Script to issue an STS token using one AWS profile's credentials and set another AWS profile's credentials from the result
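#!/bin/bash
# Issue an STS session token with one AWS profile (the MFA-bearing one) and
# store the resulting temporary credentials in another profile.
# Requires the aws CLI on PATH.

script_name=$(basename -- "$0")

# Terminal attributes used by the help text. tput fails (and prints an error)
# when there is no terminal/TERM, e.g. with redirected output; in that case the
# help is simply printed without bold, so the error output is suppressed here.
text_bold=$(tput bold 2>/dev/null)
text_normal=$(tput sgr0 2>/dev/null)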
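#######################################
# Print the usage text through the pager.
# Globals:   script_name, text_bold, text_normal (read)
#            PAGER (read; defaults to less)
# Outputs:   help text, via the pager
#######################################
showHelp() {
  # A here-document replaces 'echo -e': no escape processing, no word
  # splitting, and the text is readable in the source.
  "${PAGER:-less}" <<EOF
${script_name}

${text_bold}DESCRIPTION${text_normal}
    Issue an STS session token using the credentials of one AWS profile
    (the MFA profile) and store the resulting temporary credentials in
    another AWS profile with 'aws configure set'.

    See '${script_name} help' for descriptions of global parameters.

${text_bold}SYNOPSIS${text_normal}
    ${script_name}
        [--profile-mfa <value>]
        [--profile-set <value>]
        [--duration-seconds <value>]
        [--serial-number <value>]
        [--token-code <mfa-code>]

${text_bold}EXAMPLES${text_normal}
    Issue an STS token using the example.mfa profile to set the example profile:

        $ ${script_name} --profile-mfa example.mfa --profile-set example --duration-seconds 129600 --serial-number arn:aws:iam::000000000000:mfa/iam_user

        $ ${script_name} --profile-mfa example.mfa --profile-set example --duration-seconds 129600 --serial-number arn:aws:iam::000000000000:mfa/iam_user --token-code 000000
EOF
}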
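#######################################
# Print an error message to stderr and exit with status 1.
# Globals:   script_name (read)
# Arguments: message words
#######################################
die() {
  printf '%s: %s\n' "${script_name}" "$*" >&2
  exit 1
}

#######################################
# Parse the command line, call STS and write the temporary credentials.
# Globals:   script_name (read); aws must be on PATH
# Arguments: see showHelp
# Returns:   0 on success; 1 on usage error, aws failure or malformed output
#######################################
main() {
  local profile_mfa='' profile_set='' duration_seconds='' serial_number=''
  local token_code=''

  if (( $# == 0 )); then
    showHelp
    exit 1
  fi

  # Every option takes a value; an option given as the last word is an error
  # rather than silently assigning an empty string.
  while (( $# > 0 )); do
    case "$1" in
      --profile-mfa)
        (( $# >= 2 )) || die "$1 requires a value"
        profile_mfa=$2
        shift 2
        ;;
      --profile-set)
        (( $# >= 2 )) || die "$1 requires a value"
        profile_set=$2
        shift 2
        ;;
      --duration-seconds)
        (( $# >= 2 )) || die "$1 requires a value"
        duration_seconds=$2
        shift 2
        ;;
      --serial-number)
        (( $# >= 2 )) || die "$1 requires a value"
        serial_number=$2
        shift 2
        ;;
      --token-code)
        (( $# >= 2 )) || die "$1 requires a value"
        token_code=$2
        shift 2
        ;;
      help | --help | -h)
        showHelp
        exit 0
        ;;
      *)
        showHelp
        exit 1
        ;;
    esac
  done

  # Temporary credentials go to the default profile unless told otherwise.
  profile_set=${profile_set:-default}

  if [[ -n "$duration_seconds" && ! "$duration_seconds" =~ ^[0-9]+$ ]]; then
    die "--duration-seconds must be a non-negative integer"
  fi

  # The MFA code is a short-lived one-time value; prompt for it when it was
  # not given on the command line.
  if [[ -z "$token_code" ]]; then
    read -r -p 'Enter token code: ' token_code
    [[ -n "$token_code" ]] || die "--token-code is required"
  fi

  command -v aws >/dev/null 2>&1 || die "aws CLI not found in PATH"

  # Build argv as an array instead of a string fed to eval, so option values
  # containing spaces or shell metacharacters are passed through verbatim and
  # cannot be interpreted as shell syntax.
  local -a sts_args=(sts get-session-token --output text
    --query '*.[AccessKeyId,SecretAccessKey,SessionToken]')
  if [[ -n "$profile_mfa" ]]; then
    sts_args+=(--profile "$profile_mfa")
  fi
  if [[ -n "$duration_seconds" ]]; then
    sts_args+=(--duration-seconds "$duration_seconds")
  fi
  if [[ -n "$serial_number" ]]; then
    sts_args+=(--serial-number "$serial_number")
  fi
  if [[ -n "$token_code" ]]; then
    sts_args+=(--token-code "$token_code")
  fi

  local result
  result=$(aws "${sts_args[@]}") || exit 1

  # Text output is one whitespace-separated line:
  # AccessKeyId SecretAccessKey SessionToken. 'read' trims surrounding
  # whitespace, so no separate sed pass is needed for a trailing blank.
  local access_key_id secret_access_key session_token
  read -r access_key_id secret_access_key session_token <<<"$result"
  if [[ -z "$access_key_id" || -z "$secret_access_key" || -z "$session_token" ]]; then
    die "unexpected output from 'aws sts get-session-token'"
  fi

  # Each write is checked so a partially updated profile is reported instead
  # of exiting 0.
  aws configure set "profile.${profile_set}.aws_access_key_id" "$access_key_id" \
    || die "failed to write aws_access_key_id to profile ${profile_set}"
  aws configure set "profile.${profile_set}.aws_secret_access_key" "$secret_access_key" \
    || die "failed to write aws_secret_access_key to profile ${profile_set}"
  aws configure set "profile.${profile_set}.aws_session_token" "$session_token" \
    || die "failed to write aws_session_token to profile ${profile_set}"

  exit 0
}

main "$@"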
Usage examples:
Issue an STS token using the example.mfa profile to set the example profile
$ aws-sts.sh --profile-mfa example.mfa --profile-set example --duration-seconds 129600 --serial-number arn:aws:iam::000000000000:mfa/iam_user
# Passing code directly
$ aws-sts.sh --profile-mfa example.mfa --profile-set example --duration-seconds 129600 --serial-number arn:aws:iam::000000000000:mfa/iam_user --token-code 000000
To use with Yubikey Manager CLI
aws-sts.sh --profile-mfa example.mfa --profile-set example --duration-seconds 129600 --serial-number arn:aws:iam::000000000000:mfa/iam_user --token-code $(ykman oath accounts code -r -s "Amazon Web Services:iam-name@account" | tail -c 7)
Setup in macOS
curl -OJ https://gist.githubusercontent.com/joariasl/d2a4a05ec05b68218ea3ed9d9eeb27bb/raw/209c0c2b0c52bfd631ae1c1210f3bc657246cfa2/aws-sts.sh
chmod +x aws-sts.sh
sudo mv ~/aws-sts.sh /usr/local/bin/