Skip to content

Instantly share code, notes, and snippets.

@RichardBronosky RichardBronosky/README.md
Last active Nov 10, 2019

Embed
What would you like to do?
AWS Assume-Role requiring only aws-cli and jq

Assume-Role

AWS Assume-Role requiring only aws-cli and jq

Installation

Basic

git clone https://gist.github.com/80306011bb5da80c765ffd6aa2ecf89b.git arole
ln -s $PWD/arole/arole /usr/local/bin

Suggested: sourcing the script in ~/.bash_profile

After completing the 2 commands above...

cat >> ~/.bash_profile <<EOF 

[[ -f /usr/local/bin/arole ]] && source /usr/local/bin/arole
EOF

Usage

Sourcing the script in ~/.bash_profile and calling the function directly

Functions ran in your interactive shell can modify the environment of your shell. Because of this, I suggest using it in this way.

arole dev

Traditional Script Execution

Because child processes cannot modify the environment of thier parent, you must eval the output of the execcutable.

eval $(arole dev)

Testing

The script has its own mock function within it. It can be used for testing by setting the MOCK_AWS environment variable.

$ MOCK_AWS=1 ./assrole dev
export AWS_ASSUMED_ROLE_ACCOUNT_ID="485548554855"
export AWS_ASSUMED_ROLE_ACCOUNT="dev"
export AWS_ASSUMED_ROLE_ID="AROAIWL33TL33TL33TL33:brunobronosky"
export AWS_ASSUMED_ROLE_ARN="arn:aws:sts::485548554855:assumed-role/allow-full-access-from-other-accounts/brunobronosky"
export AWS_SECRET_ACCESS_KEY="L33TL33TL33TL33TL33TL33TL33TL33TL33TL33T"
export AWS_SESSION_TOKEN="L33TL33TL33TEI///////////L33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33Tm9/TL33TL33TL33TL33T/TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33Tz9/TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TS/TL33TL33TL33TL33TL33TL33TL33TL33TL33T/TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33Tos/TL33TL33TL33TL33TL33TL33TL33T/A=="
export AWS_EXPIRATION="2019-11-01T00:00:00Z"
export AWS_ACCESS_KEY_ID="ASIAL33TL33TL33TL33T"
#!/bin/bash -eu
function arole(){
local arole_tmp=/tmp/aws-role-${1:-}.sh
(
if [[ -n ${MOCK_AWS:-} ]]; then
function aws(){
<<<"H4sIAJcFxV0AA5WS0UvDMBDG3/0z8rzQ1jlwgT0E2UNRENaK4FvW3rAszcldypyj/7vpRnFuTmvI7+Uj33fHXXZCMzc1lAu08MRAQu2OpbQUSujFo06fH8bj/Ai1pMbhktAhr7diJDS58NaQU2bDij0rdXM7mfQoc0iVFGIjYy1u5KqxVpqiAGa5Iqwl+legTsHGeY6+l2hH4o6gBOcrY7lrNIOCwOt9wD1sQ/mTJi8S+s2CqUKX4xrciXOeRl9naGRPPY3OtHPlEh8/uP8iG2b5f/BQkH/PjvRsFiY+f3+ryPgw9DDv6ziZyiSRcZLHsdrfl+4X9cs8/Lws1Wera9urTy2VCbm3AgAA" base64 -d | gzip -d | jq .
}
fi
unset ASSUMED_ROLE ASSUMED_ACCOUNT AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SECURITY_TOKEN AWS_SESSION_TOKEN
echo '{"a":{"Account": "'${1:-}'"}}'
local mfa_serial="$( aws configure get --profile=${1:-} mfa_serial)"
if [[ -n $mfa_serial ]]; then
mfa_serial="
--serial-number $mfa_serial
--token-code $(mfa 2>/dev/null)"
fi
local role_arn="$( aws configure get --profile=${1:-} role_arn)"
if [[ -n $role_arn ]]; then
role_arn="
--role-arn $role_arn"
fi
aws sts assume-role $mfa_serial $role_arn \
--role-session-name "$( ( id -un; date +-%Y-%m-%d+%H.%M.%S ) | tr -d '\n' )"
) | jq -s -r '
def export:
"export " + .;
def prefix:
"AWS" + . | sub("(?<a>ARN|ACCOUNT)"; "ASSUMED_ROLE_"+.a);
def snake_case:
.key | gsub("(?<a>[A-Z])"; "_"+.a) | ascii_upcase | prefix;
def equals_value:
"=\"" + .value + "\"";
def account:
{"Account": "dev"};
def account_id:
{"AccountId": (.Arn | sub("([^:]*:){4}(?<a>[0-9]*):.*";.a))};
[(add|add) | account_id,.] | add | to_entries[] | snake_case + equals_value | export
' > $arole_tmp
if [[ ${AROLE_EVAL:-1} = 1 && -z ${MOCK_AWS:-} ]]; then
eval $(cat $arole_tmp)
else
cat $arole_tmp
fi
}
[[ $0 == $BASH_SOURCE ]] && AROLE_EVAL=0 arole "$@"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.