Skip to content

Instantly share code, notes, and snippets.

@alpozcan

alpozcan/vault-aws-login.sh

Created April 19, 2023 02:15
Show Gist options
  • Save alpozcan/4d10e27e143c0670ea7bf86c1640fa3d to your computer and use it in GitHub Desktop.
Save alpozcan/4d10e27e143c0670ea7bf86c1640fa3d to your computer and use it in GitHub Desktop.
Download ZIP
Logs into Vault using an assumed AWS Role
Raw
vault-aws-login.sh
#!/usr/bin/env bash
# Logs into Vault using an assumed AWS Role
# context: https://github.com/hashicorp/vault/issues/5767
# based on: https://gist.githubusercontent.com/Westixy/bc70ee782fe759094bf5c1c65c248f6c/raw/34ee1b3c17beddb5badaf4ad4d32afef208bfd84/vault-aws.sh
set -e
THIS=`basename "${0}"`
AWS_ROLE_ARN="$1"
VAULT_ROLE="$2"
VAULT_ADDR="$3"
echo "${THIS}: Assuming Role $AWS_ROLE_ARN ..." >&2
credentials=`aws sts assume-role --role-arn "$AWS_ROLE_ARN" \
--role-session-name vaultSession \
--duration-seconds 3600 \
--output=json`
export AWS_ACCESS_KEY_ID=`echo "${credentials}" | jq -r '.Credentials.AccessKeyId'`
export AWS_SECRET_ACCESS_KEY=`echo "${credentials}" | jq -r '.Credentials.SecretAccessKey'`
export AWS_SESSION_TOKEN=`echo "${credentials}" | jq -r '.Credentials.SessionToken'`
export AWS_EXPIRATION=`echo "${credentials}" | jq -r '.Credentials.Expiration'`
echo "${THIS}: Logging into Vault (${VAULT_ADDR}) ..."
token=`vault login \
-method=aws \
-format=json \
header_value="${VAULT_ADDR}" \
role=${VAULT_ROLE} \
| jq -r '.auth.client_token'`
echo "${THIS}: Success!"
echo "${THIS}: Token: ${token}"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment