Feature: Automatically logout before login

[tm-lmathieu]

Using aws-vault login while already logged in opens a window that tells you to log out. Could there be a way to logout automatically?

[moltar]

Came here to open the same issue 😁

I noticed that SSO console links for "Management Console" do not require logout. Clicking any of the links in SSO logs you in right away.

While when aws-vault login $PROFILE brings up a "you need to logout" screen first when switching between accounts.

Links point to:

https://${SSO_SUBDOMAIN}.awsapps.com/start/#/saml/custom/${ACCOUNT_ID}%20%28${ACCOUNT_NAME}%29/${SOME_SORT_OF_TOKEN}%3D%3D

---

Management Console

This works automatically.

---

Manual Logout

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[cob16]

This annoys me quite a lot as well.
I thought about making a browser extension that would auto logout and reload the link when it detected this page, but I settled on making a quick bash function that I put in my ~/.bashrc instead.

aws-vault() {
    if [[ $@ = login* ]]; then
        echo "logging out first"
        command xdg-open https://eu-west-2.console.aws.amazon.com/cloudformation/logout\!doLogout
        command aws-vault "$@"
    else
        command aws-vault "$@"
    fi
}

• This function logs out your browser from AWS before running aws-vault login.
• xdg-open opens the default browser (depending on your machine you may need a different command)

Hope that helps you @tm-lmathieu & @moltar 😁

[tm-lmathieu]

I also found a solution, I should have posted it here a good while ago. Here's my bash alias:

alias yalogin='f(){sensible-browser --new-window https://signin.aws.amazon.com/oauth\?Action\=logout && sleep 1 && wmctrl -c :ACTIVE: && aws-vault --prompt ykman login $1}; f'

It launches a new window of my default browser on the logout URL, waits for one second, uses wmcrtl to close the active window, then runs the login command with my Yubikey for the 2FA.

[amanibhavam]

I found a way to log out and redirect to the federated login link using https://signin.aws.amazon.com/oauth?Action=logout&redirect_uri=${aws_vault_login_url}"

# modify the federated login link to use the us-east-1 endpoint
url=$(aws-vault login "${account}" -s | sed 's#://#://us-east-1.#')

# urlencode the federated link because it will be embedded as a query parameter
encoded_url=$(printf "%s" "$url" | python -c 'import sys; from urllib.parse import quote_plus; print(quote_plus(sys.stdin.read().strip()))')

# use the oauth URL with Action=logout and a redirect_uri set to the federated link
open "https://signin.aws.amazon.com/oauth?Action=logout&redirect_uri=${encoded_url}"

I could only get this to work if the federated link is modified to use the us-east-1 endpoint. Didn't find documentation on why this trick works.