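#!/usr/bin/env bash
# Bootstrap an IAM user for CLI use: create the user, mint one access key,
# attach the requested group(s)/policy(ies), and print the credentials.
#
# Usage: script [USER] [GROUPS_OR_POLICIES] [KEYFILE]   (see main below)
set -euo pipefail

# Configuration
# NOTE(review): the two fallbacks below grant *full* administrative rights to
# the new user. Pass an explicit, least-privilege group or policy as $2 unless
# an admin CLI user is genuinely what you want.
readonly DEFAULT_USER_SUFFIX="-cli"
readonly DEFAULT_GROUP="Admins"
readonly DEFAULT_POLICY="AdministratorAccess"
readonly AWS_CREDENTIALS_FILE="$HOME/.aws/credentials"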
| # Functions | |
# Write a timestamped diagnostic line to stderr. Stdout is reserved for the
# credentials printed at the end, so nothing diagnostic may go there.
log() {
  local stamp
  stamp=$(date +'%Y-%m-%d %H:%M:%S')
  printf '[%s] %s\n' "$stamp" "$*" >&2
}
# Report a fatal problem via log() and abort the whole script with status 1.
error() {
  local msg="ERROR: $*"
  log "$msg"
  exit 1
}
# Create IAM user $1 unless it already exists (safe to re-run).
# Aborts via error() if the create call fails.
create_user() {
  local name=$1
  if aws iam get-user --user-name "$name" &>/dev/null; then
    log "User already exists: $name"
    return 0
  fi
  log "Creating user: $name"
  aws iam create-user --user-name "$name" || error "Failed to create user"
}
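# Create an access key for IAM user $1 and store the CLI's JSON response at $2.
# Skipped when the file already exists, so a re-run never mints a second key.
#
# The file holds a long-lived secret, so it is written 0600 inside a 0700
# directory (the original relied on the caller's umask and on ~/.aws/keys
# already existing). The CLI output goes to a temp file that is only renamed
# into place on success: a failed run must not leave an empty "$keyfile"
# behind, because the existence check above would then skip key creation on
# every later run.
create_access_key() {
  local user=$1
  local keyfile=$2
  local keydir tmp
  if [[ -f "$keyfile" ]]; then
    log "Access key file already exists: $keyfile"
    return 0
  fi
  keydir=$(dirname -- "$keyfile")
  mkdir -p -m 700 -- "$keydir" || error "Cannot create key directory: $keydir"
  # Temp file in the destination directory so the final mv is an atomic rename.
  tmp=$(mktemp -- "$keydir/.accessKeys.XXXXXX") || error "mktemp failed in $keydir"
  chmod 600 -- "$tmp"
  log "Creating new access key for user: $user"
  if ! aws iam create-access-key --user-name "$user" > "$tmp"; then
    rm -f -- "$tmp"
    error "Failed to create access key"
  fi
  mv -f -- "$tmp" "$keyfile" || { rm -f -- "$tmp"; error "Cannot write $keyfile"; }
}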
# Add IAM user $1 to the existing group $2. Aborts via error() when the group
# is missing or the membership call fails.
add_user_to_group() {
  local member=$1
  local grp=$2
  aws iam get-group --group-name "$grp" &>/dev/null \
    || error "Group does not exist: $grp"
  log "Adding user '$member' to group '$grp'"
  aws iam add-user-to-group --user-name "$member" --group-name "$grp" \
    || error "Failed to add user to group"
}
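# Attach the managed policy named $2 to IAM user $1.
#
# The name is resolved to an ARN through a JMESPath filter. JMESPath has no
# parameter binding, so the name is interpolated into the query string; it is
# therefore validated against the IAM policy-name character set first so a
# stray quote cannot rewrite the filter. `--output text` joins several matches
# with tabs (an AWS-managed and a customer-managed policy may share a
# PolicyName); such an ambiguous name is refused instead of attaching
# whichever one happens to be listed first. Aborts via error() on any failure.
attach_user_policy() {
  local user=$1
  local policy=$2
  local policy_arn
  # IAM policy names allow letters, digits and + = , . @ _ -
  [[ "$policy" =~ ^[A-Za-z0-9+=,.@_-]+$ ]] || error "Invalid policy name: $policy"
  # Assign separately from 'local' so a failed CLI call is not masked.
  policy_arn=$(aws iam list-policies \
      --query "Policies[?PolicyName=='$policy'].Arn" --output text) \
    || error "Failed to list policies"
  [[ -n "$policy_arn" ]] || error "Policy does not exist: $policy"
  if [[ "$policy_arn" == *$'\t'* ]]; then
    error "Policy name '$policy' is ambiguous, refusing to guess between: $policy_arn"
  fi
  log "Attaching policy '$policy' to user '$user'"
  aws iam attach-user-policy --user-name "$user" --policy-arn "$policy_arn" \
    || error "Failed to attach policy"
}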
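# Print the credentials stored in key file $1 (the JSON written by
# `aws iam create-access-key`) both as shell exports and as a profile stanza
# for $AWS_CREDENTIALS_FILE. The profile name is $2; when omitted it falls
# back to the script-level $user the original relied on implicitly.
#
# This deliberately writes a long-lived secret to stdout: redirect it with
# care, and do not run the script under `set -x` or inside a CI log.
# Aborts via error() if the file is unreadable or lacks either field
# (jq -e makes a null/missing value a non-zero exit).
output_credentials() {
  local keyfile=$1
  local profile=${2:-${user:-}}
  local access_key_id secret_access_key
  [[ -r "$keyfile" ]] || error "Cannot read key file: $keyfile"
  access_key_id=$(jq -er .AccessKey.AccessKeyId "$keyfile") \
    || error "Key file has no AccessKey.AccessKeyId: $keyfile"
  secret_access_key=$(jq -er .AccessKey.SecretAccessKey "$keyfile") \
    || error "Key file has no AccessKey.SecretAccessKey: $keyfile"
  printf 'Export these environment variables:\n'
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$access_key_id"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret_access_key"
  printf '\nOr add this to your %s:\n' "$AWS_CREDENTIALS_FILE"
  printf '[%s]\n' "$profile"
  printf 'aws_access_key_id = %s\n' "$access_key_id"
  printf 'aws_secret_access_key = %s\n' "$secret_access_key"
}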
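# Main script
#
# Usage: script [USER] [GROUPS_OR_POLICIES] [KEYFILE]
#   USER                IAM user name (default: "$USER-cli")
#   GROUPS_OR_POLICIES  comma-separated; each item is treated as a group if one
#                       by that name exists, otherwise as a managed-policy
#                       name. Default: the Admins group, or AdministratorAccess
#                       if that group is missing — i.e. full admin rights.
#                       Prefer passing an explicit least-privilege value.
#   KEYFILE             where the access-key JSON is stored
#                       (default: ~/.aws/keys/<user>_<account>_accessKeys.json)
#
# Needs the aws CLI (already authenticated with IAM write rights) and jq.
# Prints the new credentials to stdout.
main() {
  local tool user groups_or_policies keyfile account_id item
  local -a items=()

  for tool in aws jq; do
    command -v "$tool" >/dev/null 2>&1 || error "Required tool not found: $tool"
  done

  # $USER is not guaranteed to be set (cron, containers); fall back to id(1).
  user="${1:-${USER:-$(id -un)}$DEFAULT_USER_SUFFIX}"
  groups_or_policies="${2:-}"
  if [[ -n "${3:-}" ]]; then
    keyfile=$3
  else
    # Resolve the account up front so an unauthenticated caller gets a message
    # instead of a silent exit from a failed substitution inside ${3:-...}.
    account_id=$(aws sts get-caller-identity --query Account --output text) \
      || error "Cannot determine AWS account id; are the caller's credentials valid?"
    keyfile="$HOME/.aws/keys/${user}_${account_id}_accessKeys.json"
  fi

  create_user "$user"
  create_access_key "$user" "$keyfile"

  if [[ -n "$groups_or_policies" ]]; then
    IFS=',' read -ra items <<< "$groups_or_policies"
    for item in "${items[@]}"; do
      [[ -n "$item" ]] || continue   # tolerate "a,,b" and trailing commas
      if aws iam get-group --group-name "$item" &>/dev/null; then
        add_user_to_group "$user" "$item"
      else
        attach_user_policy "$user" "$item"
      fi
    done
  elif aws iam get-group --group-name "$DEFAULT_GROUP" &>/dev/null; then
    add_user_to_group "$user" "$DEFAULT_GROUP"
  else
    attach_user_policy "$user" "$DEFAULT_POLICY"
  fi

  output_credentials "$keyfile" "$user"
}

main "$@"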