@afunsten
Created August 9, 2018 01:36
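#!/bin/bash
# https://gist.github.com/afunsten
# https://gist.github.com/davidejones/d05f51df75e659111227
#
# Fetch one object from S3 with plain curl, using the temporary credentials
# of the ECS task role. The request is signed with the legacy AWS Signature
# Version 2 scheme (HMAC-SHA1 over the string-to-sign built below); an
# endpoint that only accepts Signature Version 4 will reject it.
#
# Options: [-b bucket] [-f key] [-o output-path] [-r region-suffix]
#   -r is appended verbatim after "s3" in the host name, so it has to carry
#      its own separator (e.g. "-us-west-2" gives s3-us-west-2.amazonaws.com).
set -euo pipefail

# Print a message on stderr and stop with a failing exit status.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#requirements
# Abort up front: a missing tool would otherwise yield an empty signature or
# empty credentials and a request that fails for a misleading reason.
for tool in jq openssl curl base64 md5sum; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

while getopts :b:f:o:r: option; do
  case "${option}" in
    b) bucket="${OPTARG}" ;;
    f) file="${OPTARG}" ;;
    o) outputfullpath="${OPTARG}" ;;
    r) region="${OPTARG}" ;;
    # Silent-mode getopts reports these two cases through $option; without
    # handling them the script would quietly fetch the default object.
    :) die "option -${OPTARG} requires an argument" ;;
    \?) die "unknown option -${OPTARG}" ;;
  esac
done

#defaults
: "${bucket:=some-bucket-default}"
: "${file:=some-file-key-path-default}"
: "${outputfullpath:=./get_s3_file_output}"
: "${region:=}"

#ECS role way...
# The path of the credentials document is provided in the container
# environment; without it there is nothing to query.
: "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:?not set - no ECS task role credentials available}"
ecscreds=$(curl -sS --fail --max-time 5 \
  "http://169.254.170.2${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}") \
  || die "could not read credentials from the ECS credentials endpoint"

# RoleArn is only used in the status line below, so a missing value is tolerated.
RoleArn=$(jq -r '.RoleArn' <<< "$ecscreds") \
  || die "credentials response is not valid JSON"
# -e makes jq fail on a missing/null field instead of handing back the
# literal string "null", which would otherwise be signed and sent.
aws_access_key_id=$(jq -er '.AccessKeyId' <<< "$ecscreds") \
  || die "credentials response has no AccessKeyId"
aws_secret_access_key=$(jq -er '.SecretAccessKey' <<< "$ecscreds") \
  || die "credentials response has no SecretAccessKey"
token=$(jq -er '.Token' <<< "$ecscreds") \
  || die "credentials response has no Token"

#EC2 role way...
# NOTE: these are plain GETs without a session token (IMDSv1 style); an
# instance that requires IMDSv2 will refuse them.
#instance_profile=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/`
#aws_access_key_id=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | grep AccessKeyId | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g'`
#aws_secret_access_key=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | grep SecretAccessKey | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g'`
#token=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | sed -n '/Token/{p;}' | cut -f4 -d'"'`

# Day and month names must be the English ones; force the C locale so a
# localized environment does not produce a Date header the server rejects.
date=$(LC_ALL=C date +'%a, %d %b %Y %H:%M:%S %z')
resource="${bucket}/${file}"
url="https://s3${region}.amazonaws.com/${resource}"

# Build the string-to-sign with a fixed printf format. Only the format's own
# \n sequences are interpreted; backslashes inside the key or token are
# signed exactly as they will be sent.
printf -v signature_string 'GET\n\n\n%s\nx-amz-security-token:%s\n/%s' \
  "$date" "$token" "$resource"

# NOTE(security): openssl takes the HMAC key as a command-line argument, so
# the secret key is visible in the process list of this host while the
# command runs. Only use this on hosts without untrusted local users.
signature=$(printf '%s' "$signature_string" \
  | openssl sha1 -hmac "${aws_secret_access_key}" -binary \
  | base64)
authorization="AWS ${aws_access_key_id}:${signature}"

printf 'Getting %s using %s\n' "$url" "$RoleArn"

# The headers are passed through a config stream on stdin so the session
# token and signature stay off curl's argument list. --fail turns an HTTP
# error (403, 404, ...) into a failing exit status instead of saving the
# error document as if it were the object.
# Bucket and key are placed in the URL exactly as given (no percent-encoding).
curl -sS --fail --config - -o "${outputfullpath}" "${url}" <<EOF || die "download failed: ${url}"
header = "Date: ${date}"
header = "X-AMZ-Security-Token: ${token}"
header = "Authorization: ${authorization}"
EOF

md5sum -- "${outputfullpath}"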
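#Troubleshooting (several of these lines print the live secret key, session token and signed Authorization header; keep that output out of shared or persisted logs)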
#ls -la ${outputfullpath}
#echo curl -s -H "Date: ${date}" -H "X-AMZ-Security-Token: ${token}" -H "Authorization: ${authorization}" "https://s3${region}.amazonaws.com/${resource}" -o "${outputfullpath}"
#cat ${outputfullpath}
#echo AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
#echo instance_profile: "$instance_profile"
#echo ecscreds: "$ecscreds"
#echo aws_access_key_id: "$aws_access_key_id"
#echo aws_secret_access_key: "$aws_secret_access_key"
#echo token: "$token"
#echo date: "$date"
#echo signature_string: "$signature_string"
#echo signature: "$signature"
#echo authorization: "$authorization"
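# for encrypted files (customer-provided key, SSE-C) you also need these headers ...
# note: with this signing scheme every x-amz-* header that is sent must also be added to the signature string
# -H "x-amz-server-side-encryption-customer-algorithm: AES256"
# -H "x-amz-server-side-encryption-customer-key: yourstring"
# -H "x-amz-server-side-encryption-customer-key-MD5: yourstring"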
#https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html