Last active
June 30, 2020 10:09
-
-
Save soblom/88141de214b1d07910a0830362cad9b4 to your computer and use it in GitHub Desktop.
AWS Temporary Credits
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -o pipefail | |
| YK_MFA_NAME=$1 | |
| BASE_PROFILE=$2 | |
| AWS_CREDENTIALS_FILE="$HOME/.aws/credentials" | |
| function get_missing_base_info() { | |
| while [ -z "$YK_MFA_NAME" ]; do | |
| echo "Enter Token Name on YubiKey:" | |
| read -re YK_MFA_NAME | |
| done | |
| while [ -z "$BASE_PROFILE" ]; do | |
| echo "Enter Name of Base Profile:" | |
| read -re BASE_PROFILE | |
| done | |
| } | |
| function get_topt() { | |
| set +e | |
| AWS_MFA_SERIAL=$(aws configure get mfa_serial --profile "$BASE_PROFILE") | |
| if [ ! "$AWS_MFA_SERIAL" ]; then | |
| echo "Could not find AWS MFA Serial for profile \"$BASE_PROFILE\"" | |
| exit 1 | |
| fi | |
| OTP_TOKEN=$(ykman oath code "$YK_MFA_NAME" | awk '{print $2}') | |
| if [ -z "$OTP_TOKEN" ]; then | |
| echo "Something went wrong getting a token from your YubiKey." | |
| exit 1 | |
| fi | |
| set -e | |
| } | |
| function get_session_token() { | |
| echo "Getting Session Token from AWS" | |
| set +e | |
| SESSION_CREDS=$(aws sts get-session-token \ | |
| --serial-number "$AWS_MFA_SERIAL" \ | |
| --profile "$BASE_PROFILE" \ | |
| --token-code "$OTP_TOKEN") | |
| if [ -z "$SESSION_CREDS" ]; then | |
| echo "Something went wrong getting a session token." | |
| exit 1 | |
| fi | |
| set -e | |
| } | |
| function parse_session_credentials() { | |
| SESSION_VARS=($(jq -r '.Credentials | .AccessKeyId, .SecretAccessKey, .SessionToken, .Expiration' <<<"$SESSION_CREDS")) | |
| } | |
| function prepare_credentials_file() { | |
| local mfa_section=false | |
| local content='' | |
| while read -r line; do | |
| if [ $mfa_section = false ]; then | |
| [ "$line" = "[mfa]" ] && mfa_section=true || content+="$line"$'\n' | |
| else | |
| [[ "$line" =~ ^\[.*\] ]] && mfa_section=false && content+="$line"$'\n' | |
| fi | |
| echo "$content" | |
| done <"$AWS_CREDENTIALS_FILE" | |
| content+="[mfa]"$'\n' | |
| content+="aws_access_key_id = ${SESSION_VARS[0]}"$'\n' | |
| content+="aws_secret_access_key = ${SESSION_VARS[1]}"$'\n' | |
| content+="aws_session_token = ${SESSION_VARS[2]}" | |
| echo "$content"# >"$AWS_CREDENTIALS_FILE.tmp" | |
| } | |
| set -e | |
| get_missing_base_info | |
| get_topt | |
| get_session_token | |
| parse_session_credentials | |
| prepare_credentials_file | |
| echo "Updating credentials file" | |
| echo "Token valid until ${SESSION_VARS[3]}" | |
| mv "$AWS_CREDENTIALS_FILE.tmp" "$AWS_CREDENTIALS_FILE" | |
| exit 0 | |
| : <<'END_OF_DOCS' | |
| =head1 NAME | |
| aws-login -- Request temporary AWS credentials | |
| =head1 SYNOPSIS | |
| aws-login [OATH NAME] [AWS BASE PROFILE] | |
| =head1 DESCRIPTION | |
| aws-login gets temporary credentials for an AWS base | |
| profile using Multifactor Authentication. | |
| The script depends on the AWS CLI tools (aws) and the | |
| YubiKey Manager CLI (ykam) being installed. | |
| OATH NAME | |
| The name of the virtual MFA key stored on the | |
| YubiKey to be used. If not provided as a | |
| parameter, the script will ask for it. | |
| AWS BASE PROFILE | |
| The profile name with which temporary credentials | |
| should be obtained. If not provided as a | |
| parameter, the script will ask for it. | |
| The virtual MFA key needs to be associated with the | |
| account of the AWS BASE PROFILE | |
| If the script can obtain temporary credentials | |
| succesfully, it will update the ~/.aws/credentials file | |
| to included a [mfa] section. | |
| =head1 COPYRIGHT | |
| (c) 2020 Soeren Blom (@soblom) | |
| =cut | |
| END_OF_DOCS |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment