JoanBelder/aws-mfa

## aws-mfa
#!/bin/bash
# Do multi-factor authentication for an aws CLI profile.
set -euo pipefail
shopt -s inherit_errexit


function print_help() {
  echo "Do multi-factor authentication for an aws CLI profile."
  echo ""
  echo "Usage:"
  echo "  ./aws-mfa [--profile=default] [--code=12356]"
  echo ""
  echo "Example commnd:"
  echo "  . <(./aws-mfa --profile=production)"
  echo ""
  echo "Available command line switches"
  echo ""
  echo "  -p, --profile     Select which AWS profile to use."
  echo "                    This will use the AWS profile from your ~/.aws/credentials"
  echo "                    file. If this option is omitted the 'default' profile"
  echo "                    will be used."
  echo "                    For example to use the name profile 'production'  add the"
  echo "                    switch '--profile=production'"
  echo ""
  echo "  -c, --code        Use this MFA code to login."
  echo "                    The MFA code will be used when loggin in. When this option"
  echo "                    is script will ask for the MFA code interactively."
  echo ""
  echo "  -h, --help        Print this help."
  exit 0;
}

profile="default"
code=""
for i in "$@"; do
case $i in
    -p=*|--profile=*)
      profile="${i#*=}"
    ;;
    -c=*|--code=*)
      code="${i#*=}"
    ;;
    -h|--help)
      print_help
    ;;
    *)
      echo "Unknown option: ${i#}. On how to use use the --help switch" 1>&2;
      exit 1;
    ;;
esac
done

echo "# Trying to login using $profile aws credentials" 1>&2;

identity=$(aws sts get-caller-identity "--profile=$profile" --output=text)
account=$(echo "$identity" | cut -f1)

devices=$(aws iam list-mfa-devices "--profile=$profile" --output=text)
username=$(echo "$devices" | cut -f4)
mfa=$(echo "$devices" | cut -f3)

if [[ -z "$mfa" ]]; then
   arn=$(echo "$identity" | cut -f2)
   echo ""
   echo "No MFA device attached for $arn." 1>&2
   echo "Are you using the right environment, or is MFA even enabled?" 1>&2
   echo "To use a specific AWS profile use the '--profile=something' switch." 1>&2
   echo "For more information run this command using the --help option" 1>&2
   exit 1;
fi

echo "# Using username $username for AWS account $account" 1>&2;

if [[ -z "$code" ]]; then
  echo -n "# Enter your mfa code: " 1>&2;
  read -r
  code="$REPLY"
fi

token=$(aws sts get-session-token "--serial-number=$mfa" "--token-code=$code" "--profile=$profile" --output=text)

access_key_id=$(echo "$token" | cut -f2)
secret_access_key=$(echo "$token" | cut -f4)
session_token=$(echo "$token" | cut -f5)

echo "# Authentication was succesful." 1>&2;
echo "# Run these commands in the console to actually login. To skip this step you can run next time: '. \<(~/aws-mfa --profile=$profile)'";
echo "export AWS_ACCESS_KEY_ID=\"$access_key_id\""
echo "export AWS_SECRET_ACCESS_KEY=\"$secret_access_key\""
echo "export AWS_SESSION_TOKEN=\"$session_token\""
	#!/bin/bash
	# Do multi-factor authentication for an aws CLI profile.
	set -euo pipefail
	shopt -s inherit_errexit


	function print_help() {
	echo "Do multi-factor authentication for an aws CLI profile."
	echo ""
	echo "Usage:"
	echo " ./aws-mfa [--profile=default] [--code=12356]"
	echo ""
	echo "Example commnd:"
	echo " . <(./aws-mfa --profile=production)"
	echo ""
	echo "Available command line switches"
	echo ""
	echo " -p, --profile Select which AWS profile to use."
	echo " This will use the AWS profile from your ~/.aws/credentials"
	echo " file. If this option is omitted the 'default' profile"
	echo " will be used."
	echo " For example to use the name profile 'production' add the"
	echo " switch '--profile=production'"
	echo ""
	echo " -c, --code Use this MFA code to login."
	echo " The MFA code will be used when loggin in. When this option"
	echo " is script will ask for the MFA code interactively."
	echo ""
	echo " -h, --help Print this help."
	exit 0;
	}

	profile="default"
	code=""
	for i in "$@"; do
	case $i in
	-p=\|--profile=)
	profile="${i#*=}"
	;;
	-c=\|--code=)
	code="${i#*=}"
	;;
	-h\|--help)
	print_help
	;;
	*)
	echo "Unknown option: ${i#}. On how to use use the --help switch" 1>&2;
	exit 1;
	;;
	esac
	done

	echo "# Trying to login using $profile aws credentials" 1>&2;

	identity=$(aws sts get-caller-identity "--profile=$profile" --output=text)
	account=$(echo "$identity" \| cut -f1)

	devices=$(aws iam list-mfa-devices "--profile=$profile" --output=text)
	username=$(echo "$devices" \| cut -f4)
	mfa=$(echo "$devices" \| cut -f3)

	if [[ -z "$mfa" ]]; then
	arn=$(echo "$identity" \| cut -f2)
	echo ""
	echo "No MFA device attached for $arn." 1>&2
	echo "Are you using the right environment, or is MFA even enabled?" 1>&2
	echo "To use a specific AWS profile use the '--profile=something' switch." 1>&2
	echo "For more information run this command using the --help option" 1>&2
	exit 1;
	fi

	echo "# Using username $username for AWS account $account" 1>&2;

	if [[ -z "$code" ]]; then
	echo -n "# Enter your mfa code: " 1>&2;
	read -r
	code="$REPLY"
	fi

	token=$(aws sts get-session-token "--serial-number=$mfa" "--token-code=$code" "--profile=$profile" --output=text)

	access_key_id=$(echo "$token" \| cut -f2)
	secret_access_key=$(echo "$token" \| cut -f4)
	session_token=$(echo "$token" \| cut -f5)

	echo "# Authentication was succesful." 1>&2;
	echo "# Run these commands in the console to actually login. To skip this step you can run next time: '. \<(~/aws-mfa --profile=$profile)'";
	echo "export AWS_ACCESS_KEY_ID=\"$access_key_id\""
	echo "export AWS_SECRET_ACCESS_KEY=\"$secret_access_key\""
	echo "export AWS_SESSION_TOKEN=\"$session_token\""