shinitiandrei · July 19, 2022 03:16
diff --git a/login_aws.sh b/login_aws.sh
 #!/usr/bin/env bash

 # This uses MFA devices to get temporary (eg 12 hour) credentials.  Requires
 # a TTY for user input.
 #
 #

 if [ ! -t 0 ]
 then
  echo Must be on a tty >&2
  exit 255
 fi

 identity=$(aws sts get-caller-identity --profile mattr)
 username=$(echo -- "$identity" | sed -n 's!.*"arn:aws:iam::.*:user/\(.*\)".*!\1!p')
 if [ -z "$username" ]
 then
  echo "Can not identify who you are.  Looking for a line like
    arn:aws:iam::.....:user/FOO_BAR
 but did not find one in the output of
  aws sts get-caller-identity
 $identity" >&2
  exit 255
 fi

 echo You are: $username >&2

 mfa=$(aws iam list-mfa-devices --user-name "$username" --profile mattr)
 device=$(echo -- "$mfa" | sed -n 's!.*"SerialNumber": "\(.*\)".*!\1!p')
 if [ -z "$device" ]
 then
  echo "Can not find any MFA device for you.  Looking for a SerialNumber
 but did not find one in the output of
  aws iam list-mfa-devices --username \"$username\"
 $mfa" >&2
  exit 255
 fi

 echo Your MFA device is: $device >&2

 echo -n "Enter your MATTR GLOBAL MFA code now: " >&2
 read code

 tokens=$(aws sts get-session-token --serial-number "$device" --token-code $code --profile mattr)

 secret=$(echo -- "$tokens" | sed -n 's!.*"SecretAccessKey": "\(.*\)".*!\1!p')
 session=$(echo -- "$tokens" | sed -n 's!.*"SessionToken": "\(.*\)".*!\1!p')
 access=$(echo -- "$tokens" | sed -n 's!.*"AccessKeyId": "\(.*\)".*!\1!p')
 expire=$(echo -- "$tokens" | sed -n 's!.*"Expiration": "\(.*\)".*!\1!p')

 if [ -z "$secret" -o -z "$session" -o -z "$access" ]
 then
  echo "Unable to get temporary credentials.  Could not find secret/access/session entries
 $tokens" >&2
  exit 255
 fi

 echo 'Removing old mfa setting'
 if [ $(uname -s) == "Linux" ]; then
  sed -i '/mfa/,/^$/d' ~/.aws/credentials
 else
  sed -i '' '/mfa/,/^$/d' ~/.aws/credentials
 fi

 echo 'Removing old SSO platform setting'
 if [ $(uname -s) == "Linux" ]; then
  sed -i '/profile/,/^$/d' ~/.aws/credentials
 else
  sed -i '' '/profile/,/^$/d' ~/.aws/credentials
 fi

 echo 'Push new mfa token, key, id to credentials'
 echo AWS_SESSION_TOKEN=$session
 echo AWS_SECRET_ACCESS_KEY=$secret
 echo AWS_ACCESS_KEY_ID=$access

 echo [mattr-mfa] >> ~/.aws/credentials
 echo aws_session_token=$session >> ~/.aws/credentials
 echo aws_secret_access_key=$secret >> ~/.aws/credentials
 echo aws_access_key_id=$access >> ~/.aws/credentials

 echo Keys valid until $expire >&2

 SERVICES_SSO_PROFILES_ARRAY=( $(grep  -o '^[[]profile .*-services' ~/.aws/config | cut -d" " -f2) )
 KMS_SSO_PROFILES_ARRAY=( $(grep  -o '^[[]profile .*-kms' ~/.aws/config | cut -d" " -f2) )

 [[ -z "$SERVICES_SSO_PROFILES_ARRAY" && -z "$KMS_SSO_PROFILES_ARRAY" ]] && echo "No SSO services profiles in ~/.aws/config" && exit 0

 echo "Login to your FIRST SSO account using web browser"
 sleep 2
 aws sso login --profile "${SERVICES_SSO_PROFILES_ARRAY[0]}"
 echo "Credentials cached"
 SSO_ACCESS_TOKEN=$(grep 'mattrglobal.awsapps.com/start' ~/.aws/sso/cache/*.json | cut -d":" -f2- | jq .accessToken | tr -d '"')

 for SSO_PROFILE in "${SERVICES_SSO_PROFILES_ARRAY[@]}"
 do
  SSO_ACCOUNT_ID=$(grep "$SSO_PROFILE" ~/.aws/config -A4 | grep -m1 'sso_account_id' | cut -d" " -f3)
  SSO_ROLE_NAME=$(grep "$SSO_PROFILE" ~/.aws/config -A4 | grep -m1 'sso_role_name' | cut -d" " -f3)

  SSO_ROLE_CREDS=$(aws sso get-role-credentials \
    --region ap-southeast-2 \
    --role-name "$SSO_ROLE_NAME" \
    --account-id "$SSO_ACCOUNT_ID" \
    --access-token "$SSO_ACCESS_TOKEN" | jq .)

  SSO_SESSION_TOKEN=$(echo "$SSO_ROLE_CREDS" | jq .roleCredentials.sessionToken)
  SSO_ACCESS_KEY_ID=$(echo "$SSO_ROLE_CREDS" | jq .roleCredentials.accessKeyId)
  SSO_SECRET_ACCESS_KEY=$(echo "$SSO_ROLE_CREDS" | jq .roleCredentials.secretAccessKey)

  echo "" >> ~/.aws/credentials
  echo "[profile $SSO_PROFILE]" >> ~/.aws/credentials
  echo "aws_session_token=$SSO_SESSION_TOKEN" | tr -d '"' >> ~/.aws/credentials
  echo "aws_secret_access_key=$SSO_SECRET_ACCESS_KEY" | tr -d '"' >> ~/.aws/credentials
  echo "aws_access_key_id=$SSO_ACCESS_KEY_ID" | tr -d '"' >> ~/.aws/credentials
 done;

 for SSO_PROFILE in "${KMS_SSO_PROFILES_ARRAY[@]}"
 do
  SSO_ACCOUNT_ID=$(grep "$SSO_PROFILE" ~/.aws/config -A4 | grep -m1 'sso_account_id' | cut -d" " -f3)
  SSO_ROLE_NAME=$(grep "$SSO_PROFILE" ~/.aws/config -A4 | grep -m1 'sso_role_name' | cut -d" " -f3)

  SSO_ROLE_CREDS=$(aws sso get-role-credentials \
    --region ap-southeast-2 \
    --role-name "$SSO_ROLE_NAME" \
    --account-id "$SSO_ACCOUNT_ID" \
    --access-token "$SSO_ACCESS_TOKEN" | jq .)

  SSO_SESSION_TOKEN=$(echo "$SSO_ROLE_CREDS" | jq .roleCredentials.sessionToken)
  SSO_ACCESS_KEY_ID=$(echo "$SSO_ROLE_CREDS" | jq .roleCredentials.accessKeyId)
  SSO_SECRET_ACCESS_KEY=$(echo "$SSO_ROLE_CREDS" | jq .roleCredentials.secretAccessKey)

  echo "" >> ~/.aws/credentials
  echo "[profile $SSO_PROFILE]" >> ~/.aws/credentials
  echo "aws_session_token=$SSO_SESSION_TOKEN" | tr -d '"' >> ~/.aws/credentials
  echo "aws_secret_access_key=$SSO_SECRET_ACCESS_KEY" | tr -d '"' >> ~/.aws/credentials
  echo "aws_access_key_id=$SSO_ACCESS_KEY_ID" | tr -d '"' >> ~/.aws/credentials
 done;
	#!/usr/bin/env bash

	# This uses MFA devices to get temporary (eg 12 hour) credentials. Requires
	# a TTY for user input.
	#
	#

	if [ ! -t 0 ]
	then
	echo Must be on a tty >&2
	exit 255
	fi

	identity=$(aws sts get-caller-identity --profile mattr)
	username=$(echo -- "$identity" \| sed -n 's!."arn:aws:iam::.:user/\(.\)".!\1!p')
	if [ -z "$username" ]
	then
	echo "Can not identify who you are. Looking for a line like
	arn:aws:iam::.....:user/FOO_BAR
	but did not find one in the output of
	aws sts get-caller-identity
	$identity" >&2
	exit 255
	fi

	echo You are: $username >&2

	mfa=$(aws iam list-mfa-devices --user-name "$username" --profile mattr)
	device=$(echo -- "$mfa" \| sed -n 's!."SerialNumber": "\(.\)".*!\1!p')
	if [ -z "$device" ]
	then
	echo "Can not find any MFA device for you. Looking for a SerialNumber
	but did not find one in the output of
	aws iam list-mfa-devices --username \"$username\"
	$mfa" >&2
	exit 255
	fi

	echo Your MFA device is: $device >&2

	echo -n "Enter your MATTR GLOBAL MFA code now: " >&2
	read code

	tokens=$(aws sts get-session-token --serial-number "$device" --token-code $code --profile mattr)

	secret=$(echo -- "$tokens" \| sed -n 's!."SecretAccessKey": "\(.\)".*!\1!p')
	session=$(echo -- "$tokens" \| sed -n 's!."SessionToken": "\(.\)".*!\1!p')
	access=$(echo -- "$tokens" \| sed -n 's!."AccessKeyId": "\(.\)".*!\1!p')
	expire=$(echo -- "$tokens" \| sed -n 's!."Expiration": "\(.\)".*!\1!p')

	if [ -z "$secret" -o -z "$session" -o -z "$access" ]
	then
	echo "Unable to get temporary credentials. Could not find secret/access/session entries
	$tokens" >&2
	exit 255
	fi

	echo 'Removing old mfa setting'
	if [ $(uname -s) == "Linux" ]; then
	sed -i '/mfa/,/^$/d' ~/.aws/credentials
	else
	sed -i '' '/mfa/,/^$/d' ~/.aws/credentials
	fi

	echo 'Removing old SSO platform setting'
	if [ $(uname -s) == "Linux" ]; then
	sed -i '/profile/,/^$/d' ~/.aws/credentials
	else
	sed -i '' '/profile/,/^$/d' ~/.aws/credentials
	fi

	echo 'Push new mfa token, key, id to credentials'
	echo AWS_SESSION_TOKEN=$session
	echo AWS_SECRET_ACCESS_KEY=$secret
	echo AWS_ACCESS_KEY_ID=$access

	echo [mattr-mfa] >> ~/.aws/credentials
	echo aws_session_token=$session >> ~/.aws/credentials
	echo aws_secret_access_key=$secret >> ~/.aws/credentials
	echo aws_access_key_id=$access >> ~/.aws/credentials

	echo Keys valid until $expire >&2

	SERVICES_SSO_PROFILES_ARRAY=( $(grep -o '^[[]profile .*-services' ~/.aws/config \| cut -d" " -f2) )
	KMS_SSO_PROFILES_ARRAY=( $(grep -o '^[[]profile .*-kms' ~/.aws/config \| cut -d" " -f2) )

	[[ -z "$SERVICES_SSO_PROFILES_ARRAY" && -z "$KMS_SSO_PROFILES_ARRAY" ]] && echo "No SSO services profiles in ~/.aws/config" && exit 0

	echo "Login to your FIRST SSO account using web browser"
	sleep 2
	aws sso login --profile "${SERVICES_SSO_PROFILES_ARRAY[0]}"
	echo "Credentials cached"
	SSO_ACCESS_TOKEN=$(grep 'mattrglobal.awsapps.com/start' ~/.aws/sso/cache/*.json \| cut -d":" -f2- \| jq .accessToken \| tr -d '"')

	for SSO_PROFILE in "${SERVICES_SSO_PROFILES_ARRAY[@]}"
	do
	SSO_ACCOUNT_ID=$(grep "$SSO_PROFILE" ~/.aws/config -A4 \| grep -m1 'sso_account_id' \| cut -d" " -f3)
	SSO_ROLE_NAME=$(grep "$SSO_PROFILE" ~/.aws/config -A4 \| grep -m1 'sso_role_name' \| cut -d" " -f3)

	SSO_ROLE_CREDS=$(aws sso get-role-credentials \
	--region ap-southeast-2 \
	--role-name "$SSO_ROLE_NAME" \
	--account-id "$SSO_ACCOUNT_ID" \
	--access-token "$SSO_ACCESS_TOKEN" \| jq .)

	SSO_SESSION_TOKEN=$(echo "$SSO_ROLE_CREDS" \| jq .roleCredentials.sessionToken)
	SSO_ACCESS_KEY_ID=$(echo "$SSO_ROLE_CREDS" \| jq .roleCredentials.accessKeyId)
	SSO_SECRET_ACCESS_KEY=$(echo "$SSO_ROLE_CREDS" \| jq .roleCredentials.secretAccessKey)

	echo "" >> ~/.aws/credentials
	echo "[profile $SSO_PROFILE]" >> ~/.aws/credentials
	echo "aws_session_token=$SSO_SESSION_TOKEN" \| tr -d '"' >> ~/.aws/credentials
	echo "aws_secret_access_key=$SSO_SECRET_ACCESS_KEY" \| tr -d '"' >> ~/.aws/credentials
	echo "aws_access_key_id=$SSO_ACCESS_KEY_ID" \| tr -d '"' >> ~/.aws/credentials
	done;

	for SSO_PROFILE in "${KMS_SSO_PROFILES_ARRAY[@]}"
	do
	SSO_ACCOUNT_ID=$(grep "$SSO_PROFILE" ~/.aws/config -A4 \| grep -m1 'sso_account_id' \| cut -d" " -f3)
	SSO_ROLE_NAME=$(grep "$SSO_PROFILE" ~/.aws/config -A4 \| grep -m1 'sso_role_name' \| cut -d" " -f3)

	SSO_ROLE_CREDS=$(aws sso get-role-credentials \
	--region ap-southeast-2 \
	--role-name "$SSO_ROLE_NAME" \
	--account-id "$SSO_ACCOUNT_ID" \
	--access-token "$SSO_ACCESS_TOKEN" \| jq .)

	SSO_SESSION_TOKEN=$(echo "$SSO_ROLE_CREDS" \| jq .roleCredentials.sessionToken)
	SSO_ACCESS_KEY_ID=$(echo "$SSO_ROLE_CREDS" \| jq .roleCredentials.accessKeyId)
	SSO_SECRET_ACCESS_KEY=$(echo "$SSO_ROLE_CREDS" \| jq .roleCredentials.secretAccessKey)

	echo "" >> ~/.aws/credentials
	echo "[profile $SSO_PROFILE]" >> ~/.aws/credentials
	echo "aws_session_token=$SSO_SESSION_TOKEN" \| tr -d '"' >> ~/.aws/credentials
	echo "aws_secret_access_key=$SSO_SECRET_ACCESS_KEY" \| tr -d '"' >> ~/.aws/credentials
	echo "aws_access_key_id=$SSO_ACCESS_KEY_ID" \| tr -d '"' >> ~/.aws/credentials
	done;