@adsanz
Last active June 8, 2022 11:11
Script to automatically generate valid MFA authenticated credentials on AWS
#!/bin/bash
# Exit on error
set -e

## COLORS ##
cecho(){
    RED="\033[0;31m"
    GREEN="\033[0;32m"
    YELLOW="\033[1;33m"
    # ... ADD MORE COLORS
    NC="\033[0m" # No Color
    # ZSH
    # printf "${(P)1}${2} ${NC}\n"
    # Bash (indirect expansion: $1 is the name of the colour variable)
    printf "${!1}${2} ${NC}\n"
}

usage="$(basename "$0") [-p AWS profile ] [-t MFA token] -- Get valid MFA signed credentials using STS
arguments:
    -p Is the AWS profile that's going to be used to generate valid credentials
    -t Is the MFA token you get from your virtual device
This script requires the following tools to be installed
    - jq: A tool to manage JSON https://stedolan.github.io/jq/download/
    - aws cli: The AWS cli used to generate valid credentials https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
System requirements:
    - GNU sed
    - grep
User is required to have a profile already configured to make use of this script. You will also need an MFA ARN (More info on https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_checking-status.html)
Warning: This script has been tested on Linux, it will not work on Windows, and has not been tested on Mac"

# Replace with the ARN of your virtual MFA device (arn:aws:iam::<account-id>:mfa/<user-name>)
SERIAL_NUMBER="YOUR-MFA-ARN"
CREDS_FILE=~/.aws/credentials

## Check if no argument supplied
if [ $# -eq 0 ]; then
    echo "No arguments provided"
    echo "$usage"
    exit 1
fi

## GET ARGS
while getopts p:t: opts; do
    case ${opts} in
        p) PROFILE=${OPTARG} ;;
        t) TOKEN=${OPTARG} ;;
        :) printf "missing argument for -%s\n" "$OPTARG" >&2
           echo "$usage"
           exit 1
           ;;
        \?) printf "illegal option: -%s\n" "$OPTARG" >&2
            echo "$usage"
            exit 1
            ;;
    esac
done

## Both options are mandatory; without them the STS call below fails with a confusing error
if [ -z "${PROFILE}" ] || [ -z "${TOKEN}" ]; then
    cecho "RED" "Both -p and -t are required"
    echo "$usage"
    exit 1
fi

## Check if jq and aws cli are installed
# The failure branch is grouped in braces: `a || b && exit 1` parses as `(a || b) && exit 1`,
# which exits even when the tool is present.
command -v aws > /dev/null || { cecho "RED" "AWS cli is not installed"; exit 1; }
command -v jq > /dev/null || { cecho "RED" "JQ is not installed"; exit 1; }

## Write the STS response to a private temporary file that is removed on any exit
umask 077
CREDS_TMP=$(mktemp)
trap 'rm -f "${CREDS_TMP}"' EXIT

aws --profile "${PROFILE}" sts get-session-token --serial-number "${SERIAL_NUMBER}" --token-code "${TOKEN}" > "${CREDS_TMP}"

cecho "GREEN" "[*] Formatting credentials"
AWS_KEY=$(jq -r '.Credentials.AccessKeyId' < "${CREDS_TMP}")
cecho "GREEN" "[*] Key generated successfully!"
AWS_SECRET=$(jq -r '.Credentials.SecretAccessKey' < "${CREDS_TMP}")
cecho "GREEN" "[*] Secret generated successfully!"
AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' < "${CREDS_TMP}")
cecho "GREEN" "[*] Session token generated successfully!"
EXPIRATION=$(jq -r '.Credentials.Expiration' < "${CREDS_TMP}")

cecho "GREEN" "[*] Generating profile"
if grep -qP '^\['"${PROFILE}"'_sts\]$' "${CREDS_FILE}"
then
    cecho "YELLOW" "[*] Profile found"
    cecho "GREEN" "[*] Re-generating profile on ${CREDS_FILE}"
    # Slurp the whole file and rewrite the three keys in place. They must appear in the order
    # written below (key, secret, token), which is the order this script itself writes them.
    sed -r -i -e ':a;N;$!ba;s~(\['"${PROFILE}"'_sts\]\n)(aws_access_key_id\s*=\s*)([A-Z0-9]{1,})\n(aws_secret_access_key\s*=\s*)([A-Za-z0-9\/\+\=]{1,})\n(aws_session_token\s*=\s*)([A-Za-z0-9\/\+\=]{1,})~\1\2'"${AWS_KEY}"'\n\4'"${AWS_SECRET}"'\n\6'"${AWS_SESSION_TOKEN}"'~g' "${CREDS_FILE}"
    cecho "GREEN" "[*] Replaced as \"${PROFILE}_sts\" on ${CREDS_FILE}"
else
    cecho "YELLOW" "[*] Profile not found"
    cecho "GREEN" "[*] Adding to ${CREDS_FILE}"
    # printf instead of `echo -n """..."""`: the triple quotes only worked by accident
    printf '\n[%s_sts]\naws_access_key_id=%s\naws_secret_access_key=%s\naws_session_token=%s\n' \
        "${PROFILE}" "${AWS_KEY}" "${AWS_SECRET}" "${AWS_SESSION_TOKEN}" >> "${CREDS_FILE}"
    cecho "GREEN" "[*] Added as \"${PROFILE}_sts\" on ${CREDS_FILE}"
fi

cecho "GREEN" "[*] You now can use AWS cli with profile [${PROFILE}_sts], credentials will expire on:" && cecho "YELLOW" "[*] -----> ${EXPIRATION}"
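The fragile part of the script is the credentials-file update: the multi-line sed only matches when the three keys sit in exactly the order the script wrote them, and the script has no way to tell whether the session it wrote last time is still usable, so every run costs an STS call and an MFA prompt. The functions below are an added example, not part of adsanz's gist: `upsert_sts_profile` replaces the grep/sed/echo block with an awk rewrite that handles any key order and any position of the section, builds the new file with mode 600 and moves it into place atomically; `sts_profile_exists` and `sts_profile_valid` are the checks the gist lacks. The `# expires = ` comment line is this example's own convention (the AWS CLI ignores comment lines in the INI file); the function names are assumptions, and awk and mktemp are assumed to be available.

```shell
#!/bin/bash
# Added example, not part of the gist: order-independent upsert of the
# [<profile>_sts] section plus two helper checks. Assumes awk and mktemp.

# sts_profile_exists FILE PROFILE -> exit 0 if FILE has a [PROFILE_sts] header
sts_profile_exists() {
    grep -q "^[[:space:]]*\[${2}_sts\][[:space:]]*$" "$1" 2>/dev/null
}

# upsert_sts_profile FILE PROFILE KEY SECRET TOKEN EXPIRATION
# Rewrites FILE so that [PROFILE_sts] holds the new values: an existing
# section is replaced whatever its key order, a missing one is appended,
# every other section is copied through unchanged. The new file is built
# with mode 600 in the same directory and moved into place atomically.
upsert_sts_profile() {
    local file=$1 section="${2}_sts" key=$3 secret=$4 token=$5 expires=$6 tmp
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp "${file}.XXXXXX")
    chmod 600 "$tmp"
    # STS values are base64-like (no backslashes), so passing them with -v is safe
    awk -v section="$section" -v key="$key" -v secret="$secret" \
        -v token="$token" -v expires="$expires" '
        function emit() {
            print "[" section "]"
            print "aws_access_key_id = " key
            print "aws_secret_access_key = " secret
            print "aws_session_token = " token
            print "# expires = " expires
            written = 1
        }
        /^[[:space:]]*\[[^]]*\][[:space:]]*$/ {      # any section header
            name = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", name)
            if (name == section) { skip = 1; emit(); next }
            skip = 0
        }
        skip && NF == 0 { print; next }   # keep blank separators
        skip { next }                     # drop the old section body
        { print }
        END { if (!written) { if (NR > 0) print ""; emit() } }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sts_profile_valid FILE PROFILE [NOW]
# Exit 0 if the stored expiry of [PROFILE_sts] is still in the future, so a
# caller can skip the STS call (and the MFA prompt) while credentials last.
# NOW is a UTC "YYYY-MM-DDTHH:MM:SS" string, defaulting to the current time;
# the first 19 characters of the stored ISO timestamp are compared to it.
sts_profile_valid() {
    local file=$1 section="${2}_sts" now=${3:-$(date -u +%Y-%m-%dT%H:%M:%S)} expires
    expires=$(awk -v section="$section" '
        /^[[:space:]]*\[/ { in_sec = ($0 == ("[" section "]")) }
        in_sec && /^# expires = / { print substr($0, 13, 19); exit }
    ' "$file" 2>/dev/null)
    [ -n "$expires" ] && awk -v a="$expires" -v b="$now" 'BEGIN { exit !(a > b) }'
}
```

Wired into the script above, `sts_profile_valid "$CREDS_FILE" "$PROFILE" && exit 0` would go before the `aws sts get-session-token` call, and the whole `if grep ... fi` block would become a single `upsert_sts_profile "$CREDS_FILE" "$PROFILE" "$AWS_KEY" "$AWS_SECRET" "$AWS_SESSION_TOKEN" "$EXPIRATION"`. The expiry check is deliberately conservative about format: it only compares the date-time prefix as a string, which is correct because STS returns the timestamp in UTC.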