99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments
MIT License

Feature: Automatically logout before login #721

Open tm-lmathieu opened 3 years ago

tm-lmathieu commented 3 years ago

Using aws-vault login while already logged in opens a window that tells you to log out. Could there be a way to log out automatically?

moltar commented 3 years ago

Came here to open the same issue 😁

I noticed that SSO console links for "Management Console" do not require logout. Clicking any of the links in SSO logs you in right away.

While aws-vault login $PROFILE brings up a "you need to logout" screen first when switching between accounts.

Links point to:

https://${SSO_SUBDOMAIN}.awsapps.com/start/#/saml/custom/${ACCOUNT_ID}%20%28${ACCOUNT_NAME}%29/${SOME_SORT_OF_TOKEN}%3D%3D

Management Console

This works automatically.

[screenshot: Management Console]

Manual Logout

[screenshot: Manual Logout]

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

moltar commented 2 years ago

GitHub stale bot considered harmful

cob16 commented 10 months ago

This annoys me quite a lot as well. I thought about making a browser extension that would auto logout and reload the link when it detected this page, but I settled on making a quick bash function that I put in my ~/.bashrc instead.

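aws-vault() {
    # Intercept "aws-vault login ..." and open the console logout URL first
    if [[ "$*" == login* ]]; then
        echo "logging out first"
        # Single quotes keep "!" literal (no history expansion)
        command xdg-open 'https://eu-west-2.console.aws.amazon.com/cloudformation/logout!doLogout'
    fi
    # "command" bypasses this function and runs the real binary
    command aws-vault "$@"
}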

Hope that helps you @tm-lmathieu & @moltar 😁

tm-lmathieu commented 10 months ago

I also found a solution, I should have posted it here a good while ago. Here's my bash alias:

alias yalogin='f(){ sensible-browser --new-window https://signin.aws.amazon.com/oauth\?Action\=logout && sleep 1 && wmctrl -c :ACTIVE: && aws-vault --prompt ykman login "$1"; }; f'

It launches a new window of my default browser on the logout URL, waits for one second, uses wmctrl to close the active window, then runs the login command with my Yubikey for the 2FA.

amanibhavam commented 8 months ago

I found a way to log out and redirect to the federated login link using https://signin.aws.amazon.com/oauth?Action=logout&redirect_uri=${aws_vault_login_url}

# aws-vault profile to log in to, passed as the first argument
account="${1:?usage: pass an aws-vault profile name}"

# modify the federated login link to use the us-east-1 endpoint
url=$(aws-vault login "${account}" -s | sed 's#://#://us-east-1.#')

# urlencode the federated link because it will be embedded as a query parameter
# (urllib.parse only exists in Python 3, so call python3 explicitly)
encoded_url=$(printf "%s" "$url" | python3 -c 'import sys; from urllib.parse import quote_plus; print(quote_plus(sys.stdin.read().strip()))')

# use the oauth URL with Action=logout and a redirect_uri set to the federated link
open "https://signin.aws.amazon.com/oauth?Action=logout&redirect_uri=${encoded_url}"

I could only get this to work if the federated link is modified to use the us-east-1 endpoint. Didn't find documentation on why this trick works.
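
The logout-and-redirect approach from the last comment, as an added example that is not part of the thread or of aws-vault itself: it checks the sign-in link's scheme and host before embedding it as redirect_uri and encodes it without Python. The function names are hypothetical, and it assumes the link printed by aws-vault login -s starts with https://signin.aws.amazon.com/federation?.

```shell
# Added example (not from the thread); function names are hypothetical.

# Percent-encode every character outside the RFC 3986 unreserved set
# (the input here is an ASCII URL).
urlencode() (
    LC_ALL=C
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}          # everything after the first character
        c=${s%"$rest"}       # the first character itself
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
)

# Build the logout-then-redirect URL from a federated sign-in link.
# Assumption: the link starts with https://signin.aws.amazon.com/federation?
# Anything else is refused rather than passed to the browser as redirect_uri.
logout_then_login_url() (
    case $1 in
        'https://signin.aws.amazon.com/federation?'*) ;;
        *) echo "refusing unexpected sign-in link" >&2; exit 1 ;;
    esac
    # Same rewrite as the sed in the thread: use the us-east-1 endpoint.
    regional="https://us-east-1.${1#https://}"
    printf 'https://signin.aws.amazon.com/oauth?Action=logout&redirect_uri=%s\n' \
        "$(urlencode "$regional")"
)

# Wrapper: the link carries a SigninToken, so it is never echoed or logged.
aws_vault_relogin() {
    link=$(aws-vault login "$1" -s) || return 1
    target=$(logout_then_login_url "$link") || return 1
    if command -v xdg-open >/dev/null 2>&1; then
        xdg-open "$target"   # Linux
    else
        open "$target"       # macOS, as in the thread
    fi
}
```

Sourced from ~/.bashrc, aws_vault_relogin takes the profile name as its only argument.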