Fetch AWS STS keys and set environment variables
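#!/bin/zsh
# Fetch a 24-hour AWS STS session token and export it as environment variables
# in the calling shell.
# See http://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html .
# You must have jq installed and in your PATH https://stedolan.github.io/jq/ .
# Add this function to your .bashrc or save it to a file and source that file from .bashrc .
# Online: https://gist.github.com/hovissimo/c9119820a5a4f5a6081d93f87f1688b4
# Adapted from https://gist.github.com/ddgenome/f13f15dd01fb88538dd6fac8c7e73f8c
#
# usage: aws-creds AWS_PROFILE MFA_TOKEN [OTHER_AWS_STS_GET-SESSION-TOKEN_OPTIONS...]
# example: aws-creds staging 123456
#
# The named profile must carry a custom `aws_mfa_arn` key (read with
# `aws configure get`). Any further arguments are appended to the
# `sts get-session-token` command line.
#
# Returns 99 when a required argument is missing, 1 when the MFA ARN cannot be
# read from the profile, and a non-zero status when the STS call or the parsing
# of its response fails. On success AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and
# AWS_SESSION_TOKEN are exported and an eval-able line is printed to stdout.
#
# Needs zsh or bash >= 4.2 (for `typeset -g`).
function aws-creds () {
  local pkg=aws-creds
  if [[ ! $1 ]]; then
    echo "$pkg: missing required argument: AWS_PROFILE" 1>&2
    return 99
  fi
  if [[ ! $2 ]]; then
    echo "$pkg: missing required argument: MFA_TOKEN" 1>&2
    return 99
  fi
  # Locals so the profile name and the one-time code never reach the environment.
  local AWS_PROFILE="$1"
  local MFA_TOKEN="$2"

  # De-export any session credentials already present so they cannot influence
  # the `aws` calls below; the values themselves are kept until overwritten.
  # `-g` matters: inside a function a bare `typeset`/`declare` (zsh and bash)
  # creates a *local* of that name, so the final `export` would die with the
  # function and the caller's shell would never see the new credentials.
  typeset -g +x AWS_ACCESS_KEY_ID
  typeset -g +x AWS_SECRET_ACCESS_KEY
  typeset -g +x AWS_SESSION_TOKEN

  local AWS_MFA_ARN
  AWS_MFA_ARN=$(aws --profile "$AWS_PROFILE" configure get aws_mfa_arn)
  if [[ ! $AWS_MFA_ARN ]]; then
    echo "$pkg: failed to get aws_mfa_arn from profile $AWS_PROFILE" 1>&2
    return 1
  fi

  local rv creds_json
  creds_json=$(aws --profile "$AWS_PROFILE" --output json sts get-session-token --duration-seconds 86400 --serial-number "$AWS_MFA_ARN" --token-code "$MFA_TOKEN" "${@:3}")
  rv="$?"
  if [[ $rv -ne 0 || ! $creds_json ]]; then
    # An empty response with exit 0 must not be reported as success.
    [[ $rv -ne 0 ]] || rv=1
    echo "$pkg: failed to get credentials: $creds_json" 1>&2
    return "$rv"
  fi

  # Parse into locals first so a failure half-way leaves the caller's
  # AWS_* variables untouched rather than in a mixed old/new state.
  # The raw response is deliberately not echoed in these error messages:
  # once the STS call has succeeded it contains the secret key and token.
  local access_key_id secret_access_key session_token
  access_key_id=$(jq --exit-status --raw-output .Credentials.AccessKeyId <<<"$creds_json")
  rv="$?"
  if [[ $rv -ne 0 || ! $access_key_id ]]; then
    [[ $rv -ne 0 ]] || rv=1
    echo "$pkg: failed to parse output for AWS_ACCESS_KEY_ID" 1>&2
    return "$rv"
  fi
  secret_access_key=$(jq --exit-status --raw-output .Credentials.SecretAccessKey <<<"$creds_json")
  rv="$?"
  if [[ $rv -ne 0 || ! $secret_access_key ]]; then
    [[ $rv -ne 0 ]] || rv=1
    echo "$pkg: failed to parse output for AWS_SECRET_ACCESS_KEY" 1>&2
    return "$rv"
  fi
  session_token=$(jq --exit-status --raw-output .Credentials.SessionToken <<<"$creds_json")
  rv="$?"
  if [[ $rv -ne 0 || ! $session_token ]]; then
    [[ $rv -ne 0 ]] || rv=1
    echo "$pkg: failed to parse output for AWS_SESSION_TOKEN" 1>&2
    return "$rv"
  fi

  # All three parsed: publish them to the caller's shell in one step.
  AWS_ACCESS_KEY_ID=$access_key_id
  AWS_SECRET_ACCESS_KEY=$secret_access_key
  AWS_SESSION_TOKEN=$session_token
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

  # Eval-able line for pasting into another shell. Be aware that this writes
  # the secret key and session token to stdout (terminal scrollback, logs).
  printf 'AWS_ACCESS_KEY_ID=%s; AWS_SECRET_ACCESS_KEY=%s; AWS_SESSION_TOKEN=%s; export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN\n' \
    "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" "$AWS_SESSION_TOKEN"
}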