AWS CLI utilities to hook into e.g. ~/.profile
# It's inconvenient to pollute known_hosts with temporary AWS EC2 instances - use aws_ssh instead of ssh to ssh into EC2 instances.
#
# Security note: with these two options ssh neither records nor verifies the server's host key
# (UserKnownHostsFile=/dev/null discards it, StrictHostKeyChecking=no accepts any key), so the
# server side of the connection is not authenticated and an interception on the network path
# would go unnoticed. Use this alias only for short-lived instances. Avoid agent forwarding or
# typing secrets over it unless the host key was checked another way, e.g. against the
# fingerprint the instance prints to its console output on first boot.
alias aws_ssh='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
#
# This function makes it easy to switch between AWS CLI profiles. If necessary, it will also assume the given role.
#
# usage:
# set-aws-profile rolename[@accountname]
#
# "rolename": the profilename as defined in your ~/.aws/config
# "accountname": if given, will be used to assume the role "arn:aws:iam::${account_name}:role/${role_name}" for 60mins
#
# Notes:
# this function expects that you defined your aws profiles in ~/.aws/credentials and ~/.aws/config according to the above name scheme <rolename>@<accountname>
# e.g.
# in ~/.aws/credentials:
#
# [my_credentials]
# aws_access_key_id = XXXXXXX
# aws_secret_access_key = xyzxyzxyzxyzxyzxyz
#
# and in ~/.aws/config
#
# [profile myrole@myaccount]
# role_arn = arn:aws:iam::myaccount:role/myrole
# source_profile = my_credentials
# mfa_serial = arn:aws:iam::myaccount:mfa/my_username
# output = json
# region = eu-central-1
#
# this allows you to call
#
# $ set-aws-profile myrole@myaccount
#
# to a) switch to your aws config profile myrole@myaccount and b) assume the role myrole in myaccount
#
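function set-aws-profile() {
  # Switch the current shell to the AWS CLI profile named in $1. When the name
  # has the form <role>@<account>, additionally call "aws sts assume-role" and
  # export the returned temporary credentials.
  #
  # Arguments: $1 - profile name as defined in ~/.aws/config
  # Exports:   AWS_PROFILE, AWS_DEFAULT_PROFILE; after a successful assume-role
  #            also AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
  # Returns:   0 on success; 1 if the role could not be assumed or the response
  #            held no usable credentials (the profile stays selected)

  # Clear everything first so credentials of a previously selected profile
  # cannot linger next to the new one.
  unset AWS_ACCESS_KEY_ID
  unset AWS_SECRET_ACCESS_KEY
  unset AWS_SESSION_TOKEN
  unset AWS_DEFAULT_PROFILE
  unset AWS_PROFILE

  # Working variables are local so they do not leak into the interactive shell.
  local session_name="fs-cli"
  local profile="$1"
  local role account role_arn creds_json key_id secret token

  # Take a note here, I keep forgetting this:
  # ${MYVAR#pattern} # delete shortest match of pattern from the beginning
  # ${MYVAR##pattern} # delete longest match of pattern from the beginning
  # ${MYVAR%pattern} # delete shortest match of pattern from the end
  # ${MYVAR%%pattern} # delete longest match of pattern from the end
  case "$profile" in
    *@*)
      role="${profile%%@*}"   # drop anything after first @
      account="${profile#*@}" # drop anything before and including first @
      ;;
    *)
      # No @ in the name: a plain profile with nothing to assume. Without
      # this branch the prefix strip would leave account equal to the whole
      # profile name and a bogus role ARN would be requested.
      role="$profile"
      account=""
      ;;
  esac

  export AWS_DEFAULT_PROFILE="${profile}"
  export AWS_PROFILE="${profile}" # terraform seems to like this

  echo "Profile: '$profile'"
  echo "Role: '$role'"
  echo "Account: '$account'"

  # An empty or blank-only account means there is no role to assume.
  if [ -z "${account// }" ]; then
    echo "switched to aws profile '$profile'"
    return 0
  fi

  role_arn="arn:aws:iam::${account}:role/${role}"

  # Keep the STS response in a shell variable. Writing it to a file in the
  # current directory would leave secret key material on disk under a
  # predictable name, readable per the umask, and left behind if the function
  # is interrupted. A stale file of that name could also be picked up as
  # credentials on a later call.
  # --output json pins the format regardless of the profile's "output" setting.
  if ! creds_json=$(aws sts assume-role --output json --duration-seconds 3600 \
    --role-session-name "${session_name}" --role-arn "${role_arn}"); then
    echo "could not assume role '${role_arn}'; profile '$profile' is selected but no temporary credentials were exported" >&2
    return 1
  fi

  # jq -r prints raw strings, so no quote stripping is needed; "// empty"
  # turns a missing field into empty output instead of the literal "null".
  key_id=$(printf '%s' "$creds_json" | jq -r '.Credentials.AccessKeyId // empty')
  secret=$(printf '%s' "$creds_json" | jq -r '.Credentials.SecretAccessKey // empty')
  token=$(printf '%s' "$creds_json" | jq -r '.Credentials.SessionToken // empty')

  # Export all three or none: a partial set would produce confusing auth errors.
  if [ -z "$key_id" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "assume-role response for '${role_arn}' contained no usable credentials (is jq installed?)" >&2
    return 1
  fi

  export AWS_ACCESS_KEY_ID="$key_id"
  export AWS_SECRET_ACCESS_KEY="$secret"
  export AWS_SESSION_TOKEN="$token"
  echo "assumed role 'arn:aws:iam::${account}:role/${role}' and switched to profile '$profile'"
}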