feature request: aws-vault logout

Question

feature request: aws-vault logout

bevel-zgates opened this issue 2 years ago · comments

I make a lot of use of aws-vault login <profile> which is awesome and lets me bounce around accounts, and validate config etc, etc. However, I constantly run into the issue where I cannot initialize a session on AWS bevause my old session is still active. Any way that we could get an aws-vault logout that would allow us to cull the active session. Or perhaps a aws-vault login -f <profile> would be easier to implement/cleaner.

Fernando Miguel · Answer 1 · Fri Sep 09 2022 19:10:20 GMT+0800 (China Standard Time)

$ aws-vault
usage: aws-vault [<flags>] <command> [<args> ...]

A vault for securely storing and accessing AWS credentials in development environments.

Flags:
  --help                     Show context-sensitive help (also try --help-long and --help-man).
  --version                  Show application version.
  --debug                    Show debugging output
  --backend=keychain         Secret backend to use [keychain pass file] ($AWS_VAULT_BACKEND)
  --prompt=terminal          Prompt driver to use [kdialog osascript pass terminal ykman zenity] ($AWS_VAULT_PROMPT)
  --keychain="aws-vault"     Name of macOS keychain to use, if it doesn't exist it will be created ($AWS_VAULT_KEYCHAIN_NAME)
  --secret-service-collection="awsvault"
                             Name of secret-service collection to use, if it doesn't exist it will be created ($AWS_VAULT_SECRET_SERVICE_COLLECTION_NAME)
  --pass-dir=PASS-DIR        Pass password store directory ($AWS_VAULT_PASS_PASSWORD_STORE_DIR)
  --pass-cmd=PASS-CMD        Name of the pass executable ($AWS_VAULT_PASS_CMD)
  --pass-prefix=PASS-PREFIX  Prefix to prepend to the item path stored in pass ($AWS_VAULT_PASS_PREFIX)
  --file-dir="~/.awsvault/keys/"
                             Directory for the "file" password store ($AWS_VAULT_FILE_DIR)

Commands:
  help [<command>...]
    Show help.

[....]

  clear [<profile>]
    Clear temporary credentials from the secure keystore

see clear

Zach · Answer 2 · Fri Sep 09 2022 21:13:42 GMT+0800 (China Standard Time)

Good call, let me play around with that. Is there a way to keep the STS session intact while just disassociating it from the browser? Some of my environments have SSO hoops to jump through. And it would nice to still be able to exec against them but switch around the browser context.

On Fri, Sep 9, 2022, at 06:10, Fernando Miguel wrote: `$ aws-vault usage: aws-vault [<flags>] <command> [<args> ...] A vault for securely storing and accessing AWS credentials in development environments. Flags: --help Show context-sensitive help (also try --help-long and --help-man). --version Show application version. --debug Show debugging output --backend=keychain Secret backend to use [keychain pass file] ($AWS_VAULT_BACKEND) --prompt=terminal Prompt driver to use [kdialog osascript pass terminal ykman zenity] ($AWS_VAULT_PROMPT) --keychain="aws-vault" Name of macOS keychain to use, if it doesn't exist it will be created ($AWS_VAULT_KEYCHAIN_NAME) --secret-service-collection="awsvault" Name of secret-service collection to use, if it doesn't exist it will be created ($AWS_VAULT_SECRET_SERVICE_COLLECTION_NAME) --pass-dir=PASS-DIR Pass password store directory ($AWS_VAULT_PASS_PASSWORD_STORE_DIR) --pass-cmd=PASS-CMD Name of the pass executable ($AWS_VAULT_PASS_CMD) --pass-prefix=PASS-PREFIX Prefix to prepend to the item path stored in pass ($AWS_VAULT_PASS_PREFIX) --file-dir="~/.awsvault/keys/" Directory for the "file" password store ($AWS_VAULT_FILE_DIR) Commands: help [<command>...] Show help. [....] clear [<profile>] Clear temporary credentials from the secure keystore

`

see `clear` — Reply to this email directly, view it on GitHub <#1032 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASTN65JXSZOBM6F3CHIHSV3V5MLKPANCNFSM6AAAAAAQH63OJA>. You are receiving this because you authored the thread.Message ID: ***@***.***>

Zach Gates ** ***@***.*** 737.999.1889

Zach · Answer 3 · Fri Sep 09 2022 21:14:05 GMT+0800 (China Standard Time)

When I get back in front of a computer I'll test it out. Maybe there's a flag for that clear sub command.

On Fri, Sep 9, 2022, at 08:13, Zach Gates wrote: Good call, let me play around with that. Is there a way to keep the STS session intact while just disassociating it from the browser? Some of my environments have SSO hoops to jump through. And it would nice to still be able to exec against them but switch around the browser context. On Fri, Sep 9, 2022, at 06:10, Fernando Miguel wrote: > > > `$ aws-vault > usage: aws-vault [<flags>] <command> [<args> ...] > > A vault for securely storing and accessing AWS credentials in development environments. > > Flags: > --help Show context-sensitive help (also try --help-long and --help-man). > --version Show application version. > --debug Show debugging output > --backend=keychain Secret backend to use [keychain pass file] ($AWS_VAULT_BACKEND) > --prompt=terminal Prompt driver to use [kdialog osascript pass terminal ykman zenity] ($AWS_VAULT_PROMPT) > --keychain="aws-vault" Name of macOS keychain to use, if it doesn't exist it will be created ($AWS_VAULT_KEYCHAIN_NAME) > --secret-service-collection="awsvault" > Name of secret-service collection to use, if it doesn't exist it will be created ($AWS_VAULT_SECRET_SERVICE_COLLECTION_NAME) > --pass-dir=PASS-DIR Pass password store directory ($AWS_VAULT_PASS_PASSWORD_STORE_DIR) > --pass-cmd=PASS-CMD Name of the pass executable ($AWS_VAULT_PASS_CMD) > --pass-prefix=PASS-PREFIX Prefix to prepend to the item path stored in pass ($AWS_VAULT_PASS_PREFIX) > --file-dir="~/.awsvault/keys/" > Directory for the "file" password store ($AWS_VAULT_FILE_DIR) > > Commands: > help [<command>...] > Show help. > > [....] > > clear [<profile>] > Clear temporary credentials from the secure keystore

`

> see `clear` > > > > — > Reply to this email directly, view it on GitHub <#1032 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASTN65JXSZOBM6F3CHIHSV3V5MLKPANCNFSM6AAAAAAQH63OJA>. > You are receiving this because you authored the thread.Message ID: ***@***.***> > > Zach Gates ** ***@***.*** 737.999.1889

Zach Gates ** ***@***.*** 737.999.1889

Zach · Answer 4 · Sun Sep 11 2022 02:17:07 GMT+0800 (China Standard Time)

So I played around with this a bit today, and unfortunately it doesn't look like the aws-vault clear methods affect the login sessions. I've still got an active cookie (session maybe?) with the aws console. I tried a few other permutations as well too:

Login direct with --no-session
Login with IAM user
Login with assumed role
Login with sso account

Got this same result with each:

Looks like the prompt is just having us hit this: https://signin.aws.amazon.com/oauth?Action=logout

Michael Tibben · Answer 5 · Mon Dec 19 2022 12:58:48 GMT+0800 (China Standard Time)

Unfortunately this is not something aws-vault will be able to achieve. The auth cookie is stored in your browser. The best you could do is create a shell alias for open https://AWS_LOGOUT_URL