feature request - logout #204

Open
mengano-net opened this issue Jan 5, 2022 · 5 comments

mengano-net commented Jan 5, 2022

I need to be able to switch connections between multiple AWS accounts/IAM roles. I would love to have an aws-adfs logout implementation, so that I can log out from one role, then again issue aws-adfs login to select another account/role.

  • if I log into one, I'm able to access
❯ aws-adfs list
Available profiles:
 * profile mengano                |
 * default                        | arn:aws:iam::<sanitized>:role/ADFS-Admin
❯ aws s3 ls | grep athena
2021-06-23 10:06:21 rsh-arod-athena-query-results
❯
  • but if I then try to log in again, before the STS session timeout, I can't switch to another account/role, it only shows me details of the current session.
❯ aws-adfs login

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : 'default'
            * AWS region                        : 'us-east-2'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::<sanitized>:role/ADFS-Admin'
            * ADFS Server                       : '<sanitized>'
            * ADFS Session Duration in seconds  : '7200'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '3600'
            * SSPI:                             : 'False'
            * U2F and default method            : 'True'

❯

My details:

❯ aws-adfs --version
1.24.5
❯
❯ sw_vers
ProductName:	macOS
ProductVersion:	12.1
BuildVersion:	21C52
❯
@yermulnik

Probably reset is what you're looking for:

> aws-adfs reset --help
Usage: aws-adfs reset [OPTIONS]

  removes stored profile

Options:
  --profile TEXT  AWS cli profile that will be removed
  --help          Show this message and exit.

mengano-net commented Jan 6, 2022

Thanks for your time and reply.
Um … almost but not quite… let me explain:

Using aws-adfs reset removes the aws cli profile entirely, deleting it from ~/.aws/config, also removing any custom entries I may have in that profile.
I would much rather have an aws adfs logout that would remove the session tokens, leaving the rest of the profile intact.

@mattmauriello
Contributor

Sorry this is so late....
I do this by declaring a unique profile name during the login command.
To be specific, I'm using the "credential-process" method with --stdout set, so that when I do CLI commands I can set --profile DEV, then on the next command --profile QA, for example.
When I added all my ~/.aws/credentials entries without their own --profile flags, I had the same behavior you describe. Adding a --profile flag for the login command (which I happen to set as the same value as the CLI profile name) got me exactly what I needed. From there, you can specify the profile you want, or do
export AWS_PROFILE=profileName
and it will remain set as long as you need.

mengano-net commented May 27, 2022

@mattmauriello
Thanks. Yup, that's what I did as well. I think however, for completeness' sake, you should consider adding a --logout parameter, so that you can discard AWS CLI access tokens from a profile and session, instead of waiting until they expire.

Bozz95 commented May 25, 2023

I'm late on the argument but if you want to reset your adfs connection you just need to delete the directory ~/.aws/adfs_cookies_XXXXXXXXXXXXXXXX.
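
The logout requested in this thread (drop the session tokens, keep the rest of the profile) can be sketched as follows. This is an added example, not aws-adfs code: the function name `drop_session_tokens`, the sample file and the assumption that the tokens sit in an INI-style credentials file under the standard AWS CLI key names are all illustrative.

```python
import configparser
import os
import tempfile

# Standard AWS CLI credential keys; assumed to be what the login step stored.
SESSION_KEYS = ("aws_access_key_id", "aws_secret_access_key",
                "aws_session_token", "aws_security_token")

# Constructed sample file contents (fake values), used by demo() below.
SAMPLE = """[default]
aws_access_key_id = CONSTRUCTED-KEY-ID
aws_secret_access_key = constructed-secret
aws_session_token = constructed-token
region = us-east-2

[other]
aws_access_key_id = CONSTRUCTED-OTHER-ID
"""


def drop_session_tokens(credentials_path, profile):
    """Delete only the credential keys of one profile; return the keys removed."""
    parser = configparser.RawConfigParser()
    if not parser.read(credentials_path) or not parser.has_section(profile):
        return []  # missing file or unknown profile: nothing to do
    removed = [key for key in SESSION_KEYS if parser.remove_option(profile, key)]
    if removed:
        # mkstemp creates the file with mode 0600; os.replace swaps it in
        # atomically. Note: configparser does not preserve comments.
        directory = os.path.dirname(os.path.abspath(credentials_path))
        fd, tmp_path = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w") as handle:
            parser.write(handle)
        os.replace(tmp_path, credentials_path)
    return removed


def demo():
    """Run against a throwaway copy of SAMPLE; return what was removed and kept."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "credentials")
        with open(path, "w") as handle:
            handle.write(SAMPLE)
        removed = drop_session_tokens(path, "default")
        after = configparser.RawConfigParser()
        after.read(path)
        return removed, dict(after["default"]), dict(after["other"])


if __name__ == "__main__":
    print(demo())
```

Deleting the local copy does not invalidate the STS credentials on the AWS side; they remain usable by anyone who already holds them until they expire.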
