23, 2021

I would love that too!

fllaca commented Apr 27, 2022

I also think this can be a good feature: the tool can open a link in your browser where you can supply credentials and go back to the CLI.

merusso commented Jan 22, 2023

In my opinion, using the system's default browser makes more sense than downloading/caching a new browser binary for login.

@richard-pianka

This would be a huge improvement, especially given the recent issues with using Google Apps as the identity provider.

@GuillaumeRoss

This would be an important feature for companies that wish to restrict access to AWS only to corporate machines. For example, using Google's Context-Aware Access (CAA) feature allows one to only let a SAML app work from company-owned machines (as well as checking a few other characteristics of the client machine), but it requires using a Chromium/Chrome session with the Endpoint Verification extension, logged in to Google Workspace.

If saml2aws supported using existing Chrome browsers, this would instantly work. Alternatively, there would have to be a way to orchestrate downloading Playwright, the extension, and ensuring the user logs into Google Workspace at the browser level, making the extension sync, which sounds a lot more brittle.

mapkon linked a pull request Jun 15, 2023 that will close this issue

sahaqaa commented Sep 11, 2023

I would love to see this implemented - because each time entering credentials into sandboxed Chromium when I need to switch between accounts / roles in a multi-account AWS environment is painful :-(

@kbarlowgw
Contributor

Another +1 here.
