Script to automatically generate valid MFA-authenticated credentials on AWS
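#!/bin/bash
# Exit on error; also fail on unset variables (an omitted -p/-t otherwise
# silently expands to nothing) and make a pipeline report the failing stage.
set -euo pipefail
## COLORS ##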
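cecho(){
  # Print message $2 in the colour named by $1 (RED, GREEN or YELLOW) and
  # reset the terminal colour afterwards.
  local RED="\033[0;31m"
  local GREEN="\033[0;32m"
  local YELLOW="\033[1;33m"
  # ... ADD MORE COLORS
  local NC="\033[0m" # No Color
  # ZSH
  # printf '%b%s %b\n' "${(P)1}" "$2" "$NC"
  # Bash
  # The message is passed as a printf argument, never as the format string, so
  # a '%' inside it (e.g. in a profile name) cannot be parsed as a directive;
  # %b still interprets the \033 escapes held in the colour variables.
  printf '%b%s %b\n' "${!1}" "$2" "$NC"
}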
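usage="$(basename "$0") [-p AWS profile ] [-t MFA token] -- Get valid MFA signed credentials using STS
arguments:
-p Is the AWS profile that's going to be used to generate valid credentials
-t Is the MFA token you get from your virtual device
This script requires the next tools to be installed
- jq: A tool to manage JSON https://stedolan.github.io/jq/download/
- aws cli: The AWS cli used to generate valid credentials https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
System requirements:
- GNU sed
- grep
User is required to have a profile already configured to make use of this script. You will also need an MFA ARN (More info on https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_checking-status.html)
Warning: This script has been tested on Linux, it will not work on Windows, and has not been tested on Mac"
# ARN of the user's MFA device. The placeholder below must be replaced, or the
# value exported in the environment so the script need not be edited per user.
SERIAL_NUMBER="${SERIAL_NUMBER:-YOU-MFA-ARN}"
# Write to the same credentials file the AWS CLI itself reads: honour
# AWS_SHARED_CREDENTIALS_FILE when set, otherwise the CLI's default location.
CREDS_FILE="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"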
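## Check if no argument supplied
if [ $# -eq 0 ]; then
  echo "No arguments provided"
  echo "$usage"
  exit 1
fi
## GET ARGS
# Initialise both so a later reference is never an unbound variable.
PROFILE=""
TOKEN=""
# Leading ':' selects silent mode: getopts then reports a missing option
# argument through the ':' case below instead of printing its own message
# and routing everything to the '?' case with OPTARG unset.
while getopts :p:t: opts; do
  case "${opts}" in
    p) PROFILE=${OPTARG} ;;
    t) TOKEN=${OPTARG} ;;
    :) printf "missing argument for -%s\n" "$OPTARG" >&2
       echo "$usage"
       exit 1
       ;;
    \?) printf "illegal option: -%s\n" "$OPTARG" >&2
       echo "$usage"
       exit 1
       ;;
  esac
done
shift $((OPTIND - 1))
# -p is mandatory: without it the STS call would not use the intended profile.
if [ -z "$PROFILE" ]; then
  printf 'missing required option -p\n' >&2
  echo "$usage"
  exit 1
fi
# When -t was omitted and we are on a terminal, ask for the code interactively;
# this also keeps the one-time code out of the shell history and `ps` output.
if [ -z "$TOKEN" ] && [ -t 0 ]; then
  read -r -p "MFA token: " TOKEN
fi
if [ -z "$TOKEN" ]; then
  printf 'missing required option -t\n' >&2
  echo "$usage"
  exit 1
fi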
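## Check if jq and aws cli are installed
# `a || b && c` evaluates left to right, so the original form ran `exit 1`
# precisely when the tool WAS found; group the error path in braces instead.
# `command -v` is the portable replacement for `which`.
command -v aws >/dev/null 2>&1 || { cecho "RED" "AWS cli is not installed"; exit 1; }
command -v jq >/dev/null 2>&1 || { cecho "RED" "JQ is not installed"; exit 1; }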
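# Keep the STS response in memory rather than in a predictable file in the
# current directory (which could be a checked-in project tree); the secrets
# then only ever reach disk inside the credentials file. `--output json` makes
# the jq parsing independent of the output format configured on the profile.
creds_json=$(aws --profile "$PROFILE" sts get-session-token \
  --serial-number "$SERIAL_NUMBER" --token-code "$TOKEN" --output json)
cecho "GREEN" "[*] Formatting credentials"
# `jq -e` exits non-zero when the field is null/missing, so a malformed
# response aborts here instead of writing the string "null" into the profile.
# The value is piped (not a here-string) to avoid bash's here-doc temp files.
AWS_KEY=$(printf '%s' "$creds_json" | jq -er '.Credentials.AccessKeyId') || exit 1
cecho "GREEN" "[*] Key generated successfully!"
AWS_SECRET=$(printf '%s' "$creds_json" | jq -er '.Credentials.SecretAccessKey') || exit 1
cecho "GREEN" "[*] Secret generated successfully!"
AWS_SESSION_TOKEN=$(printf '%s' "$creds_json" | jq -er '.Credentials.SessionToken') || exit 1
cecho "GREEN" "[*] Session token generated successfully!"
EXPIRATION=$(printf '%s' "$creds_json" | jq -er '.Credentials.Expiration') || exit 1
# The raw response is no longer needed; drop it from the environment.
unset creds_json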
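cecho "GREEN" "[*] Generating profile"
STS_PROFILE="${PROFILE}_sts"
# -F matches the section header literally, so a profile name containing regex
# metacharacters cannot change what is matched; a missing file is "not found".
if grep -qF -- "[${STS_PROFILE}]" "$CREDS_FILE" 2>/dev/null; then
  cecho "YELLOW" "[*] Profile found"
  cecho "GREEN" "[*] Re-generating profile on ${CREDS_FILE}"
  action="Replaced"
else
  cecho "YELLOW" "[*] Profile not found"
  cecho "GREEN" "[*] Adding to ${CREDS_FILE}"
  action="Added"
fi
# Let the CLI write its own INI format: `aws configure set` creates the section
# or updates the existing keys in place whatever their order or spacing, and
# the secrets are never interpolated into a sed/regex expression (a '&' or
# delimiter character in a value could previously corrupt the file).
# AWS_SHARED_CREDENTIALS_FILE pins the target to CREDS_FILE.
AWS_SHARED_CREDENTIALS_FILE="$CREDS_FILE" aws configure set aws_access_key_id "$AWS_KEY" --profile "$STS_PROFILE"
AWS_SHARED_CREDENTIALS_FILE="$CREDS_FILE" aws configure set aws_secret_access_key "$AWS_SECRET" --profile "$STS_PROFILE"
AWS_SHARED_CREDENTIALS_FILE="$CREDS_FILE" aws configure set aws_session_token "$AWS_SESSION_TOKEN" --profile "$STS_PROFILE"
cecho "GREEN" "[*] ${action} as \"${STS_PROFILE}\" on ${CREDS_FILE}"
cecho "GREEN" "[*] You now can use AWS cli with profile [${STS_PROFILE}], credentials will expire on:"
cecho "YELLOW" "[*] -----> ${EXPIRATION}"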