add --no-session flag to login command

The flag defaults to false but will be switched to true if the given profile does not have a SourceProfile, since a session token cannot be used to create a sign in url. SessionDuration must be omitted from the request to get the sign in token if the credentials were from an assumed role that used a session.
99designs · May 17, 2019 · 6f1fb7a · 6f1fb7a
1 parent d4cfc81
commit 6f1fb7a
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/USAGE.md b/USAGE.md
@@ -80,12 +80,10 @@ mfa_serial = arn:aws:iam::IAM_ACCOUNTID:mfa/work-account
 [profile work-read_only_role]
 role_arn = arn:aws:iam::IAM_ACCOUNTID:role/read_only_role
 source_profile = work
-mfa_serial = arn:aws:iam::IAM_ACCOUNTID:mfa/work-account
 
 [profile work-admin_role]
 role_arn = arn:aws:iam::IAM_ACCOUNTID:role/admin_role
 source_profile = work
-mfa_serial = arn:aws:iam::IAM_ACCOUNTID:mfa/work-account
 ```
 
 ## Listing profiles

diff --git a/cli/login.go b/cli/login.go
@@ -33,12 +33,17 @@ type LoginCommandInput struct {
 	AssumeRoleDuration      time.Duration
 	Region                  string
 	Path                    string
+	NoSession               bool
 }
 
 func ConfigureLoginCommand(app *kingpin.Application) {
 	input := LoginCommandInput{}
 
 	cmd := app.Command("login", "Generate a login link for the AWS Console")
+	cmd.Flag("no-session", "Use root credentials, no session created").
+		Short('n').
+		BoolVar(&input.NoSession)
+
 	cmd.Arg("profile", "Name of the profile").
 		Required().
 		StringVar(&input.Profile)
@@ -80,12 +85,17 @@ func LoginCommand(app *kingpin.Application, input LoginCommandInput) {
 
 	profile, _ := awsConfig.Profile(input.Profile)
 
+	noSession := input.NoSession
+	if profile.SourceProfile == "" {
+		noSession = true
+	}
+
 	provider, err := vault.NewVaultProvider(input.Keyring, input.Profile, vault.VaultOptions{
 		AssumeRoleDuration: input.AssumeRoleDuration,
 		MfaToken:           input.MfaToken,
 		MfaPrompt:          input.MfaPrompt,
 		Path:               input.Path,
-		NoSession:          true,
+		NoSession:          noSession,
 		Config:             awsConfig,
 		Region:             profile.Region,
 	})
@@ -144,7 +154,7 @@ func LoginCommand(app *kingpin.Application, input LoginCommandInput) {
 	q.Add("Session", string(jsonBytes))
 
 	// not needed for federation tokens
-	if !isFederated {
+	if noSession && !isFederated {
 		q.Add("SessionDuration", fmt.Sprintf("%.f", sessionDuration.Seconds()))
 	}