venth / aws-adfs

Command line tool to ease aws cli authentication against ADFS (multi factor authentication with active directory)
MIT License

feature request - logout #204

Open mengano-net opened 2 years ago

mengano-net commented 2 years ago

I need to be able to switch connections between multiple AWS accounts/IAM roles. I would love to have an aws-adfs logout implementation, so that I can log out from one role, then issue aws-adfs login again to select another account/role.


My details:

❯ aws-adfs --version
1.24.5
❯ sw_vers
ProductName:    macOS
ProductVersion: 12.1
BuildVersion:   21C52

yermulnik commented 2 years ago

Probably reset is what you're looking for:

> aws-adfs reset --help
Usage: aws-adfs reset [OPTIONS]

  removes stored profile

Options:
  --profile TEXT  AWS cli profile that will be removed
  --help          Show this message and exit.

mengano-net commented 2 years ago

Thanks for your time and reply. Um … almost but not quite… let me explain:

Using aws-adfs reset removes the AWS CLI profile entirely, deleting it from ~/.aws/config and also removing any custom entries I may have in that profile. I would much rather have an aws-adfs logout that would remove the session tokens, leaving the rest of the profile intact.

mattmauriello commented 2 years ago

Sorry this is so late.... I do this by declaring a unique profile name during the login command. To be specific, I'm using the "credential-process" method with --stdout set, so that when I do CLI commands I can set --profile DEV, then on the next command --profile QA, for example. When I added all my ~/.aws/credentials entries without their own --profile flags, I had the same behavior you describe. Adding a --profile flag to the login command (which I happen to set to the same value as the CLI profile name) got me exactly what I needed. From there, you can specify the profile you want, or do export AWS_PROFILE=profileName and it will remain set as long as you need.

mengano-net commented 2 years ago

@mattmauriello Thanks. Yup, that's what I did as well. I think, however, for completeness' sake, you should consider adding a --logout parameter, so that you can discard AWS CLI access tokens from a profile and session instead of waiting until they expire.
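As an added illustration of the logout behaviour requested in this thread (this is example code, not part of aws-adfs), the script below strips only the temporary session credentials of one profile from the text of an ~/.aws/credentials file and leaves every other key in that profile, and every other profile, untouched. It assumes the federated login stores the three standard AWS CLI credential keys plus an aws_session_expiration key; the sample file contents are constructed.

```python
"""Remove only the temporary session credentials from one AWS CLI profile."""
import configparser
import io

# Keys a federated login is assumed to write for a profile. The first three are
# the AWS CLI's standard credential keys; aws_session_expiration is an
# assumption about what the tool stores alongside them.
SESSION_KEYS = (
    "aws_access_key_id",
    "aws_secret_access_key",
    "aws_session_token",
    "aws_session_expiration",
)


def parse_credentials(text):
    """Parse INI-style credentials text; interpolation off so '%' in values is safe."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(text)
    return parser


def logout_profile(text, profile):
    """Return (new_text, removed_keys) with the session keys of `profile` gone.

    Other keys in that profile and all other profiles are preserved.
    Raises KeyError if the profile does not exist, so a typo never silently
    succeeds.
    """
    parser = parse_credentials(text)
    if not parser.has_section(profile):
        raise KeyError(profile)
    # remove_option returns True only when the key was actually present
    removed = [k for k in SESSION_KEYS if parser.remove_option(profile, k)]
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue(), removed


def has_session(text, profile):
    """True if `profile` still carries a session token (i.e. is 'logged in')."""
    parser = parse_credentials(text)
    return parser.has_section(profile) and parser.has_option(
        profile, "aws_session_token"
    )


# Constructed sample ~/.aws/credentials with two federated profiles (not real keys).
SAMPLE = """[dev]
aws_access_key_id = ASIAEXAMPLEDEVKEY
aws_secret_access_key = devsecretexample
aws_session_token = devtokenexample
aws_session_expiration = 2022-01-01T00:00:00+00:00
region = us-east-1

[qa]
aws_access_key_id = ASIAEXAMPLEQAKEY
aws_secret_access_key = qasecretexample
aws_session_token = qatokenexample
"""

if __name__ == "__main__":
    # Log out of "dev" only; "qa" and the custom region key in "dev" survive.
    new_text, removed = logout_profile(SAMPLE, "dev")
    print("removed from dev:", removed)
    print(new_text)
```

To apply it to a real file, read ~/.aws/credentials, pass its contents to logout_profile, and write the result back with the file's original permissions (0600); a dry run that only prints the result is a sensible first step.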

Bozz95 commented 1 year ago

I'm late to the discussion, but if you want to reset your adfs connection you just need to delete the directory ~/.aws/adfs_cookies_XXXXXXXXXXXXXXXX.