npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@fsichi/awswiz

v0.2.1

Published

Friendly AWS credentials CLI — interactive wizards for profiles, MFA, assume-role, SSO and more

Readme

awswiz

Friendly AWS credentials CLI — interactive wizards for profiles, MFA, assume-role, SSO and more.

awswiz takes the friction out of managing AWS credentials from the terminal. Instead of memorizing aws sts incantations or hand-editing ~/.aws, you answer simple questions. It talks to AWS directly through the SDK and edits your ~/.aws files for you — so it works without the aws CLI installed. The UI speaks English and Spanish (auto-detected).

Install

npm install -g @fsichi/awswiz
# or run it without installing:
npx @fsichi/awswiz whoami

After installing, the command is just awswiz (e.g. awswiz whoami).

Requires Node.js >= 20. That's it — no aws CLI, no Python, no setup.

Commands

Run awswiz on its own (in a terminal) to open an interactive menu. Or call any command directly:

| Command | What it does | |---|---| | awswiz status | Which sessions are alive and when do they expire? Your daily "am I still logged in?". | | awswiz whoami | Which account, role and profile am I using right now? | | awswiz mfa | Start an MFA session — auto-discovers your device, creates a temporary <profile>-mfa profile. | | awswiz assume | Assume an IAM role (cross-account), with MFA, and save the temporary credentials. | | awswiz login | Sign in to IAM Identity Center (SSO) via the browser device flow — then verifies it really worked. | | awswiz console | Open the AWS web console in your browser, already signed in with a profile. | | awswiz exec | Run any command with a profile's credentials: awswiz exec -p prod -- terraform plan. | | awswiz use | Switch the active profile (prints the right export line, or writes [default]). | | awswiz region | Set the default region for a profile. | | awswiz profile | Manage profiles: list, add (masked secret input), edit, remove. | | awswiz doctor | Check your setup: ~/.aws files, profiles, and clock skew (the silent MFA killer). | | awswiz update | Update awswiz to the latest version. |

awswiz status

The command you run every morning. Shows each temporary session (MFA / assumed roles) with its remaining lifetime, each SSO session's token state, and the active profile — with the exact renewal command next to anything expired:

Temporary sessions:
  horsego-mfa   ✔ expires in 11h 40m
  codetria-mfa  ✖ expired   → awswiz mfa -p codetria

SSO sessions:
  boostivity    ✔ signed in — 6h 12m left

Active profile: default (AWS_PROFILE not set)

Sessions created by awswiz record their expiration (aws_session_expiration) so status can tell you before AWS fails with a cryptic ExpiredToken.

awswiz exec

Run one command with a profile's credentials — no shell exports, no [default] rewriting: awswiz exec -p horsego-mfa -- aws s3 ls. Everything after -- is passed through untouched. Warns upfront if the session is already expired.

awswiz console

awswiz console -p prod opens the AWS web console in your browser, already signed in with that profile (via the AWS sign-in federation endpoint). Works with long-lived keys (federation token), SSO and role profiles. --print-url prints the link instead of opening the browser — note the URL itself is a short-lived credential.

awswiz mfa

The MFA ritual, minus the pain. Pick the profile with your long-lived keys; awswiz auto-discovers your MFA device (via iam:ListMFADevices), asks for the 6-digit code, and stores a temporary session as <profile>-mfa — the long-standing convention. The expiration is shown and recorded, so awswiz status can warn you before it bites.

awswiz mfa                              # interactive
awswiz mfa -p myprofile -c 123456       # non-interactive (scripts/CI)

awswiz assume

Assume a role in another account using a source profile's credentials. Prompts for MFA when the source needs it, then writes the temporary credentials to a profile you name.

awswiz login (SSO)

Picks the SSO profile straight from your config — resolving the modern [sso-session] sections, so you never type the start URL — and runs the IAM Identity Center device-authorization flow: your browser opens, you approve, done. The token is cached exactly where the SDK and the aws CLI look for it (session-name key for modern configs, start-URL key for legacy ones), so everything else just works afterwards. And it doesn't merely claim success: it verifies the profile resolves credentials via STS and shows you the account you landed in.

awswiz use

A tool can't change your parent shell's environment, so use prints the exact line for your shell (export AWS_PROFILE=…, PowerShell $env:…, fish set -x …). Prefer no env var? awswiz use <profile> --default copies the profile into [default] so plain aws/SDK calls use it everywhere.

awswiz doctor

Verifies your ~/.aws files exist, counts your profiles, and — crucially — checks your clock against AWS. MFA codes are time-based, so a skewed clock produces baffling "invalid token" errors; doctor catches it.

How it works

| Concern | Approach | |---|---| | Profiles | awswiz reads/writes ~/.aws/config and ~/.aws/credentials directly, with a comment-preserving INI editor — your formatting and comments survive. | | MFA / assume-role | @aws-sdk/client-sts (GetSessionToken, AssumeRole). | | MFA device discovery | @aws-sdk/client-iam (ListMFADevices). | | SSO | @aws-sdk/client-sso-oidc device flow, token cached with the same keys the CLI uses. | | Web console sign-in | AWS sign-in federation endpoint — GetFederationToken for long-lived keys, direct temporary credentials for SSO/role profiles. | | Session expiry | mfa/assume record aws_session_expiration in the credentials file; status and exec read it. |

No aws CLI is spawned or required. Credentials files are written with 0600 permissions on Unix, and secrets are never logged.

Non-interactive mode & AI agents

The wizards are for humans, but the credential commands also take flags so scripts, CI and AI coding agents can run them headless — a bare interactive command in a non-TTY context fails fast instead of hanging:

awswiz mfa --profile prod --code 123456
awswiz assume --profile prod --role arn:aws:iam::123456789012:role/Admin --code 123456
awswiz exec -p prod -- aws s3 ls
awswiz region prod eu-west-1
awswiz use prod --default
awswiz status        # read-only, always safe

The repo ships an AGENTS.md with the full non-interactive matrix and the security rules agents should follow (never pass secrets as flags, never log sign-in URLs). awswiz deliberately does not accept access keys as CLI flags — they would leak into shell history.

Language

awswiz follows your system locale (English or Spanish). Force it for one run with the AWSWIZ_LANG environment variable (AWSWIZ_LANG=es awswiz whoami).

License

MIT © Facundo Sichi