strebitz · February 9, 2021 15:05 · russellballestrini · Oct 6, 2020
diff --git a/aws-sts-functions.sh b/aws-sts-functions.sh
 #!/bin/bash

 # Add these functions to your bash_profile or bash_rc
 # Dependencies:
 #   - awscli - AWS command line client
 #   - jq - Command-line JSON processor

 function cfn-validate-template() {
 for template in $@
 do
  aws cloudformation validate-template --template-body file://${template}
 done
 }

 function get-mfa-serial() {
 AWSCLI_PROFILE="default"

 OPTIND=1
 while getopts ":p:" opt
 do
  case ${opt} in
    p)
      AWSCLI_PROFILE="profile ${OPTARG}"
      ;;
    \?)
      echo "Invalid option: -${OPTARG}" >&2
      return 1
      ;;
    :)
      echo "Error: Option -${OPTARG} requires an argument" >&2
      return 1
      ;;
  esac
 done

 awk -F' = ' -v section="[${AWSCLI_PROFILE}]" -v key="mfa_serial" '$0==section{ line=1; next } /\[/{ line=0; next } line && $1==key{ gsub("mfa_serial = ", "",$0); print $0 }' ~/.aws/config
 }

 function get-session-token() {
 AWSMFA_SERIAL="$(get-mfa-serial)"
 AWSCLI_STS_COMMAND="get-session-token"

 unset AWSCLI_OPTIONS
 unset AWSCLI_STS_OPTIONS
 unset AWSMFA_CREDENTIALS

 OPTIND=1
 while getopts ":p:r:h" opt
 do
  case ${opt} in
    h)
      echo "Usage: get-session-token [-p awscli-profile] [-r AWS_IAM_ROLE_ARN] | -h"
      echo -e "  -h\tprint this help screen"
      echo -e "  -p\trequest credentials using the given awscli profile instead of the default one"
      echo -e "  -r\trequest credentials for the given IAM role ARN - can be combined with option '-p'"
      return 0
      ;;
    p)
      AWSCLI_OPTIONS=( "${AWSCLI_OPTIONS[@]}" "--profile ${OPTARG}" )
      AWSMFA_SERIAL="$(get-mfa-serial -p ${OPTARG})"
      ;;
    r)
      AWSCLI_STS_COMMAND="assume-role"
      AWSCLI_STS_OPTIONS=( "${AWSCLI_STS_OPTIONS[@]}" "--role-arn ${OPTARG}" )
      AWSCLI_STS_OPTIONS=( "${AWSCLI_STS_OPTIONS[@]}" "--role-session-name ${USER}" )
      ;;
    \?)
      echo "Invalid option: -${OPTARG}" >&2
      return 1
      ;;
    :)
      unset OPTARG_DESCRIPTION

      case ${OPTARG} in
        p)
          OPTARG_DESCRIPTION="aws-cli profile"
          ;;
        r)
          OPTARG_DESCRIPTION="aws iam role-arn"
          ;;
      esac

      echo "Error: Option -${OPTARG} requires an argument: '${OPTARG_DESCRIPTION}'" >&2
      return 1
      ;;
  esac
 done

 if [ -n "${AWSMFA_SERIAL}" ]
 then
  read -s -p "Enter MFA code: " token_code && echo 
  AWSMFA_CREDENTIALS=( "--serial-number ${AWSMFA_SERIAL}" "--token-code ${token_code}" )
 fi

 reset-session-token
 aws_session_information=$(aws ${AWSCLI_OPTIONS[@]} sts ${AWSCLI_STS_COMMAND} ${AWSCLI_STS_OPTIONS[@]} ${AWSMFA_CREDENTIALS[@]})

 export AWS_ACCESS_KEY_ID=$(echo ${aws_session_information} | jq -r .Credentials.AccessKeyId)
 export AWS_SECRET_ACCESS_KEY=$(echo ${aws_session_information} | jq -r .Credentials.SecretAccessKey)
 export AWS_SESSION_TOKEN=$(echo ${aws_session_information} | jq -r .Credentials.SessionToken)
 }

 function reset-session-token() {
 for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
 do
  unset ${var}
 done
 }
	#!/bin/bash

	# Add these functions to your bash_profile or bash_rc
	# Dependencies:
	# - awscli - AWS command line client
	# - jq - Command-line JSON processor

	function cfn-validate-template() {
	for template in $@
	do
	aws cloudformation validate-template --template-body file://${template}
	done
	}

	function get-mfa-serial() {
	AWSCLI_PROFILE="default"

	OPTIND=1
	while getopts ":p:" opt
	do
	case ${opt} in
	p)
	AWSCLI_PROFILE="profile ${OPTARG}"
	;;
	\?)
	echo "Invalid option: -${OPTARG}" >&2
	return 1
	;;
	:)
	echo "Error: Option -${OPTARG} requires an argument" >&2
	return 1
	;;
	esac
	done

	awk -F' = ' -v section="[${AWSCLI_PROFILE}]" -v key="mfa_serial" '$0==section{ line=1; next } /\[/{ line=0; next } line && $1==key{ gsub("mfa_serial = ", "",$0); print $0 }' ~/.aws/config
	}

	function get-session-token() {
	AWSMFA_SERIAL="$(get-mfa-serial)"
	AWSCLI_STS_COMMAND="get-session-token"

	unset AWSCLI_OPTIONS
	unset AWSCLI_STS_OPTIONS
	unset AWSMFA_CREDENTIALS

	OPTIND=1
	while getopts ":p:r:h" opt
	do
	case ${opt} in
	h)
	echo "Usage: get-session-token [-p awscli-profile] [-r AWS_IAM_ROLE_ARN] \| -h"
	echo -e " -h\tprint this help screen"
	echo -e " -p\trequest credentials using the given awscli profile instead of the default one"
	echo -e " -r\trequest credentials for the given IAM role ARN - can be combined with option '-p'"
	return 0
	;;
	p)
	AWSCLI_OPTIONS=( "${AWSCLI_OPTIONS[@]}" "--profile ${OPTARG}" )
	AWSMFA_SERIAL="$(get-mfa-serial -p ${OPTARG})"
	;;
	r)
	AWSCLI_STS_COMMAND="assume-role"
	AWSCLI_STS_OPTIONS=( "${AWSCLI_STS_OPTIONS[@]}" "--role-arn ${OPTARG}" )
	AWSCLI_STS_OPTIONS=( "${AWSCLI_STS_OPTIONS[@]}" "--role-session-name ${USER}" )
	;;
	\?)
	echo "Invalid option: -${OPTARG}" >&2
	return 1
	;;
	:)
	unset OPTARG_DESCRIPTION

	case ${OPTARG} in
	p)
	OPTARG_DESCRIPTION="aws-cli profile"
	;;
	r)
	OPTARG_DESCRIPTION="aws iam role-arn"
	;;
	esac

	echo "Error: Option -${OPTARG} requires an argument: '${OPTARG_DESCRIPTION}'" >&2
	return 1
	;;
	esac
	done

	if [ -n "${AWSMFA_SERIAL}" ]
	then
	read -s -p "Enter MFA code: " token_code && echo
	AWSMFA_CREDENTIALS=( "--serial-number ${AWSMFA_SERIAL}" "--token-code ${token_code}" )
	fi

	reset-session-token
	aws_session_information=$(aws ${AWSCLI_OPTIONS[@]} sts ${AWSCLI_STS_COMMAND} ${AWSCLI_STS_OPTIONS[@]} ${AWSMFA_CREDENTIALS[@]})

	export AWS_ACCESS_KEY_ID=$(echo ${aws_session_information} \| jq -r .Credentials.AccessKeyId)
	export AWS_SECRET_ACCESS_KEY=$(echo ${aws_session_information} \| jq -r .Credentials.SecretAccessKey)
	export AWS_SESSION_TOKEN=$(echo ${aws_session_information} \| jq -r .Credentials.SessionToken)
	}

	function reset-session-token() {
	for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
	do
	unset ${var}
	done
	}