@JoanBelder
Created March 1, 2021 12:14
Do multi-factor authentication for an aws CLI profile.
#!/bin/bash
# aws-mfa: do multi-factor authentication for an aws CLI profile.
#
# Strict mode: stop on the first failing command, on any use of an unset
# variable, and when any stage of a pipeline fails.
set -o errexit -o nounset -o pipefail
# Let command substitutions inherit errexit too (needs bash >= 4.4), so a
# failing `$(aws ...)` call aborts the script instead of yielding empty output.
shopt -s inherit_errexit
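#######################################
# Print the usage text and terminate the script successfully.
# Arguments: none
# Outputs:   help text on stdout
# Returns:   does not return; exits the shell with status 0
#######################################
function print_help() {
  # Quoted delimiter: the text is emitted literally, nothing is expanded.
  cat <<'EOF'
Do multi-factor authentication for an aws CLI profile.

Usage:
  ./aws-mfa [--profile=default] [--code=123456]

Example command:
  . <(./aws-mfa --profile=production)

Available command line switches

  -p=NAME, --profile=NAME  Select which AWS profile to use.
                           This will use the AWS profile from your
                           ~/.aws/credentials file. If this option is
                           omitted the 'default' profile will be used.
                           For example to use the named profile
                           'production' add the switch
                           '--profile=production'

  -c=CODE, --code=CODE     Use this MFA code to login.
                           The MFA code will be used when logging in. When
                           this option is omitted the script will ask for
                           the MFA code interactively.

  -h, --help               Print this help.

Note:
  The 'export' lines printed on stdout contain temporary credentials.
  Source them as shown in the example instead of saving them to a file.
EOF
  exit 0
}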
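# Defaults; both can be overridden from the command line.
profile="default"
code=""

# Only the "switch=value" spelling is recognised (e.g. --profile=production);
# anything else is rejected instead of being silently ignored.
for arg in "$@"; do
  case "$arg" in
    -p=* | --profile=*)
      profile="${arg#*=}"
      ;;
    -c=* | --code=*)
      code="${arg#*=}"
      ;;
    -h | --help)
      print_help
      ;;
    *)
      printf 'Unknown option: %s. Run with the --help switch for usage.\n' "$arg" >&2
      exit 1
      ;;
  esac
done

# The profile name is interpolated into status messages, and callers source
# this script's stdout. Refuse an empty name and any name carrying a newline
# or other control character, so such a value can never reach that output.
if [[ -z "$profile" || "$profile" == *[[:cntrl:]]* ]]; then
  echo "Invalid profile name. Run with the --help switch for usage." >&2
  exit 1
fi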
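# Main flow: look up the caller and its MFA device, obtain a session token,
# then print `export` lines for the caller's shell to source.
#
# stdout carries ONLY the export lines; every human-readable message goes to
# stderr so that `. <(./aws-mfa ...)` evaluates nothing but the exports.
echo "# Trying to login using $profile aws credentials" >&2

# `--output=text` yields tab-separated columns; the positions used below are
# the same ones the script has always relied on (account = 1, arn = 2).
identity=$(aws sts get-caller-identity "--profile=$profile" --output=text)
IFS=$'\t' read -r account arn _ <<<"$identity"

devices=$(aws iam list-mfa-devices "--profile=$profile" --output=text)
# `read` consumes only the first line, so a user with several MFA devices gets
# the first one listed rather than a multi-line serial number
# (serial number = column 3, user name = column 4).
IFS=$'\t' read -r _ _ mfa username _ <<<"$devices"

if [[ -z "$mfa" ]]; then
  {
    echo ""
    echo "No MFA device attached for $arn."
    echo "Are you using the right environment, or is MFA even enabled?"
    echo "To use a specific AWS profile use the '--profile=something' switch."
    echo "For more information run this command using the --help option"
  } >&2
  exit 1
fi

echo "# Using username $username for AWS account $account" >&2

if [[ -z "$code" ]]; then
  printf '# Enter your mfa code: ' >&2
  # EOF on stdin leaves the code empty; the format check below reports it.
  read -r code || true
fi

# AWS STS token codes are exactly six digits; reject anything else before it
# is handed to the CLI.
if [[ ! "$code" =~ ^[0-9]{6}$ ]]; then
  echo "The MFA code must consist of exactly 6 digits." >&2
  exit 1
fi

token=$(aws sts get-session-token "--serial-number=$mfa" "--token-code=$code" "--profile=$profile" --output=text)
# Columns: 2 = access key id, 4 = secret access key, 5 = session token.
IFS=$'\t' read -r _ access_key_id _ secret_access_key session_token _ <<<"$token"

# Never emit half-filled exports: they would silently overwrite credentials
# already present in the caller's environment.
if [[ -z "$access_key_id" || -z "$secret_access_key" || -z "$session_token" ]]; then
  echo "Could not read the credentials returned by 'aws sts get-session-token'." >&2
  exit 1
fi

echo "# Authentication was successful." >&2
echo "# Run these commands in the console to actually login. To skip this step you can run next time: '. <(~/aws-mfa --profile=$profile)'" >&2

# %q shell-quotes each value, so the sourcing shell treats it purely as data
# even if it were ever to contain quotes, `$` or backticks.
printf 'export AWS_ACCESS_KEY_ID=%q\n' "$access_key_id"
printf 'export AWS_SECRET_ACCESS_KEY=%q\n' "$secret_access_key"
printf 'export AWS_SESSION_TOKEN=%q\n' "$session_token"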