pass password via stdin

thiagowfx · thiagowfx · commit c8648f04b01f · 2025-11-06T02:16:58.000+01:00
diff --git a/aws_login_headless/aws_login_headless.sh b/aws_login_headless/aws_login_headless.sh
@@ -257,14 +257,15 @@ run_playwright_automation() {
     echo "Launching headless browser automation..."
 
     # Build uvx command with inline script dependencies
+    # Password is passed via stdin for security (not visible in process list)
     local uvx_cmd=(
         "uvx"
         "--from" "playwright"
         "--with" "playwright"
         "python"
         "$PLAYWRIGHT_SCRIPT"
         "$verification_url"
-        "$password"
+        "--password-stdin"
     )
 
     if [[ -n "$username" ]]; then
@@ -282,7 +283,8 @@ run_playwright_automation() {
         fi
     fi
 
-    if "${uvx_cmd[@]}"; then
+    # Pass password via stdin to prevent exposure in process list
+    if echo "$password" | "${uvx_cmd[@]}"; then
         echo ""
         echo "✓ Successfully authenticated to AWS SSO"
         echo ""
diff --git a/aws_login_headless/aws_login_headless_playwright.py b/aws_login_headless/aws_login_headless_playwright.py
@@ -28,8 +28,9 @@ def parse_args():
         help="AWS SSO verification URL from 'aws sso login --no-browser'"
     )
     parser.add_argument(
-        "sso_password",
-        help="AWS SSO password (retrieve from 1Password or provide directly)"
+        "--password-stdin",
+        action="store_true",
+        help="Read password from stdin instead of command line"
     )
     parser.add_argument(
         "--username",
@@ -307,9 +308,19 @@ def main():
     """Main entry point."""
     args = parse_args()
 
+    # Read password from stdin if flag is set
+    if args.password_stdin:
+        sso_password = sys.stdin.read().strip()
+        if not sso_password:
+            print("Error: No password provided via stdin", file=sys.stderr)
+            sys.exit(1)
+    else:
+        print("Error: Password must be provided via --password-stdin", file=sys.stderr)
+        sys.exit(1)
+
     success = aws_sso_login(
         verification_url=args.verification_url,
-        sso_password=args.sso_password,
+        sso_password=sso_password,
         username=args.username,
         headless=args.headless,
         timeout=args.timeout
