feature request: aws-vault logout
bevel-zgates opened this issue · comments
I make a lot of use of `aws-vault login <profile>`, which is awesome and lets me bounce around accounts, and validate config, etc., etc. However, I constantly run into the issue where I cannot initialize a session on AWS because my old session is still active. Any way that we could get an `aws-vault logout` that would allow us to cull the active session? Or perhaps an `aws-vault login -f <profile>` would be easier to implement/cleaner.
```
$ aws-vault
usage: aws-vault [<flags>] <command> [<args> ...]

A vault for securely storing and accessing AWS credentials in development environments.

Flags:
  --help Show context-sensitive help (also try --help-long and --help-man).
  --version Show application version.
  --debug Show debugging output
  --backend=keychain Secret backend to use [keychain pass file] ($AWS_VAULT_BACKEND)
  --prompt=terminal Prompt driver to use [kdialog osascript pass terminal ykman zenity] ($AWS_VAULT_PROMPT)
  --keychain="aws-vault" Name of macOS keychain to use, if it doesn't exist it will be created ($AWS_VAULT_KEYCHAIN_NAME)
  --secret-service-collection="awsvault"
      Name of secret-service collection to use, if it doesn't exist it will be created ($AWS_VAULT_SECRET_SERVICE_COLLECTION_NAME)
  --pass-dir=PASS-DIR Pass password store directory ($AWS_VAULT_PASS_PASSWORD_STORE_DIR)
  --pass-cmd=PASS-CMD Name of the pass executable ($AWS_VAULT_PASS_CMD)
  --pass-prefix=PASS-PREFIX Prefix to prepend to the item path stored in pass ($AWS_VAULT_PASS_PREFIX)
  --file-dir="~/.awsvault/keys/"
      Directory for the "file" password store ($AWS_VAULT_FILE_DIR)

Commands:
  help [<command>...]
    Show help.
  [....]
  clear [<profile>]
    Clear temporary credentials from the secure keystore
```

see `clear`
So I played around with this a bit today, and unfortunately it doesn't look like the `aws-vault clear` methods affect the login sessions. I've still got an active cookie (session maybe?) with the AWS console. I tried a few other permutations as well:
- Login direct with --no-session
- Login with IAM user
- Login with assumed role
- Login with sso account
Got this same result with each:
Looks like the prompt is just having us hit this: https://signin.aws.amazon.com/oauth?Action=logout
Unfortunately this is not something aws-vault will be able to achieve. The auth cookie is stored in your browser. The best you could do is create a shell alias for `open https://AWS_LOGOUT_URL`
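
The workaround from the last comment, written out as shell functions that end the browser's console session and then start a new one. This is an added example, not part of the thread or of aws-vault; the function names and the `AWS_CONSOLE_OPENER` and `AWS_RELOGIN_DELAY` variables are assumptions, and the logout URL is the one quoted earlier in the thread.

```shell
# Added example (not from the thread): console logout followed by a fresh login.
# The auth cookie lives in the browser, so the logout has to happen there;
# `aws-vault clear` only removes temporary credentials from the keystore.

# Logout URL as quoted in the thread.
AWS_CONSOLE_LOGOUT_URL='https://signin.aws.amazon.com/oauth?Action=logout'

# Print the command used to open a URL in the default browser.
# AWS_CONSOLE_OPENER (assumed name) overrides auto-detection.
aws_console_opener() {
  if [ -n "${AWS_CONSOLE_OPENER:-}" ]; then
    printf '%s\n' "$AWS_CONSOLE_OPENER"
  elif command -v xdg-open >/dev/null 2>&1; then
    printf 'xdg-open\n'        # Linux desktops
  elif command -v open >/dev/null 2>&1; then
    printf 'open\n'            # macOS
  else
    echo "no URL opener found; set AWS_CONSOLE_OPENER" >&2
    return 1
  fi
}

# Send the browser to the logout URL so the old console session is dropped.
aws_console_logout() {
  _aws_opener=$(aws_console_opener) || return 1
  "$_aws_opener" "$AWS_CONSOLE_LOGOUT_URL"
}

# Log out, wait briefly for the browser to process it, then log in again.
# AWS_RELOGIN_DELAY (assumed name) is the pause in seconds, default 2.
aws_vault_relogin() {
  if [ "$#" -lt 1 ]; then
    echo "usage: aws_vault_relogin <profile>" >&2
    return 2
  fi
  aws_console_logout || return 1
  sleep "${AWS_RELOGIN_DELAY:-2}"
  aws-vault login "$@"
}
```

Source the file from your shell profile and call `aws_vault_relogin <profile>` in place of `aws-vault login <profile>`.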