dominics · November 14, 2019 23:06
diff --git a/ykaws-helpers.sh b/ykaws-helpers.sh
 # Helper script providing `ykaws-auth <profile>` and `ykaws-login <profile>` helpers
 #
 # Initial Yubikey setup:
 # - Install and configure Yubico Authenticator, ykman, AWS Vault
 # - Configure your AWS MFA device to be stored in your Yubikey
 # - Set a YKAWS_PROFILE environment variable to the TOTP profile name (list with `ykman oath list`) in your shell startup scripts
 # - You'll know you're ready when `ykman oath code --single "$YKAWS_PROFILE"` returns an MFA code
 #
 # Installing this helper:
 # - Put it somewhere
 # - Source it from your shell startup scripts
 #
 # Now you're ready to run `ykaws-auth` or `ykaws-login`

 if test -n "$ZSH_VERSION"; then
  if [[ "$ZSH_EVAL_CONTEXT" == 'toplevel' ]]; then
      echo "You're running $0, but the correct way to use it is to source it in your current shell (so that it can create aliases for you.)" >&2
      echo "Run 'source $0' instead!" >&2
      exit 2
  fi
 elif test -n "$BASH_VERSION"; then
  if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
      echo "You're running $0, but the correct way to use it is to source it in your current shell (so that it can create aliases for you.)" >&2
      echo "Run 'source $0' instead!" >&2
      exit 2
  fi
 fi

 YKAWS_PROFILE=${YKAWS_PROFILE:-}

 if [[ -z "$YKAWS_PROFILE" ]]; then
  echo "You should set the $YKAWS_PROFILE environment variable before sourcing this helper" >&2
  return 1
 fi

 _ykaws_user_var() {
  [[ "${TERM_PROGRAM:-}" == "iTerm.app" ]] || return
  printf "\033]1337;SetUserVar=%s=%s\007" "$1" "$(printf "%s" "$2" | base64 | tr -d '\n')"
 }

 _ykaws_unset() {
  unset AWS_SESSION_TOKEN
  unset AWS_VAULT
  unset AWS_SECRET_ACCESS_KEY
  unset AWS_ACCESS_KEY_ID
  unset AWS_SECURITY_TOKEN
 }

 _ykaws_check_profile() {
  if [ $# -eq 0 ]
  then
    echo "Must pass aws-vault profile name" >&2
    return 1
  fi

  grep -qw "^\[profile $1\]$" <~/.aws/config
  if [ $? -gt 0 ]; then
    echo "Profile $1 not found in aws config" >&2
    return 1
  fi
 }

 _ykaws_export() {
  set -o pipefail
  aws-vault exec $1 --no-session --assume-role-ttl=12h -m `ykman oath code --single "$YKAWS_PROFILE" | awk '{print $NF}'` -- env | grep ^AWS | sed -e 's/^/export\ /'
  ret=$?
  set +o pipefail
  return $ret
 }

 ykaws-auth() {
  _ykaws_check_profile $1
  ret=$?
  if [ $ret -gt 0 ]; then
    return $ret
  fi

  _ykaws_unset
  env="$(_ykaws_export $1)"
  ret=$?

  if [ $ret -gt 0 ]; then
    echo "Could not authenticate: this may indicate the MFA code has already been used" >&2
    _ykaws_user_var ykawsvault "${AWS_VAULT:-}"
    return $ret
  fi

  eval "${env}"
  unset env
  _ykaws_user_var ykawsvault "${AWS_VAULT:-}"
 }


 ykaws-login() {
  _ykaws_check_profile $1
  ret=$?
  if [ $ret -gt 0 ]; then
    return $ret
  fi

  set -o pipefail
  aws-vault login $1 --no-session --assume-role-ttl=12h -t `ykman oath code --single "$YKAWS_PROFILE" | awk '{print $NF}'`
  ret=$?
  set +o pipefail
  return $ret
 }
	# Helper script providing `ykaws-auth <profile>` and `ykaws-login <profile>` helpers
	#
	# Initial Yubikey setup:
	# - Install and configure Yubico Authenticator, ykman, AWS Vault
	# - Configure your AWS MFA device to be stored in your Yubikey
	# - Set a YKAWS_PROFILE environment variable to the TOTP profile name (list with `ykman oath list`) in your shell startup scripts
	# - You'll know you're ready when `ykman oath code --single "$YKAWS_PROFILE"` returns an MFA code
	#
	# Installing this helper:
	# - Put it somewhere
	# - Source it from your shell startup scripts
	#
	# Now you're ready to run `ykaws-auth` or `ykaws-login`

	if test -n "$ZSH_VERSION"; then
	if [[ "$ZSH_EVAL_CONTEXT" == 'toplevel' ]]; then
	echo "You're running $0, but the correct way to use it is to source it in your current shell (so that it can create aliases for you.)" >&2
	echo "Run 'source $0' instead!" >&2
	exit 2
	fi
	elif test -n "$BASH_VERSION"; then
	if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
	echo "You're running $0, but the correct way to use it is to source it in your current shell (so that it can create aliases for you.)" >&2
	echo "Run 'source $0' instead!" >&2
	exit 2
	fi
	fi

	YKAWS_PROFILE=${YKAWS_PROFILE:-}

	if [[ -z "$YKAWS_PROFILE" ]]; then
	echo "You should set the $YKAWS_PROFILE environment variable before sourcing this helper" >&2
	return 1
	fi

	_ykaws_user_var() {
	[[ "${TERM_PROGRAM:-}" == "iTerm.app" ]] \|\| return
	printf "\033]1337;SetUserVar=%s=%s\007" "$1" "$(printf "%s" "$2" \| base64 \| tr -d '\n')"
	}

	_ykaws_unset() {
	unset AWS_SESSION_TOKEN
	unset AWS_VAULT
	unset AWS_SECRET_ACCESS_KEY
	unset AWS_ACCESS_KEY_ID
	unset AWS_SECURITY_TOKEN
	}

	_ykaws_check_profile() {
	if [ $# -eq 0 ]
	then
	echo "Must pass aws-vault profile name" >&2
	return 1
	fi

	grep -qw "^\[profile $1\]$" <~/.aws/config
	if [ $? -gt 0 ]; then
	echo "Profile $1 not found in aws config" >&2
	return 1
	fi
	}

	_ykaws_export() {
	set -o pipefail
	aws-vault exec $1 --no-session --assume-role-ttl=12h -m `ykman oath code --single "$YKAWS_PROFILE" \| awk '{print $NF}'` -- env \| grep ^AWS \| sed -e 's/^/export\ /'
	ret=$?
	set +o pipefail
	return $ret
	}

	ykaws-auth() {
	_ykaws_check_profile $1
	ret=$?
	if [ $ret -gt 0 ]; then
	return $ret
	fi

	_ykaws_unset
	env="$(_ykaws_export $1)"
	ret=$?

	if [ $ret -gt 0 ]; then
	echo "Could not authenticate: this may indicate the MFA code has already been used" >&2
	_ykaws_user_var ykawsvault "${AWS_VAULT:-}"
	return $ret
	fi

	eval "${env}"
	unset env
	_ykaws_user_var ykawsvault "${AWS_VAULT:-}"
	}


	ykaws-login() {
	_ykaws_check_profile $1
	ret=$?
	if [ $ret -gt 0 ]; then
	return $ret
	fi

	set -o pipefail
	aws-vault login $1 --no-session --assume-role-ttl=12h -t `ykman oath code --single "$YKAWS_PROFILE" \| awk '{print $NF}'`
	ret=$?
	set +o pipefail
	return $ret
	}