Skip to content

Instantly share code, notes, and snippets.

@JustinJohnWilliams

JustinJohnWilliams/aws

Last active April 6, 2023 19:03
Show Gist options
  • Save JustinJohnWilliams/bbf84237d4e37dc555d171ee2981d51c to your computer and use it in GitHub Desktop.
Save JustinJohnWilliams/bbf84237d4e37dc555d171ee2981d51c to your computer and use it in GitHub Desktop.
Download ZIP
dots
Raw
aws
#!/bin/bash
function __aws-login-as {
local account="$1"
aws-logout
echo >&2 "Logging in for $account account..."
local access_key_id="$(pass "aws/$account/access_key_id")"
local secret_access_key="$(pass "aws/$account/secret_access_key")"
local mfa_device="$(pass "aws/$account/mfa_device")"
local mfa_secret="$(pass "aws/$account/mfa_secret")"
if [[ -z $access_key_id || -z $secret_access_key || -z $mfa_device || -z $mfa_secret ]]; then
echo -e >&2 "\x1B[31mError: Missing AWS access keys or MFA secret.\x1B[39m"
return 1
fi
export AWS_ACCESS_KEY_ID="$access_key_id"
export AWS_SECRET_ACCESS_KEY="$secret_access_key"
echo >&2 "Using access key ID $access_key_id to get a temporary session token."
local session_token_response
session_token_response=$(aws sts get-session-token \
--serial-number "$mfa_device" \
--token-code "$(oathtool --totp=sha1 --base32 "$mfa_secret")" 2>&1)
if [[ "${session_token_response/\"SessionToken\"\:}" = "$session_token_response" ]]; then
echo -e >&2 "\x1B[31mInitial authentication failed with error:\x1B[39m $session_token_response"
aws-logout
return 1
else
echo -e >&2 "\x1B[32mInitial authentication succeeded.\x1B[39m"
local session_token="$(echo "$session_token_response" | jq -r '.Credentials.SessionToken')"
local session_expiration="$(echo "$session_token_response" | jq -r '.Credentials.Expiration')"
export AWS_ACCESS_KEY_ID="$(echo "$session_token_response" | jq -r '.Credentials.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(echo "$session_token_response" | jq -r '.Credentials.SecretAccessKey')"
export AWS_SESSION_TOKEN="$session_token"
export AWS_SESSION_EXPIRATION="$session_expiration"
export AWS_ACCOUNT="$(aws sts get-caller-identity | jq -r '.Account')"
echo >&2 "Switching to use temporary access key ID $AWS_ACCESS_KEY_ID, which expires at $session_expiration"
fi
}
function __aws-assume-role {
local account_id
case "$1" in
dev)
account_id="123456789012"
;;
prod)
account_id="098765432109"
;;
*)
account_id="$1"
;;
esac
local role_name
case "$2" in
full)
role_name="allow-full-access-from-security"
;;
read)
role_name="allow-read-only-access-from-security"
;;
*)
color_print 31 "Invalid access type argument specified. Must be one of 'full' or 'read'"
return
;;
esac
local role_arn="arn:aws:iam::$account_id:role/$role_name"
color_print 95 "Assuming role %s" "$role_arn" >&2
local assume_role_response
assume_role_response=$(aws sts assume-role --role-arn "$role_arn" --role-session-name "$USER" 2>&1)
if [[ "${assume_role_response/error}" = "$assume_role_response" ]]; then
color_print 32 "Assume IAM role succeeded." >&2
else
color_print 31 "Assuming IAM role failed with error: %s" "$assume_role_response" >&2
aws-logout
return
fi
color_print 32 "Set final temporary AWS_ACCESS_KEY_ID and associated secret key and session token" >&2
export AWS_ACCESS_KEY_ID="$(echo "$assume_role_response" | jq -r '.Credentials.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(echo "$assume_role_response" | jq -r '.Credentials.SecretAccessKey')"
export AWS_SESSION_TOKEN="$(echo "$assume_role_response" | jq -r '.Credentials.SessionToken')"
export AWS_SESSION_EXPIRATION="$(echo "$assume_role_response" | jq -r '.Credentials.Expiration')"
export AWS_ACCOUNT="$(aws sts get-caller-identity | jq -r '.Account')"
}
function aws-status {
aws sts get-caller-identity;
}
function aws-mycorp-security {
__aws-login-as mycorp-security
if [ $# -eq 0 ]
then
return
fi
__aws-assume-role "$@"
}
function aws-env { printenv | grep AWS; }
function aws-logout {
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_EXPIRATION AWS_SESSION_TOKEN AWS_PROFILE AWS_DEFAULT_REGION AWS_ACCOUNT AWS_REGION;
}
Raw
random
#!/bin/bash
function urlencode() {
python -c 'import urllib, sys; print urllib.quote(sys.argv[1], sys.argv[2])' \
"$1" "$urlencode_safe"
}
function dad { DAD_JOKE=$(curl -s -H "Accept: text/plain" https://icanhazdadjoke.com/); echo "$DAD_JOKE"; }
function yank-cuid { cuid -s | tr -d '\n' | pbcopy; echo $(pbpaste); }
function yank-cuid-long { cuid | tr -d '\n' | pbcopy; echo $(pbpaste); }
function set_color_mode_elevated() {
tmux select-pane -P 'bg=colour55'
}
function set_color_mode_default() {
tmux select-pane -P 'bg=default'
}
function __set_pane_color() {
local color="bg=colour$1"
tmux select-pane -P $color
}
function yank-totp-aws-mycorp{
__get-totp-for aws/mycorp
}
function yank-totp-aws-me {
__get-totp-for aws/me
}
function __get-totp-for {
ACCOUNT=$1
OTP=$(oathtool --totp=sha1 --base32 "$(pass $ACCOUNT/mfa_secret)")
echo $OTP | tr -d '\n' | pbcopy
echo $OTP
}
function color_print {
local color=$1
shift
printf "\x1B[%sm%s\x1B[39m\n" "$color" "$@"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment