Recognise more AWS env vars supported in the SDK

USAGE.md

@@ -41,7 +41,7 @@ $ aws-vault exec --help
 
 aws-vault uses your `~/.aws/config` to load AWS config. This should work identically to the config specified by the [aws-cli docs](https://docs.aws.amazon.com/cli/latest/topic/config-vars.html).
 
-aws-vault also recognises an extra config variable, `parent_profile`. This variable sets a profile to inherit configuration from. In the following example, the `work-admin` profile inherits `region` and `mfa_serial` from the `work` profile.
+aws-vault also recognises an extra config variable, `parent_profile`, which is not recognised by the aws-cli. This variable allows a profile to inherit configuration from another profile. In the following example, the `work-admin` profile inherits `region` and `mfa_serial` from the `work` profile.
 
 ```ini
 [profile work]
@@ -60,24 +60,27 @@ The following environment variables can be set to override the default flag
 values of `aws-vault` and its subcommands.
 
 For the `aws-vault` command:
-
 * `AWS_VAULT_BACKEND`: Secret backend to use (see the flag `--backend`)
 * `AWS_VAULT_KEYCHAIN_NAME`: Name of macOS keychain to use (see the flag `--keychain`)
 * `AWS_VAULT_PROMPT`: Prompt driver to use (see the flag `--prompt`)
 * `AWS_VAULT_PASS_PASSWORD_STORE_DIR`: Pass password store directory (see the flag `--pass-dir`)
 * `AWS_VAULT_PASS_CMD`: Name of the pass executable (see the flag `--pass-cmd`)
 * `AWS_VAULT_PASS_PREFIX`: Prefix to prepend to the item path stored in pass (see the flag `--pass-prefix`)
 
-For the `aws-vault exec` subcommand:
-
-* `AWS_ASSUME_ROLE_TTL`: Expiration time for aws assumed role (see the flag `--assume-role-ttl`)
+For the `exec` subcommand:
 * `AWS_SESSION_TTL`:  Expiration time for aws session (see the flag `--session-ttl`)
-* `AWS_MFA_SERIAL`: The identification number of the MFA device to use  (see the flag `--mfa-serial`)
+* `AWS_ASSUME_ROLE_TTL`: Expiration time for aws assumed role (see the flag `--assume-role-ttl`)
 
 For the `aws-vault login` subcommand:
-
 * `AWS_FEDERATION_TOKEN_TTL`: Expiration time for aws console session (see the flag `--federation-token-ttl`)
-* `AWS_MFA_SERIAL`: The identification number of the MFA device to use  (see the flag `--mfa-serial`)
+* `AWS_ASSUME_ROLE_TTL`: Expiration time for aws assumed role (see the flag `--assume-role-ttl`)
+
+For the `exec`, `login` and `rotate` subcommands:
+* `AWS_REGION`: The AWS region
+* `AWS_DEFAULT_REGION`: The AWS region, applied only if `AWS_REGION` isn't set
+* `AWS_ROLE_ARN`: Specifies the ARN of an IAM role
+* `AWS_ROLE_SESSION_NAME`: Specifies the name to attach to the role session
+* `AWS_MFA_SERIAL`: The identification number of the MFA device to use
 
 
 ## Managing Profiles
@@ -213,16 +216,7 @@ source_profile = intermediary
 role_arn = arn:aws:iam::123456789012:role/target
 ```
 
-If desired, you can set your `mfa_serial` with an environment variable `AWS_MFA_SERIAL` or by setting the `--mfa-serial` flag from `aws-vault exec`. This behavior is `aws-vault` specific and isn't supported from the `awscli`.
-
-```shell
-# Set MFA Serial with flag
-$ aws-vault exec --mfa-serial arn:aws:iam::123456789012:mfa/jonsmith my_profile ...
-
-# Set MFA Serial with environment variable
-$ export AWS_MFA_SERIAL=arn:aws:iam::123456789012:mfa/jonsmith
-$ aws-vault exec my_profile ...
-```
+You can also set the `mfa_serial` with the environment variable `AWS_MFA_SERIAL`.
 
 
 ## Removing stored sessions

cli/exec.go

@@ -55,13 +55,6 @@ func ConfigureExecCommand(app *kingpin.Application) {
 		Short('m').
 		StringVar(&input.Config.MfaToken)
 
-	cmd.Flag("mfa-serial-override", "Deprecated, use --mfa-serial instead").
-		Hidden().
-		StringVar(&input.Config.MfaSerial)
-
-	cmd.Flag("mfa-serial", "The identification number of the MFA device to use").
-		StringVar(&input.Config.MfaSerial)
-
 	cmd.Flag("json", "AWS credential helper. Ref: https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes").
 		Short('j').
 		BoolVar(&input.CredentialHelper)

cli/login.go

@@ -48,9 +48,6 @@ func ConfigureLoginCommand(app *kingpin.Application) {
 		Short('t').
 		StringVar(&input.Config.MfaToken)
 
-	cmd.Flag("mfa-serial", "The identification number of the MFA device to use").
-		StringVar(&input.Config.MfaSerial)
-
 	cmd.Flag("path", "The AWS service you would like access").
 		StringVar(&input.Path)
 

cli/rotate.go

@@ -24,9 +24,6 @@ func ConfigureRotateCommand(app *kingpin.Application) {
 		HintAction(awsConfigFile.ProfileNames).
 		StringVar(&input.ProfileName)
 
-	cmd.Flag("mfa-serial", "The identification number of the MFA device to use").
-		StringVar(&input.Config.MfaSerial)
-
 	cmd.Action(func(c *kingpin.ParseContext) error {
 		input.Config.MfaPromptMethod = GlobalFlags.PromptDriver
 		input.Keyring = keyringImpl

vault/config.go

@@ -280,14 +280,24 @@ func (c *ConfigLoader) populateFromConfigFile(config *Config, profileName string
 }
 
 func (c *ConfigLoader) populateFromEnv(profile *Config) {
+	if region := os.Getenv("AWS_REGION"); region != "" && profile.Region == "" {
+		log.Printf("Using region %q from AWS_REGION", region)
+		profile.Region = region
+	}
+
 	if region := os.Getenv("AWS_DEFAULT_REGION"); region != "" && profile.Region == "" {
 		log.Printf("Using region %q from AWS_DEFAULT_REGION", region)
 		profile.Region = region
 	}
 
-	if region := os.Getenv("AWS_REGION"); region != "" && profile.Region == "" {
-		log.Printf("Using region %q from AWS_REGION", region)
-		profile.Region = region
+	if roleARN := os.Getenv("AWS_ROLE_ARN"); roleARN != "" && profile.RoleARN == "" {
+		log.Printf("Using role_arn %q from AWS_ROLE_ARN", roleARN)
+		profile.RoleARN = roleARN
+	}
+
+	if roleSessionName := os.Getenv("AWS_ROLE_SESSION_NAME"); roleSessionName != "" && profile.RoleSessionName == "" {
+		log.Printf("Using role_session_name %q from AWS_ROLE_SESSION_NAME", roleSessionName)
+		profile.RoleSessionName = roleSessionName
 	}
 
 	if mfaSerial := os.Getenv("AWS_MFA_SERIAL"); mfaSerial != "" && profile.MfaSerial == "" {