|
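# Credentials as env vars:
#
# Exports the two "name = value" lines that follow the "[oghp]" profile
# header in ~/.aws/credentials as upper-cased variables. Each line becomes
# exactly one `export NAME=value` assignment; the file content is never
# handed to eval, so nothing else in the credentials file can be run as
# shell code. Lines without both a name and a value are skipped.
while read -r name value; do
  [[ -n "${name}" && -n "${value}" ]] || continue
  export "${name}=${value}"
done < <(grep -A 2 '\[oghp\]' ~/.aws/credentials | tail -n +2 | awk '{ print toupper($1), $3 }')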
|
|
|
# Credentials CSV to AWS Creds file.
#
# Settings shared by the csv helper and the append that follows:
# the downloaded IAM credentials CSV, the profile name to write, and the
# credentials file that receives it.
CSVFILE="/Users/ted/Downloads/credentials.csv"
PROFILE="hp"
CREDSFILE=~/.aws/credentials
|
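#######################################
# Print one field from the last line of ${CSVFILE}.
# The body runs in a subshell so the `set +o pipefail` it needs does not
# leak into the caller's shell options (it would otherwise stay switched
# off for the rest of the session). A trailing CR from a CRLF file is
# dropped so the last field does not carry it into the credentials file.
# Globals:   CSVFILE (read)
# Arguments: $1 - 1-based field number, as for cut -f
# Outputs:   the field value on stdout
# Returns:   1 if the field number is missing, else the status of cut
#######################################
csv() (
  set +o pipefail
  field="${1:?csv: field number required}"
  tail -n 1 "${CSVFILE}" | tr -d '\r' | cut -d ',' -f "${field}"
)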
|
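# Append the profile to the credentials file. The file is created with
# owner-only permissions (it holds a long-lived secret), and the access key
# id is checked first so a bad or empty CSV does not leave a half-written
# profile behind.
if [[ -n "$(csv 3)" ]]; then
  mkdir -p "${CREDSFILE%/*}"
  touch "${CREDSFILE}" && chmod 600 "${CREDSFILE}"
  {
    printf '[%s]\n' "${PROFILE}"
    printf 'aws_access_key_id = %s\n' "$(csv 3)"
    printf 'aws_secret_access_key = %s\n' "$(csv 4)"
  } >> "${CREDSFILE}"
else
  printf 'No access key id found in %s; nothing written to %s\n' "${CSVFILE}" "${CREDSFILE}" >&2
fi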
|
|
|
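# Generate an aws access-key secret:
#
# Creates a new access key for ${IAMUSER} and stores it as the Kubernetes
# secret "aws-${IAMUSER}". The secret is only created when the key was
# actually issued and both halves could be read from the response (jq -e
# fails on null); otherwise nothing is written and the error goes to stderr.
IAMUSER=jenkins
if KEY="$(aws iam create-access-key --user-name "${IAMUSER}")" \
  && KEYID="$(jq -er .AccessKey.AccessKeyId <<<"${KEY}")" \
  && KEYSECRET="$(jq -er .AccessKey.SecretAccessKey <<<"${KEY}")"; then
  # NOTE: --from-literal puts the key material on the kubectl command line,
  # where other local processes can briefly read it from the process list.
  kubectl create secret generic "aws-${IAMUSER}" \
    --from-literal "AWS_ACCESS_KEY_ID=${KEYID}" \
    --from-literal "AWS_SECRET_ACCESS_KEY=${KEYSECRET}"
else
  printf 'Could not create an access key for %s; no secret was written.\n' "${IAMUSER}" >&2
fi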
|
|
|
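#######################################
# Reads a MFA token, stores in MFATOKEN
#
# Prompts without echoing the code. zsh and bash spell a silent, prompted
# read differently, so the running shell is detected first.
# Globals:   MFATOKEN (written), ZSH_VERSION (read; may be unset)
# Outputs:   the prompt; the bash branch also prints a newline afterwards
# Returns:   the status of read (non-zero on EOF)
#######################################
mfa-token() {
  # ${ZSH_VERSION:-} keeps this safe under `set -u` in bash.
  if [[ -n "${ZSH_VERSION:-}" ]]; then
    read -rs "MFATOKEN?MFA Token? "
  else
    # -r keeps backslashes literal; -s suppresses echo of the code.
    read -rsp "MFA Token? " MFATOKEN
    echo
  fi
}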
|
|
|
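#######################################
# AWS MFA Function
#
# Exchanges an MFA code for a short-lived STS session token using the
# long-lived profile ${MFAPROFILE} and writes the temporary credentials
# into profile ${TEMPPROFILE}.
# Globals:   MFAPROFILE (read, default "login"), TEMPPROFILE (read,
#            default "default"), MFATOKEN (filled in by mfa-token)
# Outputs:   progress, the session expiry and the resulting caller
#            identity on stdout; failures on stderr
# Returns:   0 on success, 1 when the MFA device cannot be determined or
#            STS rejects the token
#######################################
mfa-aws() {
  local MFAPROFILE="${MFAPROFILE:-login}"
  local TEMPPROFILE="${TEMPPROFILE:-default}"
  echo "Authenticating profile ${TEMPPROFILE}..."

  mfa-token
  local mfatoken="${MFATOKEN}"

  # Name of MFA device is just our username, munged: "user" in the caller
  # ARN becomes "mfa". An empty result means the lookup failed, so stop
  # before sending a blank serial number to STS.
  local MFADEVICE
  MFADEVICE=$(aws sts get-caller-identity --profile "${MFAPROFILE}" | jq -r .Arn | sed 's/user/mfa/')
  if [[ -z "${MFADEVICE}" || "${MFADEVICE}" == "null" ]]; then
    echo "Could not read the caller identity for profile ${MFAPROFILE}" >&2
    return 1
  fi

  # Use the token to get a short-lived session token.
  local shorttoken
  if ! shorttoken=$(aws sts get-session-token --profile "${MFAPROFILE}" \
      --serial-number "${MFADEVICE}" --token "${mfatoken}"); then
    echo "MFA Login Failed. Try again with a new token" >&2
    return 1
  fi

  # Store the temporary credentials under ${TEMPPROFILE}.
  aws configure set "profile.${TEMPPROFILE}.aws_access_key_id" "$(jq -r .Credentials.AccessKeyId <<<"${shorttoken}")"
  aws configure set "profile.${TEMPPROFILE}.aws_secret_access_key" "$(jq -r .Credentials.SecretAccessKey <<<"${shorttoken}")"
  aws configure set "profile.${TEMPPROFILE}.aws_session_token" "$(jq -r .Credentials.SessionToken <<<"${shorttoken}")"
  echo "Session expires at $(jq -r .Credentials.Expiration <<<"${shorttoken}")"

  # Show who we are now. Quoted so the JSON is printed as returned and no
  # globbing or word-splitting is applied to it.
  local id
  id="$(aws sts get-caller-identity --profile "${TEMPPROFILE}")"
  printf '%s\n' "${id}"

  # Set up AWS ECR Docker Login. This hardcodes the region, which is good enough for now.
  # This command is for AWSCLI v2, which is the default for brew on osx. On linux machines you may be lagging; on windows please update.
  # aws ecr get-login-password --profile "${TEMPPROFILE}" --region us-east-1 | docker login --username AWS --password-stdin "$(jq -r .Account <<<"${id}").dkr.ecr.us-east-1.amazonaws.com"
}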
|
|
|
# Use with an AWS Config like: |
|
# [profile dev] |
|
# role_arn = arn:aws:iam::768009573690:role/swch_admin |
|
# source_profile = swch |
|
|
|
# https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html |
|
# The above does not work if an MFA token is required to assume roles, however, and "chained" session tokens are limited to a short maximum duration.
|
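#######################################
# Assume a role that requires MFA and store the temporary credentials
# under the role profile (one with role_arn and source_profile set in
# ~/.aws/config).
# Globals:   MFAPROFILE (read; when empty, the profile's source_profile is
#            used), USER and HOSTNAME (read, for the role session name)
# Arguments: $1 - name of the role profile in ~/.aws/config
# Outputs:   the assumed caller identity on stdout; failures on stderr
# Returns:   0 on success; 1 when the argument, source profile, role_arn
#            or MFA device is missing, or STS rejects the assume-role call
#######################################
mfa-aws-profile() {
  local roleprofile="${1:-}"
  if [[ -z "${roleprofile}" ]]; then
    echo "usage: mfa-aws-profile <role-profile>" >&2
    return 1
  fi

  # Capture the caller's MFAPROFILE while declaring the local of the same
  # name: a bare `local MFAPROFILE` would hide the outer value, so the
  # documented override would never take effect.
  local MFAPROFILE="${MFAPROFILE:-}"
  if [[ -z "${MFAPROFILE}" ]]; then
    if ! MFAPROFILE=$(aws configure get "profile.${roleprofile}.source_profile") \
        || [[ -z "${MFAPROFILE}" ]]; then
      echo "Either ${roleprofile}.source_profile must be set (in ~/.aws/config) or MFAPROFILE must be set" >&2
      return 1
    fi
  fi

  local role_arn
  if ! role_arn="$(aws configure get "profile.${roleprofile}.role_arn")" \
      || [[ -z "${role_arn}" ]]; then
    echo "profile.${roleprofile}.role_arn is not set in ~/.aws/config" >&2
    return 1
  fi

  local mfatoken
  read -rsp "MFA Token? " mfatoken
  # On ZSH, replace the above with:
  # read -rs "?MFA Token? " mfatoken
  echo

  # Name of MFA device is just our username, munged ("user" -> "mfa" in the
  # caller ARN). Using the source profile's identity.
  local mfadevice
  mfadevice=$(aws sts get-caller-identity --profile "${MFAPROFILE}" | jq -r .Arn | sed 's/user/mfa/')
  if [[ -z "${mfadevice}" || "${mfadevice}" == "null" ]]; then
    echo "Could not read the caller identity for profile ${MFAPROFILE}" >&2
    return 1
  fi

  # Use the token to get a session token. Stop if STS rejects the call so
  # that "null" credentials are never written into the profile.
  local shorttoken
  if ! shorttoken=$(aws sts assume-role --profile "${MFAPROFILE}" \
      --role-arn="${role_arn}" --role-session-name="${USER}@${HOSTNAME}" \
      --serial-number "${mfadevice}" --token "${mfatoken}" --duration 21600); then
    echo "Assuming ${role_arn} failed. Try again with a new token" >&2
    return 1
  fi

  aws configure set "profile.${roleprofile}.aws_access_key_id" "$(jq -r .Credentials.AccessKeyId <<<"${shorttoken}")"
  aws configure set "profile.${roleprofile}.aws_secret_access_key" "$(jq -r .Credentials.SecretAccessKey <<<"${shorttoken}")"
  aws configure set "profile.${roleprofile}.aws_session_token" "$(jq -r .Credentials.SessionToken <<<"${shorttoken}")"

  aws sts get-caller-identity --profile "${roleprofile}"
}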