get the prev days logins using a particular role

fetch_cloudwatch_hours.sh

#!/usr/bin/env bash

# Check if username argument is passed
if [ -z "$1" ]
  then
    echo "No argument supplied. Please provide username as an argument."
    exit 1
fi

username="$1"  # The username is taken from the first command line argument

mkdir -p out

# Set log group name
log_group_name='/aws/eks/saas-green/cluster' # replace with your log group name

# Get current date in Unix timestamp (seconds)
end_time=$(date +%s)

# Convert time to milliseconds
end_time=$((end_time*1000))

# Calculate an hour's worth of time in milliseconds
one_hour=$((60*60*1000))

for hour in $(seq 0 23); do
  # Calculate start and end times for this hour
  hour_start_time=$((end_time - hour*one_hour))
  hour_end_time=$((hour_start_time + one_hour))

  # Start the query
  query_id=$(aws logs start-query --log-group-name $log_group_name --start-time $hour_start_time --end-time $hour_end_time --query-string "fields @timestamp, @message | filter user.username=\"${username}\"" --query queryId --output text)

  # Allow the query to execute (can take several seconds to minutes depending on amount of logs)
  echo "Waiting for query results..."
  sleep 15

  # Fetch the query results
  aws logs get-query-results --query-id $query_id | jq -r '.results[] | .[] | select(.field == "@message") | .value' >> out/"$username".jsonl
done

jq -r '[if .user.username|type == "array" then (.user.username | join(";")) else .user.username end, if .user.extra.arn|type == "array" then (.user.extra.arn | join(";")) else .user.extra.arn end, if .user.extra.sessionName|type == "array" then (.user.extra.sessionName | join(";")) else .user.extra.sessionName end, if .userAgent|type == "array" then (.userAgent | join(";")) else .userAgent end, if .requestReceivedTimestamp|type == "array" then (.requestReceivedTimestamp | join(";")) else .requestReceivedTimestamp end] | @csv' out/"$username".jsonl > out/"$username".csv