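#!/bin/bash
# get-aws-creds -- turn an IAM user's long-term keys plus an MFA code into
# temporary STS credentials (optionally assuming a role with them) and hand
# them back two ways:
#   1. as `export ...` lines on stdout, so the caller can run
#        eval "$(get-aws-creds)"
#   2. written into the profile named by $DESTINATION_PROFILE
#      (default "current_session") with `aws configure set`.
# Everything else (prompts, progress, errors) goes to stderr. Requires a TTY
# on stdin for the MFA prompt; exits 255 on any failure.
#
# Configuration is read with `aws configure get`, so it honours AWS_PROFILE:
#   source_profile      profile that holds the long-term keys (optional;
#                       otherwise the current profile's keys are used)
#   aws_access_key_id / aws_secret_access_key
#   region              copied to the destination profile when set
#   mfa_serial          MFA device ARN; looked up via IAM when unset
#   role_arn            role to assume with the MFA session (optional)
#   duration_seconds    lifetime of the credentials handed back, both with
#                       and without a role (default 43200 = 12 hours)
# Environment:
#   AWS_MFA_CODE         MFA code to use instead of prompting
#   DESTINATION_PROFILE  profile to write the credentials to
#
# Security notes:
#   - `aws configure set` only takes values as arguments, so the temporary
#     secret and session token are visible in the process list (ps) for the
#     duration of each call. They are short-lived, but avoid shared hosts.
#   - The long-term keys are only exported into this process's environment;
#     they are never printed or written anywhere by this script.
#   - A pre-existing AWS_SESSION_TOKEN is rejected: STS will not issue a new
#     session from credentials that are already temporary.
#   - Every aws call whose output is parsed forces --output json, so a
#     user-level `output = text` setting cannot break the extraction.
#
# GPL 2 or higher

# Print a message to stderr and abort with the script's failure status.
die() {
  printf '%s\n' "$*" >&2
  exit 255
}

# json_field KEY JSON -- print the string value of "KEY" from pretty-printed
# (one key per line) aws CLI JSON output. KEY is always a literal identifier
# from this script, never user input, so it is safe to splice into sed.
json_field() {
  printf '%s\n' "$2" | sed -n "s!.*\"$1\": \"\\(.*\\)\".*!\\1!p"
}

# parse_credentials JSON -- set access/secret/session/expire from an STS
# response. Returns non-zero if any of the three credential parts is missing.
parse_credentials() {
  access=$(json_field AccessKeyId "$1")
  secret=$(json_field SecretAccessKey "$1")
  session=$(json_field SessionToken "$1")
  expire=$(json_field Expiration "$1")
  [ -n "$access" ] && [ -n "$secret" ] && [ -n "$session" ]
}

# publish_credentials -- emit the current access/secret/session as export
# lines on stdout (for eval) and store them in $destination_profile.
publish_credentials() {
  echo "export AWS_SESSION_TOKEN=$session"
  echo "export AWS_SECRET_ACCESS_KEY=$secret"
  echo "export AWS_ACCESS_KEY_ID=$access"
  # Values have to go on the command line: see the security note in the header.
  aws configure set aws_access_key_id "$access" --profile "$destination_profile"
  aws configure set aws_secret_access_key "$secret" --profile "$destination_profile"
  aws configure set aws_session_token "$session" --profile "$destination_profile"
}

[ -t 0 ] || die "Must be on a tty"
command -v aws >/dev/null 2>&1 || die "aws CLI not found in PATH"

# Long-term keys come from source_profile when set, else from the current profile.
config_source_profile=$(aws configure get source_profile)
if [ -n "$config_source_profile" ]; then
  config_aws_access_key_id=$(aws configure get aws_access_key_id --profile "$config_source_profile")
  config_aws_secret_access_key=$(aws configure get aws_secret_access_key --profile "$config_source_profile")
else
  config_aws_access_key_id=$(aws configure get aws_access_key_id)
  config_aws_secret_access_key=$(aws configure get aws_secret_access_key)
fi
config_region=$(aws configure get region)
config_mfa_device=$(aws configure get mfa_serial)
config_role_arn=$(aws configure get role_arn)
config_duration_seconds=$(aws configure get duration_seconds)
: "${config_duration_seconds:=43200}"   # 12 hours

# From here on talk to AWS with the long-term keys directly. AWS_PROFILE is
# dropped, presumably so the CLI uses the exported keys rather than applying
# the profile's own role/MFA settings itself. The keys are only exported when
# the config actually supplied them, so keys already present in the
# environment keep working (the error text below offers that as an option).
unset AWS_PROFILE
if [ -n "$config_aws_access_key_id" ] && [ -n "$config_aws_secret_access_key" ]; then
  export AWS_ACCESS_KEY_ID=$config_aws_access_key_id
  export AWS_SECRET_ACCESS_KEY=$config_aws_secret_access_key
fi
if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
  die "Session token found. This can not be used to generate a new token.
unset AWS_SESSION_TOKEN AWS_SECRET_ACCESS_KEY AWS_ACCESS_KEY_ID
and then ensure you have a profile with the normal access key credentials or
set the variables to the normal keys.
"
fi

if [ -n "$config_mfa_device" ]; then
  device=$config_mfa_device
else
  # No mfa_serial configured: find the caller's IAM user name, then its device.
  identity=$(aws sts get-caller-identity --output json)
  # NOTE(review): a user created with an IAM path would yield "path/name"
  # here, which list-mfa-devices rejects; set mfa_serial explicitly then.
  username=$(printf '%s\n' "$identity" | sed -n 's!.*"arn:aws:iam::.*:user/\(.*\)".*!\1!p')
  if [ -z "$username" ]; then
    die "Can not identify who you are. Looking for a line like
arn:aws:iam::.....:user/FOO_BAR
but did not find one in the output of
aws sts get-caller-identity
$identity"
  fi
  echo "You are: $username" >&2
  mfa=$(aws iam list-mfa-devices --user-name "$username" --output json)
  device=$(json_field SerialNumber "$mfa")
  if [ -z "$device" ]; then
    die "Can not find any MFA device for you. Looking for a SerialNumber
but did not find one in the output of
aws iam list-mfa-devices --user-name \"$username\"
$mfa"
  fi
  case $device in
    *$'\n'*)
      # Several devices come back one per line. Picking one silently would be
      # a guess, and a multi-line serial number fails at STS anyway.
      die "Found more than one MFA device for $username; set mfa_serial in your
AWS config to the one you want to use:
$device"
      ;;
  esac
fi
echo "Your MFA device is: $device" >&2

if [ -n "${AWS_MFA_CODE:-}" ]; then
  code=$AWS_MFA_CODE
else
  printf 'Enter your MFA code now: ' >&2
  read -r code
fi
[ -n "$code" ] || die "No MFA code given"

# Without a role the session token *is* the credential handed back, so it
# gets the configured lifetime. With a role it only has to outlive the
# AssumeRole call below, so keep it at one hour.
if [ -z "$config_role_arn" ]; then
  session_duration=$config_duration_seconds
else
  session_duration=3600
fi
tokens=$(aws sts get-session-token --serial-number "$device" --token-code "$code" \
  --duration-seconds "$session_duration" --output json)
parse_credentials "$tokens" || die "Unable to get temporary credentials. Could not find secret/access/session entries
$tokens"

destination_profile=${DESTINATION_PROFILE:-current_session}
if [ -n "$config_region" ]; then
  echo "export AWS_DEFAULT_REGION=$config_region"
  aws configure set region "$config_region" --profile "$destination_profile"
fi

if [ -z "$config_role_arn" ]; then
  publish_credentials
else
  # Use the MFA-backed session to assume the role; the role's credentials
  # are what gets handed back.
  export AWS_SESSION_TOKEN=$session
  export AWS_SECRET_ACCESS_KEY=$secret
  export AWS_ACCESS_KEY_ID=$access
  echo "Assuming role: $config_role_arn" >&2
  tokens=$(aws sts assume-role --role-arn "$config_role_arn" \
    --role-session-name get-aws-creds --duration-seconds "$config_duration_seconds" --output json)
  # Check this response too; otherwise empty credentials would be printed and
  # written to the destination profile as if they were valid.
  parse_credentials "$tokens" || die "Unable to assume role $config_role_arn. Could not find secret/access/session entries
$tokens"
  publish_credentials
fi
echo "Keys valid until $expire" >&2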