afunsten · August 9, 2018 01:36
diff --git a/get_s3_file_ecs.sh b/get_s3_file_ecs.sh
 #!/bin/bash
 # https://gist.github.com/afunsten
 # https://gist.github.com/davidejones/d05f51df75e659111227

 #requirements
 type jq
 type openssl

 while getopts :b:f:o:r: option; do
    case "${option}" in
    	b) bucket="${OPTARG}";;
        f) file="${OPTARG}";;
        o) outputfullpath="${OPTARG}";;
        r) region="${OPTARG}";;
    esac
 done

 #defaults
 : "${bucket:=some-bucket-default}"
 : "${file:=some-file-key-path-default}"
 : "${outputfullpath:=./get_s3_file_output}"
 : "${region:=}"

 #ECS role way...
 ecscreds=$(curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)
 RoleArn=$(jq -r '.RoleArn' <<< "$ecscreds")
 aws_access_key_id=$(jq -r '.AccessKeyId' <<< "$ecscreds")
 aws_secret_access_key=$(jq -r '.SecretAccessKey' <<< "$ecscreds")
 token=$(jq -r '.Token' <<< "$ecscreds")

 #EC2 role way...
 #instance_profile=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/`
 #aws_access_key_id=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | grep AccessKeyId | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g'`
 #aws_secret_access_key=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | grep SecretAccessKey | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g'`
 #token=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | sed -n '/Token/{p;}' | cut -f4 -d'"'`

 date="`date +'%a, %d %b %Y %H:%M:%S %z'`"
 resource="${bucket}/${file}"
 signature_string="GET\n\n\n${date}\nx-amz-security-token:${token}\n/${resource}"
 signature=`/bin/echo -en "${signature_string}" | /usr/bin/openssl sha1 -hmac ${aws_secret_access_key} -binary | base64`
 authorization="AWS ${aws_access_key_id}:${signature}"
 echo "Getting https://s3${region}.amazonaws.com/${resource} using $RoleArn"
 curl -s -H "Date: ${date}" -H "X-AMZ-Security-Token: ${token}" -H "Authorization: ${authorization}" "https://s3${region}.amazonaws.com/${resource}" -o "${outputfullpath}"

 md5sum ${outputfullpath}

 #Troubleshooting
 #ls -la ${outputfullpath}
 #echo curl -s -H "Date: ${date}" -H "X-AMZ-Security-Token: ${token}" -H "Authorization: ${authorization}" "https://s3${region}.amazonaws.com/${resource}" -o "${outputfullpath}"
 #cat ${outputfullpath}
 #echo AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
 #echo instance_profile: "$instance_profile"
 #echo ecscreds: "$ecscreds"
 #echo aws_access_key_id: "$aws_access_key_id"
 #echo aws_secret_access_key: "$aws_secret_access_key"
 #echo token: "$token"
 #echo date: "$date"
 #echo signature_string: "$signature_string"
 #echo signature: "$signature"
 #echo authorization: "$authorization"

 # for encrpted files  you also need these headers ...
 # -H "x-amz-server-side-encryption-customer-algorithm: AES256" 
 # -H "x-amz-server-side-encryption-customer-key: yourstring"
 # -H "x-amz-server-side-encryption-customer-key-MD5: yourstring" 
 #https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
	#!/bin/bash
	# https://gist.github.com/afunsten
	# https://gist.github.com/davidejones/d05f51df75e659111227

	#requirements
	type jq
	type openssl

	while getopts :b:f:o:r: option; do
	case "${option}" in
	b) bucket="${OPTARG}";;
	f) file="${OPTARG}";;
	o) outputfullpath="${OPTARG}";;
	r) region="${OPTARG}";;
	esac
	done

	#defaults
	: "${bucket:=some-bucket-default}"
	: "${file:=some-file-key-path-default}"
	: "${outputfullpath:=./get_s3_file_output}"
	: "${region:=}"

	#ECS role way...
	ecscreds=$(curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)
	RoleArn=$(jq -r '.RoleArn' <<< "$ecscreds")
	aws_access_key_id=$(jq -r '.AccessKeyId' <<< "$ecscreds")
	aws_secret_access_key=$(jq -r '.SecretAccessKey' <<< "$ecscreds")
	token=$(jq -r '.Token' <<< "$ecscreds")

	#EC2 role way...
	#instance_profile=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/`
	#aws_access_key_id=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} \| grep AccessKeyId \| cut -d':' -f2 \| sed 's/[^0-9A-Z]*//g'`
	#aws_secret_access_key=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} \| grep SecretAccessKey \| cut -d':' -f2 \| sed 's/[^0-9A-Za-z/+=]*//g'`
	#token=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} \| sed -n '/Token/{p;}' \| cut -f4 -d'"'`

	date="`date +'%a, %d %b %Y %H:%M:%S %z'`"
	resource="${bucket}/${file}"
	signature_string="GET\n\n\n${date}\nx-amz-security-token:${token}\n/${resource}"
	signature=`/bin/echo -en "${signature_string}" \| /usr/bin/openssl sha1 -hmac ${aws_secret_access_key} -binary \| base64`
	authorization="AWS ${aws_access_key_id}:${signature}"
	echo "Getting https://s3${region}.amazonaws.com/${resource} using $RoleArn"
	curl -s -H "Date: ${date}" -H "X-AMZ-Security-Token: ${token}" -H "Authorization: ${authorization}" "https://s3${region}.amazonaws.com/${resource}" -o "${outputfullpath}"

	md5sum ${outputfullpath}

	#Troubleshooting
	#ls -la ${outputfullpath}
	#echo curl -s -H "Date: ${date}" -H "X-AMZ-Security-Token: ${token}" -H "Authorization: ${authorization}" "https://s3${region}.amazonaws.com/${resource}" -o "${outputfullpath}"
	#cat ${outputfullpath}
	#echo AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
	#echo instance_profile: "$instance_profile"
	#echo ecscreds: "$ecscreds"
	#echo aws_access_key_id: "$aws_access_key_id"
	#echo aws_secret_access_key: "$aws_secret_access_key"
	#echo token: "$token"
	#echo date: "$date"
	#echo signature_string: "$signature_string"
	#echo signature: "$signature"
	#echo authorization: "$authorization"

	# for encrpted files you also need these headers ...
	# -H "x-amz-server-side-encryption-customer-algorithm: AES256"
	# -H "x-amz-server-side-encryption-customer-key: yourstring"
	# -H "x-amz-server-side-encryption-customer-key-MD5: yourstring"
	#https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html