Fetch AWS STS keys and set environment variables
#!/bin/bash
# Fetch a 24-hour AWS STS session token and set the appropriate environment variables.
# See http://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html .
# You must have jq installed and in your PATH https://stedolan.github.io/jq/ .
# Add this function to your .bashrc or save it to a file and source that file from .bashrc .
# https://gist.github.com/ddgenome/f13f15dd01fb88538dd6fac8c7e73f8c
#
# usage: aws-creds MFA_TOKEN [OTHER_AWS_STS_GET-SESSION-TOKEN_OPTIONS...]
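function aws-creds () {
  # Exchange the current MFA code for temporary STS credentials and export them
  # into the calling shell.
  #
  # Arguments: $1    - MFA token code
  #            $2... - extra options passed unchanged to `aws sts get-session-token`
  # Globals:   reads AWS_IAM_USER (falls back to whoami), AWS_ACCOUNT and
  #            AWS_CREDS_DURATION (seconds, default 86400); sets and exports
  #            AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
  # Outputs:   one shell line with the new credentials on stdout (meant to be
  #            pasted into another shell); diagnostics on stderr
  # Returns:   0 on success; 99 if MFA_TOKEN is missing; 127 if jq is not in
  #            PATH; 10 if the IAM user cannot be determined; otherwise the
  #            non-zero status of the failing aws/jq call
  local pkg=aws-creds
  if [[ ! $1 ]]; then
    echo "$pkg: missing required argument: MFA_TOKEN" 1>&2
    return 99
  fi
  # Fail early with a clear message instead of a "command not found" half-way
  # through, after the STS call has already been made.
  if ! command -v jq >/dev/null 2>&1; then
    echo "$pkg: jq is required but was not found in PATH" 1>&2
    return 127
  fi
  # Remove the export attribute (the values are kept) so the aws CLI below does
  # not pick up a previous session's token from the environment.
  export -n AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  local iam_user
  if [[ $AWS_IAM_USER ]]; then
    iam_user=$AWS_IAM_USER
  else
    if ! iam_user=$(whoami) || [[ ! $iam_user ]]; then
      # Diagnostics go to stderr like every other error in this function.
      echo "$pkg: failed to set IAM user: $iam_user" 1>&2
      return 10
    fi
  fi
  local aws_account
  if [[ $AWS_ACCOUNT ]]; then
    aws_account=$AWS_ACCOUNT
  else
    aws_account=REPLACE_WITH_ACCOUNT_IF_YOU_DO_NOT_WANT_TO_SET_AWS_ACCOUNT
  fi
  # Session length in seconds; overridable so shorter-lived tokens can be
  # requested without editing the function.
  local duration=${AWS_CREDS_DURATION:-86400}
  local rv creds_json
  # "$@" places the MFA code right after --token-code; any further arguments
  # are forwarded to the CLI as additional get-session-token options.
  creds_json=$(aws --output json sts get-session-token \
    --duration-seconds "$duration" \
    --serial-number "arn:aws:iam::$aws_account:mfa/$iam_user" \
    --token-code "$@")
  rv=$?
  if [[ $rv -ne 0 || ! $creds_json ]]; then
    echo "$pkg: failed to get credentials for user '$iam_user' account '$aws_account': $creds_json" 1>&2
    # An empty response with a zero status must still be reported as a failure.
    return $(( rv == 0 ? 1 : rv ))
  fi
  # --exit-status makes jq fail on null/false, --raw-output strips the quotes.
  local jq_opts=(--exit-status --raw-output)
  AWS_ACCESS_KEY_ID=$(jq "${jq_opts[@]}" .Credentials.AccessKeyId <<<"$creds_json")
  rv=$?
  if [[ $rv -ne 0 || ! $AWS_ACCESS_KEY_ID ]]; then
    echo "$pkg: failed to parse output for AWS_ACCESS_KEY_ID: $creds_json" 1>&2
    return $(( rv == 0 ? 1 : rv ))
  fi
  AWS_SECRET_ACCESS_KEY=$(jq "${jq_opts[@]}" .Credentials.SecretAccessKey <<<"$creds_json")
  rv=$?
  if [[ $rv -ne 0 || ! $AWS_SECRET_ACCESS_KEY ]]; then
    echo "$pkg: failed to parse output for AWS_SECRET_ACCESS_KEY: $creds_json" 1>&2
    return $(( rv == 0 ? 1 : rv ))
  fi
  AWS_SESSION_TOKEN=$(jq "${jq_opts[@]}" .Credentials.SessionToken <<<"$creds_json")
  rv=$?
  if [[ $rv -ne 0 || ! $AWS_SESSION_TOKEN ]]; then
    echo "$pkg: failed to parse output for AWS_SESSION_TOKEN: $creds_json" 1>&2
    return $(( rv == 0 ? 1 : rv ))
  fi
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  # Printed on purpose so the line can be pasted into another shell; note that
  # this leaves the secrets in the terminal scrollback of both shells.
  echo "AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID; AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY; AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN; export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN"
}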
tyagiakhilesh commented Sep 11, 2023

The Zsh equivalent of this is:

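# Set these before sourcing the function below; aws-creds reads both.
# Replace the placeholders with your IAM user name and AWS account id
# (`<>` is a redirection operator in zsh/bash, not a valid placeholder).
AWS_IAM_USER=REPLACE_WITH_IAM_USER
AWS_ACCOUNT=REPLACE_WITH_AWS_ACCOUNT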

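function aws-creds () {
    # Zsh variant: exchange the current MFA code for temporary STS credentials
    # and export them into the calling shell.
    #
    # Arguments: $1    - MFA token code
    #            $2... - extra options passed unchanged to `aws sts get-session-token`
    # Globals:   reads AWS_IAM_USER (falls back to whoami) and AWS_ACCOUNT;
    #            sets and exports AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,
    #            AWS_SESSION_TOKEN
    # Outputs:   one shell line with the new credentials on stdout (meant to
    #            be pasted into another shell); diagnostics on stderr
    # Returns:   0 on success; 99 if MFA_TOKEN is missing; 10 if the IAM user
    #            cannot be determined; otherwise the non-zero status of the
    #            failing aws/jq call
    local pkg=aws-creds
    if [[ ! $1 ]]; then
        echo "$pkg: missing required argument: MFA_TOKEN" 1>&2
        return 99
    fi

    # Clear any previous session so the aws CLI below uses the long-lived keys.
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    local iam_user
    if [[ $AWS_IAM_USER ]]; then
        iam_user=$AWS_IAM_USER
    else
        if ! iam_user=$(whoami) || [[ ! $iam_user ]]; then
            # Diagnostics go to stderr like every other error in this function.
            echo "$pkg: failed to set IAM user: $iam_user" 1>&2
            return 10
        fi
    fi
    local aws_account
    if [[ $AWS_ACCOUNT ]]; then
        aws_account=$AWS_ACCOUNT
    else
        aws_account=REPLACE_WITH_ACCOUNT_IF_YOU_DO_NOT_WANT_TO_SET_AWS_ACCOUNT
    fi

    local rv creds_json
    # "$@" places the MFA code right after --token-code; further arguments are
    # forwarded to the CLI as additional get-session-token options.
    creds_json=$(aws --output json sts get-session-token --duration-seconds 86400 --serial-number "arn:aws:iam::$aws_account:mfa/$iam_user" --token-code "$@")
    # Read $? immediately: running anything in between (such as a debug echo
    # of the raw JSON, which would also dump the secrets to stdout) replaces
    # the aws exit status with that command's status.
    rv=$?
    if [[ $rv -ne 0 || ! $creds_json ]]; then
        echo "$pkg: failed to get credentials for user '$iam_user' account '$aws_account': $creds_json" 1>&2
        # An empty response with a zero status must still be reported as a failure.
        return $(( rv == 0 ? 1 : rv ))
    fi

    # zsh does not word-split an unquoted scalar, so a variable holding
    # "jq --exit-status --raw-output" would be looked up as one command name;
    # call jq directly instead.  --raw-output yields the bare value (nothing
    # to strip with sed, and no literal quotes end up in the exported vars),
    # --exit-status turns null/false into a non-zero status.
    AWS_ACCESS_KEY_ID=$(jq --exit-status --raw-output .Credentials.AccessKeyId <<<"$creds_json")
    rv=$?
    if [[ $rv -ne 0 || ! $AWS_ACCESS_KEY_ID ]]; then
        echo "$pkg: failed to parse output for AWS_ACCESS_KEY_ID: $creds_json" 1>&2
        return $(( rv == 0 ? 1 : rv ))
    fi
    AWS_SECRET_ACCESS_KEY=$(jq --exit-status --raw-output .Credentials.SecretAccessKey <<<"$creds_json")
    rv=$?
    if [[ $rv -ne 0 || ! $AWS_SECRET_ACCESS_KEY ]]; then
        echo "$pkg: failed to parse output for AWS_SECRET_ACCESS_KEY: $creds_json" 1>&2
        return $(( rv == 0 ? 1 : rv ))
    fi
    AWS_SESSION_TOKEN=$(jq --exit-status --raw-output .Credentials.SessionToken <<<"$creds_json")
    rv=$?
    if [[ $rv -ne 0 || ! $AWS_SESSION_TOKEN ]]; then
        echo "$pkg: failed to parse output for AWS_SESSION_TOKEN: $creds_json" 1>&2
        return $(( rv == 0 ? 1 : rv ))
    fi

    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

    # Printed on purpose so the line can be pasted into another shell; note
    # that this leaves the secrets in the terminal scrollback of both shells.
    echo "AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID; AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY; AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN; export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN"
}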
