Skip to content

Instantly share code, notes, and snippets.

@habib-sadullaev

habib-sadullaev/Revoke temp session token for AWS

Last active March 4, 2024 11:13
Show Gist options
  • Save habib-sadullaev/e6436c89076c5e7d034ef3d2063b1df3 to your computer and use it in GitHub Desktop.
Save habib-sadullaev/e6436c89076c5e7d034ef3d2063b1df3 to your computer and use it in GitHub Desktop.
Download ZIP
temporary credentials for an Amazon Web Services account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token
Raw
Revoke temp session token for AWS
#r "nuget:AWSSDK.SecurityToken"
open Amazon
open Amazon.Runtime.CredentialManagement
open Amazon.SecurityToken
open Amazon.SecurityToken.Model
let awsCredentials profile =
let chain = CredentialProfileStoreChain()
match chain.TryGetAWSCredentials profile with
| true, awsCredentials -> awsCredentials
| false, _ -> failwith $"invalid profile name '{profile}'"
let sessionTokenRequest serialNumber durationSeconds tokenCode =
GetSessionTokenRequest(
SerialNumber = serialNumber,
TokenCode = tokenCode,
DurationSeconds = durationSeconds
)
let sessionTokenResponse sessionTokenRequest (client: AmazonSecurityTokenServiceClient) =
try
use _ = client
client.GetSessionTokenAsync(request = sessionTokenRequest).GetAwaiter().GetResult()
with :? AmazonSecurityTokenServiceException as exn -> failwith exn.Message
let profileOptions (credentials: Credentials) =
CredentialProfileOptions(
AccessKey = credentials.AccessKeyId,
SecretKey = credentials.SecretAccessKey,
Token = credentials.SessionToken
)
let profile profileName region profileOptions =
CredentialProfile(profileName, profileOptions, Region = region)
let registerProfile profile =
let sharedProfile = SharedCredentialsFile()
sharedProfile.RegisterProfile profile
let stsClient credentials = new AmazonSecurityTokenServiceClient(credentials = credentials)
let revokeTempProfile mfaProfile serialNumber region mfaCode =
let request = sessionTokenRequest serialNumber 129_600 mfaCode
mfaProfile
|> awsCredentials
|> stsClient
|> sessionTokenResponse request
|> _.Credentials
|> profileOptions
|> profile "default" region
|> registerProfile
let mfaCode = System.Console.ReadLine()
revokeTempProfile
<mfa profile>
<mfa serial number>
<region>
mfaCode
System.Console.WriteLine "Done!!!"
Raw
using SSO v1
#r "nuget:AWSSDK.SSOOIDC"
#r "nuget:AWSSDK.SSO"
open System.Diagnostics
open Amazon
open Amazon.Runtime.CredentialManagement
open Amazon.Runtime
let ssoCredentials profile =
let chain = CredentialProfileStoreChain()
let credentials =
match chain.TryGetAWSCredentials profile with
| true, value -> value
| false, _ -> failwith $"Failed to find the {profile} profile"
let ssoCredentials = credentials :?> SSOAWSCredentials
ssoCredentials.Options.ClientName <- "Example-SSO-App";
ssoCredentials.Options.SsoVerificationCallback <- fun args ->
// Launch a browser window that prompts the SSO user to complete an SSO sign-in.
// This method is only invoked if the session doesn't already have a valid SSO token.
// NOTE: Process.Start might not support launching a browser on macOS or Linux. If not,
// use an appropriate mechanism on those systems instead.
Process.Start(ProcessStartInfo(
FileName = args.VerificationUriComplete,
UseShellExecute = true
)) |> ignore
ssoCredentials
let ssoProfileOptions (credentials: ImmutableCredentials) =
CredentialProfileOptions(
AccessKey = credentials.AccessKey,
SecretKey = credentials.SecretKey,
Token = credentials.Token
)
let profile profileName region profileOptions =
CredentialProfile(profileName, profileOptions, Region = region)
let registerProfile profile =
let sharedProfile = SharedCredentialsFile()
sharedProfile.RegisterProfile profile
let revokeTempProfileSSO ssoProfile region =
ssoProfile
|> ssoCredentials
|> _.GetCredentials()
|> ssoProfileOptions
|> profile "default" region
|> registerProfile
revokeTempProfileSSO <sso profile> <region>
System.Console.WriteLine "Done!!!"
Raw
using SSO v2
#r "nuget:AWSSDK.SSOOIDC"
#r "nuget:AWSSDK.SSO"
open System.Diagnostics
open Amazon
open Amazon.Runtime.CredentialManagement
open Amazon.Runtime
let ssoCredentials profile =
let startInfo = ProcessStartInfo(
FileName = "aws",
Arguments = $"sso login --profile {profile}",
UseShellExecute = false,
RedirectStandardOutput = true,
RedirectStandardError = true)
use process' = new Process(StartInfo = startInfo)
process'.OutputDataReceived.AddHandler(fun _ e -> printfn "%s" e.Data)
process'.Start() |> ignore
process'.BeginOutputReadLine()
process'.WaitForExit()
if process'.ExitCode <> 0 then
failwithf "%s" <| process'.StandardError.ReadToEnd()
let chain = CredentialProfileStoreChain()
let _, awsCredential = chain.TryGetAWSCredentials profile
awsCredential :?> SSOAWSCredentials
let ssoProfileOptions (credentials: ImmutableCredentials) =
CredentialProfileOptions(
AccessKey = credentials.AccessKey,
SecretKey = credentials.SecretKey,
Token = credentials.Token
)
let profile profileName region profileOptions =
CredentialProfile(profileName, profileOptions, Region = region)
let registerProfile profile =
let sharedProfile = SharedCredentialsFile()
sharedProfile.RegisterProfile profile
let revokeTempProfileSSO ssoProfile region =
ssoProfile
|> ssoCredentials
|> _.GetCredentials()
|> ssoProfileOptions
|> profile "default" region
|> registerProfile
revokeTempProfileSSO <sso profile> <region>
printfn "Done!!!"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment