bishopb · September 28, 2022 02:07 · bishopb · Oct 5, 2022
diff --git a/aws-login-with-mfa b/aws-login-with-mfa
 #!/bin/bash

 set -euo pipefail

 trap 'echo "Caught SIGINT. Exiting..." >&2; exit 1' INT

 tmpfile=$(mktemp)
 chmod 600 "${tmpfile}"
 trap 'rm -f "${tmpfile}"' EXIT

 main() {
  local serial="${1:?First argument must be the MFA serial number, available on the AWS web console}"
  local duration="${2:-10800}"
  local token

  token=$(read_token)

  get_tmp_creds "${serial}" "${token}" "${duration}" > "${tmpfile}"

  local ak sk st ex
  ak=$(jq -r .Credentials.AccessKeyId < "${tmpfile}")
  sk=$(jq -r .Credentials.SecretAccessKey < "${tmpfile}")
  st=$(jq -r .Credentials.SessionToken < "${tmpfile}")
  ex=$(jq -r .Credentials.Expiration < "${tmpfile}")
  update_creds_file "${ak}" "${sk}" "${st}"

  verify_identity

  echo "Authenticated. Credentials stored in the 'mfa' profile and expire at ${ex}."
 }

 read_token() {
  local max=3
  for i in $(seq 1 "${max}"); do
    read -r -n 6 -p "Token (attempt #${i} of ${max}): " token
    echo >&2
    if [[ "${token}" =~ ^[0-9][0-9][0-9][0-9][0-9][0-9]$ ]]; then
      echo "${token}"
      return 0
    else
      echo 'Token input must be exactly six numbers' >&2
    fi
  done
  return 1
 }

 get_tmp_creds() {
  # https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
  aws sts get-session-token \
    --serial-number "${1}" \
    --token-code "${2}" \
    --duration-seconds "${3}"
 }

 update_creds_file() {
  local ak sk st

  ak=$1
  sk=$2
  st=$3

  # https://stackoverflow.com/a/16987794/2908724
  sed -i '' \
    -e '/^\[mfa\]$/,/^\[/ s@^aws_access_key_id *=.*@aws_access_key_id='"${ak}"'@' \
    -e '/^\[mfa\]$/,/^\[/ s@^aws_secret_access_key *=.*@aws_secret_access_key='"${sk}"'@' \
    -e '/^\[mfa\]$/,/^\[/ s@^aws_session_token *=.*@aws_session_token='"${st}"'@' \
    "${HOME}"/.aws/credentials
 }

 verify_identity() {
  aws sts get-caller-identity --profile mfa >/dev/null
 }

 main "${@:-}"
	#!/bin/bash

	set -euo pipefail

	trap 'echo "Caught SIGINT. Exiting..." >&2; exit 1' INT

	tmpfile=$(mktemp)
	chmod 600 "${tmpfile}"
	trap 'rm -f "${tmpfile}"' EXIT

	main() {
	local serial="${1:?First argument must be the MFA serial number, available on the AWS web console}"
	local duration="${2:-10800}"
	local token

	token=$(read_token)

	get_tmp_creds "${serial}" "${token}" "${duration}" > "${tmpfile}"

	local ak sk st ex
	ak=$(jq -r .Credentials.AccessKeyId < "${tmpfile}")
	sk=$(jq -r .Credentials.SecretAccessKey < "${tmpfile}")
	st=$(jq -r .Credentials.SessionToken < "${tmpfile}")
	ex=$(jq -r .Credentials.Expiration < "${tmpfile}")
	update_creds_file "${ak}" "${sk}" "${st}"

	verify_identity

	echo "Authenticated. Credentials stored in the 'mfa' profile and expire at ${ex}."
	}

	read_token() {
	local max=3
	for i in $(seq 1 "${max}"); do
	read -r -n 6 -p "Token (attempt #${i} of ${max}): " token
	echo >&2
	if [[ "${token}" =~ ^[0-9][0-9][0-9][0-9][0-9][0-9]$ ]]; then
	echo "${token}"
	return 0
	else
	echo 'Token input must be exactly six numbers' >&2
	fi
	done
	return 1
	}

	get_tmp_creds() {
	# https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
	aws sts get-session-token \
	--serial-number "${1}" \
	--token-code "${2}" \
	--duration-seconds "${3}"
	}

	update_creds_file() {
	local ak sk st

	ak=$1
	sk=$2
	st=$3

	# https://stackoverflow.com/a/16987794/2908724
	sed -i '' \
	-e '/^\[mfa\]$/,/^\[/ s@^aws_access_key_id =.@aws_access_key_id='"${ak}"'@' \
	-e '/^\[mfa\]$/,/^\[/ s@^aws_secret_access_key =.@aws_secret_access_key='"${sk}"'@' \
	-e '/^\[mfa\]$/,/^\[/ s@^aws_session_token =.@aws_session_token='"${st}"'@' \
	"${HOME}"/.aws/credentials
	}

	verify_identity() {
	aws sts get-caller-identity --profile mfa >/dev/null
	}

	main "${@:-}"