Yloganathan · May 12, 2019 05:23
diff --git a/get-aws-creds.sh b/get-aws-creds.sh
 #!/bin/bash

 # This uses MFA devices to get temporary (eg 12 hour) credentials.  Requires
 # a TTY for user input.
 #
 # GPL 2 or higher

 if [ ! -t 0 ]
 then
  echo Must be on a tty >&2
  exit 255
 fi

 identity=$(aws sts get-caller-identity)
 username=$(echo -- "$identity" | sed -n 's!.*"arn:aws:iam::.*:user/\(.*\)".*!\1!p')
 if [ -z "$username" ]
 then
  echo "Can not identify who you are.  Looking for a line like
    arn:aws:iam::.....:user/FOO_BAR
 but did not find one in the output of
  aws sts get-caller-identity

 $identity" >&2
  exit 255
 fi

 echo You are: $username >&2

 mfa=$(aws iam list-mfa-devices --user-name "$username")
 device=$(echo -- "$mfa" | sed -n 's!.*"SerialNumber": "\(.*\)".*!\1!p')
 if [ -z "$device" ]
 then
  echo "Can not find any MFA device for you.  Looking for a SerialNumber
 but did not find one in the output of
  aws iam list-mfa-devices --username \"$username\"

 $mfa" >&2
  exit 255
 fi

 echo Your MFA device is: $device >&2

 echo -n "Enter your MFA code now: " >&2
 read code

 tokens=$(aws sts get-session-token --serial-number "$device" --token-code $code)

 secret=$(echo -- "$tokens" | sed -n 's!.*"SecretAccessKey": "\(.*\)".*!\1!p')
 session=$(echo -- "$tokens" | sed -n 's!.*"SessionToken": "\(.*\)".*!\1!p')
 access=$(echo -- "$tokens" | sed -n 's!.*"AccessKeyId": "\(.*\)".*!\1!p')
 expire=$(echo -- "$tokens" | sed -n 's!.*"Expiration": "\(.*\)".*!\1!p')

 if [ -z "$secret" -o -z "$session" -o -z "$access" ]
 then
  echo "Unable to get temporary credentials.  Could not find secret/access/session entries

 $tokens" >&2
  exit 255
 fi

 echo 'Removing old mfa setting'
 sed -i '' '/mfa/,$d' ~/.aws/credentials

 echo 'Push new mfa token, key, id to credentials'
 echo AWS_SESSION_TOKEN=$session
 echo AWS_SECRET_ACCESS_KEY=$secret
 echo AWS_ACCESS_KEY_ID=$access

 echo [mfa] >> ~/.aws/credentials
 echo AWS_SESSION_TOKEN=$session >> ~/.aws/credentials
 echo AWS_SECRET_ACCESS_KEY=$secret >> ~/.aws/credentials
 echo AWS_ACCESS_KEY_ID=$access >> ~/.aws/credentials

 echo Keys valid until $expire >&2
	#!/bin/bash

	# This uses MFA devices to get temporary (eg 12 hour) credentials. Requires
	# a TTY for user input.
	#
	# GPL 2 or higher

	if [ ! -t 0 ]
	then
	echo Must be on a tty >&2
	exit 255
	fi

	identity=$(aws sts get-caller-identity)
	username=$(echo -- "$identity" \| sed -n 's!."arn:aws:iam::.:user/\(.\)".!\1!p')
	if [ -z "$username" ]
	then
	echo "Can not identify who you are. Looking for a line like
	arn:aws:iam::.....:user/FOO_BAR
	but did not find one in the output of
	aws sts get-caller-identity

	$identity" >&2
	exit 255
	fi

	echo You are: $username >&2

	mfa=$(aws iam list-mfa-devices --user-name "$username")
	device=$(echo -- "$mfa" \| sed -n 's!."SerialNumber": "\(.\)".*!\1!p')
	if [ -z "$device" ]
	then
	echo "Can not find any MFA device for you. Looking for a SerialNumber
	but did not find one in the output of
	aws iam list-mfa-devices --username \"$username\"

	$mfa" >&2
	exit 255
	fi

	echo Your MFA device is: $device >&2

	echo -n "Enter your MFA code now: " >&2
	read code

	tokens=$(aws sts get-session-token --serial-number "$device" --token-code $code)

	secret=$(echo -- "$tokens" \| sed -n 's!."SecretAccessKey": "\(.\)".*!\1!p')
	session=$(echo -- "$tokens" \| sed -n 's!."SessionToken": "\(.\)".*!\1!p')
	access=$(echo -- "$tokens" \| sed -n 's!."AccessKeyId": "\(.\)".*!\1!p')
	expire=$(echo -- "$tokens" \| sed -n 's!."Expiration": "\(.\)".*!\1!p')

	if [ -z "$secret" -o -z "$session" -o -z "$access" ]
	then
	echo "Unable to get temporary credentials. Could not find secret/access/session entries

	$tokens" >&2
	exit 255
	fi

	echo 'Removing old mfa setting'
	sed -i '' '/mfa/,$d' ~/.aws/credentials

	echo 'Push new mfa token, key, id to credentials'
	echo AWS_SESSION_TOKEN=$session
	echo AWS_SECRET_ACCESS_KEY=$secret
	echo AWS_ACCESS_KEY_ID=$access

	echo [mfa] >> ~/.aws/credentials
	echo AWS_SESSION_TOKEN=$session >> ~/.aws/credentials
	echo AWS_SECRET_ACCESS_KEY=$secret >> ~/.aws/credentials
	echo AWS_ACCESS_KEY_ID=$access >> ~/.aws/credentials

	echo Keys valid until $expire >&2