JPRuskin/Update-AWSSessionToken.ps1

## Update-AWSSessionToken.ps1
function Update-AWSSessionToken {
    [CmdletBinding()]
    param(
        # MFA Token IAM, e.g. arn:aws:iam::123456789012:mfa/james
        [string]$SerialNumber = "arn:aws:iam::...",

        # 6-digit output from your MFA token
        [ValidateLength(6,6)]
        [Parameter(Mandatory)]
        [string]$Token,

        # Ignores the cached token regardless of expiration
        [switch]$Refresh
    )
    begin {
        if (-not (Get-Command aws -ErrorAction SilentlyContinue)) {
            choco install awscli
        }
        if (-not (Test-Path ~/.aws/credentials)) {
            # Need to run "aws configure" before continuing.
        }
    }
    process {
        if ($Refresh -or -not $script:AwsToken -or [DateTime]$script:AwsToken.Expiration -lt (Get-Date)) {
            Write-Verbose "Updating Token"
            $script:AwsToken = (aws sts get-session-token --serial-number $SerialNumber --token-code $Token | ConvertFrom-Json).Credentials
        }

        Set-Item Env:\AWS_ACCESS_KEY_ID $($script:AwsToken.AccessKeyId)
        Set-Item Env:\AWS_SECRET_ACCESS_KEY $($script:AwsToken.SecretAccessKey)
        Set-Item Env:\AWS_SESSION_TOKEN $($script:AwsToken.SessionToken)
    }
}

## update_aws_session.sh
#!/bin/bash
# update_aws_session.sh
#   Requires jq and awscli to be installed
#   Assumes AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_MFA_SERIAL are set with non-MFA values.
# Example:
#   . ./update_aws_session.sh 123123
#   Runs the script with the passed MFA token.

if [ -z "$AWS_MFA_SERIAL" ]
then
    AWS_MFA_SERIAL=arn:aws:iam::...
fi

# Check the cached token for expiry
tokenExpiration=0
if [ -a ~/.aws/token ]
then
    tokenExpiration=$(date -d $(cat ~/.aws/token | jq -r '.Expiration') +%s)
fi

# Update the cached token - if passed an MFA token, force refresh!
if [ ! -z "$1" -o "$tokenExpiration" -lt "$(date +%s)" ]
then
    if test ! -z "$1"
    then
        # Using first passed arg as $Token
        Token=$1
    else
        echo -e "Please enter the 2FA token for '$AWS_MFA_SERIAL':"
        read Token
    fi
    # unset AWS_SESSION_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
    aws sts get-session-token --profile default --serial-number $AWS_MFA_SERIAL --token-code $Token | jq -r '.Credentials' > ~/.aws/token
else
    # We can refresh the token without MFA!
    aws sts get-session-token | jq -r '.Credentials' > ~/.aws/token
fi

# Update the session environment variables
export AWS_SECRET_ACCESS_KEY=$(cat ~/.aws/token | jq -r '.SecretAccessKey')
export AWS_ACCESS_KEY_ID=$(cat ~/.aws/token | jq -r '.AccessKeyId')
export AWS_SESSION_TOKEN=$(cat ~/.aws/token | jq -r '.SessionToken')

if [[ $AWS_ACCESS_KEY_ID == '*/*' ]]
then
    # Needs to be regenerated, as many botocore SDKs fail with a forward-slash in the key
    . ./$0  # Call the script again, should work with cached keys this soon after the run
fi
	function Update-AWSSessionToken {
	[CmdletBinding()]
	param(
	# MFA Token IAM, e.g. arn:aws:iam::123456789012:mfa/james
	[string]$SerialNumber = "arn:aws:iam::...",

	# 6-digit output from your MFA token
	[ValidateLength(6,6)]
	[Parameter(Mandatory)]
	[string]$Token,

	# Ignores the cached token regardless of expiration
	[switch]$Refresh
	)
	begin {
	if (-not (Get-Command aws -ErrorAction SilentlyContinue)) {
	choco install awscli
	}
	if (-not (Test-Path ~/.aws/credentials)) {
	# Need to run "aws configure" before continuing.
	}
	}
	process {
	if ($Refresh -or -not $script:AwsToken -or [DateTime]$script:AwsToken.Expiration -lt (Get-Date)) {
	Write-Verbose "Updating Token"
	$script:AwsToken = (aws sts get-session-token --serial-number $SerialNumber --token-code $Token \| ConvertFrom-Json).Credentials
	}

	Set-Item Env:\AWS_ACCESS_KEY_ID $($script:AwsToken.AccessKeyId)
	Set-Item Env:\AWS_SECRET_ACCESS_KEY $($script:AwsToken.SecretAccessKey)
	Set-Item Env:\AWS_SESSION_TOKEN $($script:AwsToken.SessionToken)
	}
	}
	#!/bin/bash
	# update_aws_session.sh
	# Requires jq and awscli to be installed
	# Assumes AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_MFA_SERIAL are set with non-MFA values.
	# Example:
	# . ./update_aws_session.sh 123123
	# Runs the script with the passed MFA token.

	if [ -z "$AWS_MFA_SERIAL" ]
	then
	AWS_MFA_SERIAL=arn:aws:iam::...
	fi

	# Check the cached token for expiry
	tokenExpiration=0
	if [ -a ~/.aws/token ]
	then
	tokenExpiration=$(date -d $(cat ~/.aws/token \| jq -r '.Expiration') +%s)
	fi

	# Update the cached token - if passed an MFA token, force refresh!
	if [ ! -z "$1" -o "$tokenExpiration" -lt "$(date +%s)" ]
	then
	if test ! -z "$1"
	then
	# Using first passed arg as $Token
	Token=$1
	else
	echo -e "Please enter the 2FA token for '$AWS_MFA_SERIAL':"
	read Token
	fi
	# unset AWS_SESSION_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
	aws sts get-session-token --profile default --serial-number $AWS_MFA_SERIAL --token-code $Token \| jq -r '.Credentials' > ~/.aws/token
	else
	# We can refresh the token without MFA!
	aws sts get-session-token \| jq -r '.Credentials' > ~/.aws/token
	fi

	# Update the session environment variables
	export AWS_SECRET_ACCESS_KEY=$(cat ~/.aws/token \| jq -r '.SecretAccessKey')
	export AWS_ACCESS_KEY_ID=$(cat ~/.aws/token \| jq -r '.AccessKeyId')
	export AWS_SESSION_TOKEN=$(cat ~/.aws/token \| jq -r '.SessionToken')

	if [[ $AWS_ACCESS_KEY_ID == '/' ]]
	then
	# Needs to be regenerated, as many botocore SDKs fail with a forward-slash in the key
	. ./$0 # Call the script again, should work with cached keys this soon after the run
	fi