
`console` command doesn't logout from aws account before logging in

Open marchenm opened this issue 4 years ago • 3 comments

When using saml2aws console with multiple accounts, the accounts don't automatically log out.

Would it be possible to logout any active sessions and then sign in?

marchenm avatar Jul 30 '21 20:07 marchenm

I'm finding it a chore to have to click that "logout" link and then initiate the command again from the CLI.

I used to use aws-vault, and the same problem exists on that tool too. Some users have posted various workarounds, so there is hope for us. (For context: https://github.com/99designs/aws-vault/issues/721)

sonicintrusion avatar Jun 06 '24 15:06 sonicintrusion

Further info (in case anyone is also interested): the logout function isn't respecting the redirect_uri parameter. It will always bring up the https://aws.amazon.com/console/ page once it's logged out, so it's pretty impossible to get a clean logout-to-login process working. The messy way is to just do the logout and get saml2aws to open a new page:

Example (not working):

```bash
# The URL must be quoted: an unquoted '&' would background the open command
# and turn redirect_uri=... into a plain shell assignment.
open -a "Google Chrome.app" "https://signin.aws.amazon.com/oauth?Action=logout&redirect_uri=$(saml2aws -a "${PROFILE}" console --link)"
```

Example (working):

```bash
open -a "Google Chrome.app" "https://signin.aws.amazon.com/oauth?Action=logout"
saml2aws -a "${PROFILE}" console
```

sonicintrusion avatar Jun 06 '24 15:06 sonicintrusion

Oh boy, what a rabbit hole... this guy found the working URL; it only works in us-east-1: https://serverfault.com/questions/985255/is-it-possible-to-switch-between-aws-accounts-without-signing-out-first#comment1460111_1097528

Working script:

```bash
#!/usr/bin/env bash
# Fail early if saml2aws errors out, so we never open a URL with an empty token.
set -euo pipefail

PROFILE=${1:-default}

chrome="Google Chrome Dev.app"

# This regional (us-east-1) logout URL honours redirect_uri; the global one does not.
# The redirect target is the federation login endpoint, with the console destination
# double-encoded because it sits inside an already-encoded URL.
SIGNIN="https://us-east-1.signin.aws.amazon.com/oauth?Action=logout&redirect_uri=https%3A%2F%2Fus-east-1.signin.aws.amazon.com%2Ffederation%3FAction%3Dlogin%26Destination%3Dhttps%253A%252F%252Fus-west-2.console.aws.amazon.com%252Fconsole%252Fhome%26SigninToken"

# Extract the SigninToken from the federation link saml2aws prints:
# it is the value after the fifth '=' in that link.
TOKEN=$(saml2aws -a "${PROFILE}" console --link | cut -d'=' -f5)

# open works on Mac
open -a "${chrome}" "${SIGNIN}=${TOKEN}"
```

sonicintrusion avatar Jun 06 '24 16:06 sonicintrusion
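The same logout-then-login URL built programmatically, as an added example that is not part of this issue or of saml2aws: it parses the federation link that `saml2aws -a PROFILE console --link` prints, then nests it in the us-east-1 logout endpoint's `redirect_uri` with the double percent-encoding done by `urllib` rather than by a hand-written prefix and `cut -f5`. The sample link in the comments is constructed; `run()` assumes `saml2aws` is on PATH.

```python
"""Build the us-east-1 'logout, then log back in' console URL from a saml2aws link."""
import subprocess
from urllib.parse import parse_qs, urlencode, urlsplit

LOGOUT_ENDPOINT = "https://us-east-1.signin.aws.amazon.com/oauth"
LOGIN_ENDPOINT = "https://us-east-1.signin.aws.amazon.com/federation"


def signin_params(link: str) -> dict:
    """Pull SigninToken and Destination out of the federation link saml2aws prints."""
    query = parse_qs(urlsplit(link).query)
    if "SigninToken" not in query:
        raise ValueError("link has no SigninToken parameter")
    destination = query.get("Destination", ["https://console.aws.amazon.com/"])[0]
    return {"token": query["SigninToken"][0], "destination": destination}


def logout_then_login_url(link: str) -> str:
    """Return a logout URL whose redirect_uri re-enters via the federation login."""
    p = signin_params(link)
    login = LOGIN_ENDPOINT + "?" + urlencode(
        {"Action": "login", "Destination": p["destination"], "SigninToken": p["token"]}
    )
    # urlencode percent-encodes the nested login URL a second time, producing the
    # %253A%252F%252F form that the hand-written SIGNIN string above spells out.
    return LOGOUT_ENDPOINT + "?" + urlencode({"Action": "logout", "redirect_uri": login})


def redirect_target(url: str) -> dict:
    """Decode the nested redirect_uri of a logout URL back into its login parameters."""
    outer = parse_qs(urlsplit(url).query)
    inner = urlsplit(outer["redirect_uri"][0])
    params = {k: v[0] for k, v in parse_qs(inner.query).items()}
    params["endpoint"] = f"{inner.scheme}://{inner.netloc}{inner.path}"
    return params


def run(profile: str = "default") -> str:
    """Ask saml2aws for the console link (real CLI flags from this issue) and wrap it."""
    link = subprocess.run(
        ["saml2aws", "-a", profile, "console", "--link"],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    return logout_then_login_url(link)


if __name__ == "__main__":
    import sys
    import webbrowser

    webbrowser.open(run(sys.argv[1] if len(sys.argv) > 1 else "default"))
```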