AWS Session Script
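#!/usr/bin/env bash
# Usage: aws-session [-r <region>] (-i | [<account>] <token>)
# Sets up aws configuration for API access using temporary credentials:
# long-term keys are read from the 'base' profile, an MFA code is sent to
# STS, and the resulting temporary credentials are written to 'default'.
# Note the argument order: the account name (if any) comes BEFORE the MFA
# token code, which is how the positional arguments are actually consumed.
# See: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
# https://mharrison.org/post/aws_mfa/
#
# Shell options are set here rather than on the shebang line: options given
# there are silently dropped when the script is run as 'bash aws-session'.
# pipefail makes a failing 'jq' in the 'echo ... | jq' pipelines fatal too.
set -e -o pipefail

# Print the usage text to stderr and exit with status 1.
# Arguments: none. Globals: none.
usage(){
  cat >&2 <<EOF
Usage: aws-session [-r <region>] (-i | [<account>] <token>)
  -r <region> - set the region
  -i - import temporary credentials into default credentials
  <account>   - optional account whose access role is assumed
  <token>     - current MFA token code
Accounts: kubernetes, k8s-dev, k8s-sandbox
EOF
  exit 1
}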
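# Parse the leading options; whatever remains in $1/$2 (account, token) is
# consumed further down.
# Globals written: IMPORT ("true" for -i), AWS_REGION (from -r).
while getopts ":ir:" OPT; do
  case "$OPT" in
    i)
      IMPORT="true"
      ;;
    r)
      AWS_REGION=$OPTARG
      ;;
    :)
      # The leading ':' in the optstring makes getopts report a missing
      # option argument here (OPTARG holds the option letter). Previously
      # this case was absent, so 'aws-session -r' silently ran with no
      # region set.
      echo "Option -$OPTARG requires an argument" >&2
      usage
      ;;
    \?)
      # Unknown option; getopts puts the offending letter in OPTARG, not in
      # OPT (which is always '?' here). The old code compared OPT against
      # "h", so '-h' printed "Invalid option" instead of just the usage.
      if [ "$OPTARG" != "h" ]; then
        echo "Invalid option: -$OPTARG" >&2
      fi
      usage   # exits 1
      ;;
  esac
done
shift $((OPTIND - 1))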
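# Copy temporary credentials that are already present in the environment
# (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN) into the
# 'default' profile.
# Globals read: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN,
#               AWS_REGION (optional).
# Returns: 1 when any of the three credential variables is empty or unset.
import_credentials(){
  local name
  # All three are needed for a usable session. The old check only looked
  # at the key id and let 'aws configure set' fail later on an empty value.
  for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    if [ ! "${!name}" ]; then
      echo "ERROR: You need to manually set AWS_* vars for import ($name is not set)" >&2
      return 1
    fi
  done
  echo "Updating default AWS credentials..."
  # NOTE: 'aws configure set' receives the secret on its command line, so it
  # is briefly visible in 'ps' output (and in the trace if 'set -x' is on).
  aws --profile default configure set aws_access_key_id "$AWS_ACCESS_KEY_ID"
  aws --profile default configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
  aws --profile default configure set aws_session_token "$AWS_SESSION_TOKEN"
  if [ "$AWS_REGION" ]; then
    aws --profile default configure set region "$AWS_REGION"
  fi
  echo "AWS session credentials updated."
}
if [ "$IMPORT" ]; then
  # Called as a plain command (not in a '||' list) so that 'set -e' still
  # applies inside the function to a failing 'aws configure set'.
  import_credentials
  exit $?
fi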
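# Positional arguments: '<token>' alone, or '<account> <token>' (account
# first, token second).
if [[ $# -ne 1 && $# -ne 2 ]]; then
  printf 'Not enough arguments.\n\n' >&2
  usage
fi
# Requested lifetime of the temporary credentials, in seconds: 8 hours (a
# workday) unless SESSION_TIMEOUT overrides it. It is passed straight to
# '--duration-seconds', so insist on a plain integer here.
TIMEOUT=${SESSION_TIMEOUT-28800}
if [[ ! "$TIMEOUT" =~ ^[0-9]+$ ]]; then
  echo "ERROR: SESSION_TIMEOUT must be a whole number of seconds (got '$TIMEOUT')" >&2
  exit 1
fi
if [[ $# -eq 1 ]]; then
  TOKEN=$1
else
  ACCOUNT=$1
  TOKEN=$2
fi
# AWS virtual/hardware MFA devices produce six-digit codes; rejecting
# anything else here catches swapped arguments ('<token> <account>') before
# the value is sent to STS.
if [[ ! "$TOKEN" =~ ^[0-9]{6}$ ]]; then
  echo "Invalid MFA token code '$TOKEN' (expected six digits)" >&2
  usage
fi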
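# The long-term keys must live in a profile named 'base'; 'default' is
# overwritten with temporary credentials at the end of the script.
if ! aws --profile base configure get aws_access_key_id &>/dev/null; then
  echo "Base profile 'base' not found" >&2
  exit 1
fi
printf '%s' "... getting caller identity: "
# Test the assignment inside the 'if': under 'set -e' a failing bare
# assignment exits before a separate '$?' check gets to print anything.
if ! CALLER=$(aws --profile base --output json sts get-caller-identity); then
  echo "Error getting caller identity" >&2
  exit 1
fi
ARN=$(printf '%s' "$CALLER" | jq -r .Arn)
echo "$ARN"
# The MFA serial number is derived from the user ARN by rewriting
# 'arn:aws:iam::<acct>:user/<name>' to 'arn:aws:iam::<acct>:mfa/<name>'.
# This assumes the MFA device carries the same name as the IAM user (the
# console default for virtual MFA) — TODO confirm for hardware devices.
# The substitution is only meaningful for an IAM user: an assumed-role
# caller has no ':user/' segment and would otherwise reach STS with its raw
# ARN as the serial number and fail with an unhelpful error.
if [[ "$ARN" != *:user/* ]]; then
  echo "ERROR: profile 'base' must be an IAM user with an MFA device; caller is $ARN" >&2
  exit 1
fi
ARN=${ARN/:user/:mfa}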
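# Extract the three credential fields from an STS JSON response.
# Arguments: the JSON document; all arguments are joined with spaces, so an
#            unquoted command substitution still works as a caller.
# Globals written: KEYID, SECRETKEY, TOKEN.
# Returns: 1 if any field is absent or empty (error response, empty input),
#          so a caller under 'set -e' stops instead of writing the literal
#          string "null" into the credentials file as the old code did.
parse-credentials(){
  local CREDS="$*"
  local field
  # '// empty' turns a missing key into no output rather than "null".
  KEYID=$(printf '%s' "$CREDS" | jq -r '.Credentials.AccessKeyId // empty')
  SECRETKEY=$(printf '%s' "$CREDS" | jq -r '.Credentials.SecretAccessKey // empty')
  TOKEN=$(printf '%s' "$CREDS" | jq -r '.Credentials.SessionToken // empty')
  for field in KEYID SECRETKEY TOKEN; do
    if [ ! "${!field}" ]; then
      echo "ERROR: STS response is missing a credential field ($field)" >&2
      return 1
    fi
  done
}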
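# Obtain temporary credentials, authenticated with the MFA code in $TOKEN:
# either for the access role in one of the known accounts (assume-role) or
# for the IAM user itself (get-session-token).
if [ "$ACCOUNT" ]; then
  case "$ACCOUNT" in
    kubernetes)
      ROLE_ARN="arn:aws:iam::631824116433:role/KubernetesAccountAccessRole"
      ;;
    k8s-dev)
      ROLE_ARN="arn:aws:iam::068438446535:role/K8sDevAccountAccessRole"
      ;;
    k8s-sandbox)
      ROLE_ARN="arn:aws:iam::341081005506:role/K8sSandboxAccountAccessRole"
      ;;
    *)
      # Without this default an unknown account reached assume-role with an
      # empty --role-arn and failed with an unhelpful STS error.
      echo "Unknown account '$ACCOUNT'" >&2
      usage
      ;;
  esac
  echo "... getting temporary credentials for '$ACCOUNT' account"
  # The old code prefixed this call with AWS_ACCESS_KEY_ID=$KEYID etc.; that
  # had no effect (KEYID/SECRETKEY are only set by parse-credentials, which
  # runs afterwards, and AWS_SESSION_TOKEN would have carried the MFA code),
  # so the base profile's long-term keys plus the MFA code are used directly.
  # --output json: the jq parsing below must not depend on the output
  # format configured in the user's profile.
  # $USER is not guaranteed to be set (cron, some containers); fall back to
  # the login name for the role session name.
  # NOTE: a --duration-seconds above the role's MaxSessionDuration is
  # rejected by STS, so the 8h default needs the role configured for it.
  if ! CREDS=$(aws --profile base --output json sts assume-role \
      --role-arn "$ROLE_ARN" \
      --role-session-name "${USER:-$(id -un)}" \
      --duration-seconds "$TIMEOUT" \
      --serial-number "$ARN" --token-code "$TOKEN"); then
    echo "Error assuming role $ROLE_ARN" >&2
    exit 1
  fi
else
  echo "... getting temporary credentials for main account"
  if ! CREDS=$(aws --profile base --output json sts get-session-token \
      --duration-seconds "$TIMEOUT" --serial-number "$ARN" --token-code "$TOKEN"); then
    echo "Error getting session token" >&2
    exit 1
  fi
fi
# The STS call is checked explicitly above: when its output was passed as
# an unquoted command substitution straight to parse-credentials, 'set -e'
# only ever saw parse-credentials' exit status, not the aws call's.
parse-credentials "$CREDS"
echo "... updating profile 'default'"
# NOTE: 'aws configure set' receives the secret on its command line, so it
# is briefly visible in 'ps' output (and in the trace if 'set -x' is on).
aws --profile default configure set aws_access_key_id "$KEYID"
aws --profile default configure set aws_secret_access_key "$SECRETKEY"
aws --profile default configure set aws_session_token "$TOKEN"
if [ "$AWS_REGION" ]; then
  aws --profile default configure set region "$AWS_REGION"
fi
echo "Profile 'default' updated with temporary credentials expiring in $TIMEOUT seconds"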