From 938b7c80e6da1c10fcca150e35e4bf863700364e Mon Sep 17 00:00:00 2001
From: Dave2 Buchanan
 <146779710+unlox775-code-dot-org@users.noreply.github.com>
Date: Fri, 9 May 2025 17:53:24 -0700
Subject: [PATCH] Official deprecation of this gym with security, warning and
 disabling refresh

---
 README.md                            | 40 ++++++++++++++++++++++++++++
 exe/aws-google                       |  1 +
 lib/aws/google.rb                    |  4 ++-
 lib/aws/google/cached_credentials.rb | 14 ++++------
 4 files changed, 49 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index c096056..3b785b4 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,45 @@
 # Aws::Google [![Build Status](https://travis-ci.com/code-dot-org/aws-google.svg?branch=master)](https://travis-ci.com/code-dot-org/aws-google)
 
+## Security Advisory - DEPRECATION NOTICE
+
+**What’s Actually Happening**
+- The `aws-google` gem uses your Google Workspace SAML federation and refresh token (stored under `~/.config/gcloud`) to silently reauthenticate and fetch new SAML assertions indefinitely.
+- Access tokens are short-lived, but the gem auto-refreshes them without user interaction, effectively granting perpetual AWS CLI access.
+
+**Root Problem: IAM Trust + Refresh = Forever Access**
+- Trust policy allows any valid Google SAML assertion to assume the role.
+- A long-lived Google refresh token means AWS sessions can be recreated endlessly, bypassing STS session limits.
+
+**Why This Feels Like a Hacker’s Backdoor**
+- Chains refreshable identity tokens to bypass short-lived credentials.
+- Skirts MFA: only checked on Google login, which could be months ago.
+- Operates silently: no AWS logs for reauthentication calls.
+- Becomes a persistent, long-lived IAM user, against AWS security best practices.
+
+---
+
+## Path Forward & Deprecation Plan
+
+1. **Deprecate `aws-google`.**
+   - Introduce a warning on every invocation and in the README.
+   - Disable auto-refresh so sessions expire normally.
+2. **Migrate to AWS IAM Identity Center (SSO).**
+   - Still federates from Google Workspace.
+   - Centralized user provisioning, role mapping, and enforced session duration (1–12 hr).
+   - CLI users run `aws sso login` instead of relying on a refresh token.
+3. **Remove the Google SAML Provider in IAM.**
+   - Delete the `arn:aws:iam::<acct>:saml-provider/Google` trust and any `WebIdentity` entries for `accounts.google.com`.
+   - Forces immediate revocation for any existing refresh tokens.
+4. **Audit Usage.**
+   - Use CloudTrail to query `AssumeRoleWithSAML` events.
+   - Identify any lingering federation patterns or anomalous long-lived access.
+
+---
+
+Use this gem at your own risk until you have completed the above migration steps.
+
+# **DEPRECATION NOTICE:** The `aws-google` gem is deprecated and will no longer auto-refresh credentials. Please migrate to AWS IAM Identity Center or other solutions and expect this gem to stop functioning in future releases.
+
 Use Google OAuth as an AWS Credential Provider.
 
 ## Installation
diff --git a/exe/aws-google b/exe/aws-google
index 2bdd414..8a4c588 100755
--- a/exe/aws-google
+++ b/exe/aws-google
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+warn "\e[31m*** DEPRECATION NOTICE: The aws-google CLI is deprecated and will no longer auto-refresh credentials. Migrate to AWS IAM Identity Center. ***\e[0m"
 
 # CLI to retrieve AWS credentials in credential_process format.
 # Ref: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
diff --git a/lib/aws/google.rb b/lib/aws/google.rb
index dd235ed..ba94523 100644
--- a/lib/aws/google.rb
+++ b/lib/aws/google.rb
@@ -45,8 +45,11 @@ class << self
     # @option options [String] :client_id Google client ID
     # @option options [String] :client_secret Google client secret
     def initialize(options = {})
+      # Deprecation warning and disable auto-refresh
+      warn "\e[31m*** DEPRECATION NOTICE: The aws-google gem is deprecated and will no longer auto-refresh credentials. Please migrate to AWS IAM Identity Center. ***\e[0m"
       options = options.merge(self.class.config)
       @oauth_attempted = false
+      @online = options.fetch(:online, true)
       @assume_role_params = options.slice(
         *Aws::STS::Client.api.operation(:assume_role_with_web_identity).
           input.shape.member_names
@@ -58,7 +61,6 @@ def initialize(options = {})
       )
       @client = options[:client] || Aws::STS::Client.new(credentials: nil)
       @domain = options[:domain]
-      @online = options[:online]
       @port = options[:port] || 1234
       super
     end
diff --git a/lib/aws/google/cached_credentials.rb b/lib/aws/google/cached_credentials.rb
index de3b032..e5c6d4c 100644
--- a/lib/aws/google/cached_credentials.rb
+++ b/lib/aws/google/cached_credentials.rb
@@ -19,18 +19,14 @@ def initialize(options = {})
         @session_profile = @profile + '_session'
         @expiration = Aws.shared_config.expiration(profile: @session_profile) rescue nil
         @credentials = Aws.shared_config.credentials(profile: @session_profile) rescue nil
-        refresh_if_near_expiration
+        # Auto-refresh disabled due to deprecation
+        # refresh_if_near_expiration
       end
 
       def refresh_if_near_expiration
-        return unless near_expiration?(SYNC_EXPIRATION_LENGTH)
-
-        @mutex.synchronize do
-          if near_expiration?(SYNC_EXPIRATION_LENGTH)
-            refresh
-            write_credentials
-          end
-        end
+        # Deprecation: auto-refresh is disabled; sessions will expire normally.
+        warn "\e[31m*** DEPRECATION NOTICE: aws-google auto-refresh disabled. Sessions expire without refresh. ***\e[0m"
+        # no-op
       end
 
       # Write credentials and expiration to AWS credentials file.