v2.4.0

Author: Turtdle

CHANGELOG.md

@@ -1,5 +1,27 @@
 # Changelog
 
+## v2.4.0 [2026-06-03]
+
+__What's New:__
+
+* Added `awsstsjwt` federation provider support (OIDC-based AWS federation via STS `GetWebIdentityToken`)
+
+__Enhancements:__
+
+* Updated federation provider help text to list all valid providers including `awsstsjwt` parameter format
+
+__Bug Fixes:__
+
+* Added per-profile file locking to prevent concurrent duplicate checkouts, gated behind `checkout_lock` config flag
+
+__Dependencies:__
+
+* Bumped `britive` SDK requirement from `>=4.1.2` to `>=4.6.0`
+
+__Other:__
+
+* None
+
 ## v2.3.2 [2026-04-07]
 
 __What's New:__

docs/index.md

@@ -155,6 +155,15 @@ The custom TLS certificate to use when making HTTP requests.
 
 _Allowed value:_ the path to a custom TLS certificate, e.g. `/location/of/the/CA_BUNDLE_FILE.pem`
 
+#### `checkout_lock`
+
+Enable per-profile file locking to prevent concurrent duplicate checkouts. This is useful when tools like
+credential helpers or automation frameworks resolve credentials from multiple threads or processes simultaneously.
+When enabled, a file-based lock is acquired per profile before performing a checkout, ensuring only one checkout
+occurs at a time for a given profile. Locks are stored in `~/.britive/locks/`.
+
+_Allowed value:_ `true` or `false`
+
 #### `my_access_retrieval_limit`
 
 Limit the number of "My Access" profiles to be retrieved.
@@ -266,7 +275,8 @@ At feature launch the following types of identity providers are supported for wo
 `pybritive` offers some native integrations with the following services.
 
 * Github Actions
-* AWS
+* AWS (STS)
+* AWS (STS via OIDC JWT)
 * Bitbucket
 * Azure System Assigned Managed Identities
 * Azure User Assigned Managed Identities
@@ -318,6 +328,24 @@ pybritive checkout "profile" --federation-provider aws-profile_expirationseconds
 pybritive checkout "profile" --federation-provider aws_expirationseconds
 ```
 
+#### AWS STS via OIDC (JWT)
+
+```sh
+# use awsstsjwt with an AWS CLI profile, audience, signing algorithm, and duration
+# format: awsstsjwt-<profile>|<audience>|<signing_algorithm>|<duration_seconds>
+pybritive checkout "profile" --federation-provider awsstsjwt-myprofile|sts.amazonaws.com|RS256|3600
+
+# use awsstsjwt with only an AWS CLI profile (other params use defaults)
+pybritive checkout "profile" --federation-provider awsstsjwt-myprofile
+
+# use awsstsjwt without an AWS CLI profile (source credentials via the standard credential discovery process)
+pybritive checkout "profile" --federation-provider awsstsjwt
+```
+
+The `awsstsjwt` provider uses the AWS STS `AssumeRoleWithWebIdentity` API to federate using an OIDC JWT token.
+Parameters are pipe-delimited in the format `awsstsjwt-<profile>|<audience>|<signing_algorithm>|<duration_seconds>`.
+All parameters after the profile are optional.
+
 #### Bitbucket
 
 > _note: no additional options are available for bitbucket._

src/pybritive/__init__.py

@@ -1 +1 @@
-__version__ = '2.3.2'
+__version__ = '2.4.0'