
feature request - logout

Open mengano-net opened this issue 3 years ago • 5 comments

I need to be able to switch connections between multiple AWS accounts/IAM roles. I would love to have an aws-adfs logout implementation, so that I can logout from one role, then again issue aws-adfs login to select another account/role.

  • If I log into one, I'm able to access:
❯ aws-adfs list
Available profiles:
 * profile mengano                |
 * default                        | arn:aws:iam::<sanitized>:role/ADFS-Admin
❯ aws s3 ls | grep athena
2021-06-23 10:06:21 rsh-arod-athena-query-results
❯
  • But if I then try to log in again, before the STS session timeout, I can't switch to another account/role; it only shows me details of the current session:
❯ aws-adfs login

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : 'default'
            * AWS region                        : 'us-east-2'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::<sanitized>:role/ADFS-Admin'
            * ADFS Server                       : '<sanitized>'
            * ADFS Session Duration in seconds  : '7200'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '3600'
            * SSPI:                             : 'False'
            * U2F and default method            : 'True'

❯

My details:

❯ aws-adfs --version
1.24.5
❯
❯ sw_vers
ProductName:	macOS
ProductVersion:	12.1
BuildVersion:	21C52
❯

mengano-net, Jan 05 '22 20:01

Probably reset is what you're looking for:

> aws-adfs reset --help
Usage: aws-adfs reset [OPTIONS]

  removes stored profile

Options:
  --profile TEXT  AWS cli profile that will be removed
  --help          Show this message and exit.

yermulnik, Jan 05 '22 20:01

Thanks for your time and reply. Um … almost, but not quite… let me explain:

Using aws-adfs reset removes the AWS CLI profile entirely, deleting it from ~/.aws/config and also removing any custom entries I may have in that profile. I would much rather have an aws-adfs logout that would remove the session tokens, leaving the rest of the profile intact.

mengano-net, Jan 06 '22 02:01

Sorry this is so late.... I do this by declaring a unique profile name during the login command. To be specific, I'm using the "credential-process" method with --stdout set, so that when I do CLI commands I can set --profile DEV, then on the next command --profile QA, for example. When I added all my ~/.aws/credentials entries without their own --profile flags, I had the same behavior you describe. Adding a --profile flag for the login command (which I happen to set as the same value as the CLI profile name) got me exactly what I needed. From there, you can specify the profile you want, or do export AWS_PROFILE=profileName and it will remain set as long as you need.

mattmauriello, May 18 '22 19:05

@mattmauriello Thanks. Yup, that's what I did as well. I think, however, for completeness' sake, you should consider adding a --logout parameter, so that you can discard AWS CLI access tokens from a profile and session, instead of waiting until they expire.

mengano-net, May 27 '22 15:05

I'm late to the argument, but if you want to reset your ADFS connection you just need to delete the directory ~/.aws/adfs_cookies_XXXXXXXXXXXXXXXX.

Bozz95, May 25 '23 09:05