discorev · June 25, 2023 13:15
diff --git a/mfa-setup.sh b/mfa-setup.sh
 #!/bin/zsh


 POSITIONAL=()
 while [[ $# -gt 0 ]]
 do
 key="$1"

 case $key in
  -p|--profile)
  AWS_PROFILE="$2"
  shift # past argument
  shift # past value
  ;;
  *)    # unknown option
  POSITIONAL+=("$1") # save it in an array for later
  shift # past argument
  ;;
 esac
 done
 set -- "${POSITIONAL[@]}" # restore positional parameters

 if [ -z "$AWS_PROFILE" ]; then
  AWS_PROFILE="default"
 fi

 MFA_PROFILE=${AWS_PROFILE}-mfa
 if [ $AWS_PROFILE = "default" ]; then
  MFA_PROFILE=mfa
 fi

 # Check if there is already a virtual MFA device for this user
 MFA_DEVICE_LIST_LENGTH=$(aws iam list-mfa-devices --query 'MFADevices[*].SerialNumber' --profile ${AWS_PROFILE} | jq -r '[.[] | select(contains("mfa"))] | length')
 if [ $MFA_DEVICE_LIST_LENGTH -gt 0 ]; then
  # Ensure the mfa profile has been activated
  echo "Account already has MFA devices - checking MFA is active"
  aws sts get-caller-identity --profile ${MFA_PROFILE} &> /dev/null

  if [ $? -ne 0 ]; then
    echo "MFA not active - please mfa authenticate the AWS \`${AWS_PROFILE}\` profile."
    exit 1
  fi
 else
    MFA_PROFILE=""
 fi

 YUBI_DEVICE=`ykman list --serials`
 if [ -z "${YUBI_DEVICE}" ]; then
  echo "No YubiKey connected - please connect the YubiKey to setup"
  exit 2
 fi

 APPLICATION=oath

 label=$(aws iam create-virtual-mfa-device --profile ${AWS_PROFILE} --path /yubikey/${APPLICATION}/ --virtual-mfa-device-name ${YUBI_DEVICE} --outfile ${YUBI_DEVICE}.txt --bootstrap-method Base32StringSeed | jq -r '.VirtualMFADevice.SerialNumber')

 if [ $? -eq 0 ]; then
  ykman --device $YUBI_DEVICE ${APPLICATION} accounts add -t $label `cat ${YUBI_DEVICE}.txt`

  rm ${YUBI_DEVICE}.txt

  CODE1=$(ykman --device $YUBI_DEVICE $APPLICATION accounts code $label)
  CODE1=${CODE1:(-6)}
  echo $CODE1
  sleep 30
  CODE2=$(ykman --device $YUBI_DEVICE $APPLICATION accounts code $label)
  CODE2=${CODE2:(-6)}
  echo $CODE2

  # If the account already has MFA enabled then this will need to use the current MFA profile (which must be authenticated)
  if [ -z "${MFA_PROFILE}" ]; then 
    aws iam enable-mfa-device --user-name $(aws iam get-user | jq -r '.User.UserName') --serial-number $label --authentication-code1 ${CODE1} --authentication-code2 ${CODE2}
  else
    aws iam enable-mfa-device --user-name $(aws iam get-user | jq -r '.User.UserName') --serial-number $label --authentication-code1 ${CODE1} --authentication-code2 ${CODE2} --profile ${MFA_PROFILE}
  fi
 fi
	#!/bin/zsh


	POSITIONAL=()
	while [[ $# -gt 0 ]]
	do
	key="$1"

	case $key in
	-p\|--profile)
	AWS_PROFILE="$2"
	shift # past argument
	shift # past value
	;;
	*) # unknown option
	POSITIONAL+=("$1") # save it in an array for later
	shift # past argument
	;;
	esac
	done
	set -- "${POSITIONAL[@]}" # restore positional parameters

	if [ -z "$AWS_PROFILE" ]; then
	AWS_PROFILE="default"
	fi

	MFA_PROFILE=${AWS_PROFILE}-mfa
	if [ $AWS_PROFILE = "default" ]; then
	MFA_PROFILE=mfa
	fi

	# Check if there is already a virtual MFA device for this user
	MFA_DEVICE_LIST_LENGTH=$(aws iam list-mfa-devices --query 'MFADevices[*].SerialNumber' --profile ${AWS_PROFILE} \| jq -r '[.[] \| select(contains("mfa"))] \| length')
	if [ $MFA_DEVICE_LIST_LENGTH -gt 0 ]; then
	# Ensure the mfa profile has been activated
	echo "Account already has MFA devices - checking MFA is active"
	aws sts get-caller-identity --profile ${MFA_PROFILE} &> /dev/null

	if [ $? -ne 0 ]; then
	echo "MFA not active - please mfa authenticate the AWS \`${AWS_PROFILE}\` profile."
	exit 1
	fi
	else
	MFA_PROFILE=""
	fi

	YUBI_DEVICE=`ykman list --serials`
	if [ -z "${YUBI_DEVICE}" ]; then
	echo "No YubiKey connected - please connect the YubiKey to setup"
	exit 2
	fi

	APPLICATION=oath

	label=$(aws iam create-virtual-mfa-device --profile ${AWS_PROFILE} --path /yubikey/${APPLICATION}/ --virtual-mfa-device-name ${YUBI_DEVICE} --outfile ${YUBI_DEVICE}.txt --bootstrap-method Base32StringSeed \| jq -r '.VirtualMFADevice.SerialNumber')

	if [ $? -eq 0 ]; then
	ykman --device $YUBI_DEVICE ${APPLICATION} accounts add -t $label `cat ${YUBI_DEVICE}.txt`

	rm ${YUBI_DEVICE}.txt

	CODE1=$(ykman --device $YUBI_DEVICE $APPLICATION accounts code $label)
	CODE1=${CODE1:(-6)}
	echo $CODE1
	sleep 30
	CODE2=$(ykman --device $YUBI_DEVICE $APPLICATION accounts code $label)
	CODE2=${CODE2:(-6)}
	echo $CODE2

	# If the account already has MFA enabled then this will need to use the current MFA profile (which must be authenticated)
	if [ -z "${MFA_PROFILE}" ]; then
	aws iam enable-mfa-device --user-name $(aws iam get-user \| jq -r '.User.UserName') --serial-number $label --authentication-code1 ${CODE1} --authentication-code2 ${CODE2}
	else
	aws iam enable-mfa-device --user-name $(aws iam get-user \| jq -r '.User.UserName') --serial-number $label --authentication-code1 ${CODE1} --authentication-code2 ${CODE2} --profile ${MFA_PROFILE}
	fi
	fi