Created
May 27, 2020 10:24
-
-
Save alexandrusavin/63b96fa7c146c7c28a849b2327fb3d63 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| SCRIPT=$(basename "$0") | |
| exitWithError () { | |
| echo -e "$1" 1>&2 | |
| exit 1 | |
| } | |
| usage () { | |
| cat <<HELP_USAGE | |
| Usage: | |
| ${SCRIPT} [options] appName1 appName2 | |
| Options: | |
| -d | --opDomain Sets the name of the 1Password domain (Required). | |
| -s | --opSessionKey Sets the 1Password session key. If not passed, op will ask for the password | |
| ex: ${SCRIPT} -d myDomain --opSessionKey XLC6cHkeSHByBqrikXt36fdMVLLdHuoACNFUrNMuRXQ appName | |
| -i | --opItem Sets the id of the 1Password item that holds the Okta password and OTP (defaults to Okta) | |
| ex: ${SCRIPT} -d myDomain --opItem SomeItemId appName | |
| -h | --help Show this help message. | |
| HELP_USAGE | |
| exit 0 | |
| } | |
| APPS=() | |
| while [[ $# -gt 0 ]] | |
| do | |
| key="$1" | |
| case $key in | |
| -s | --opSessionKey) | |
| OP_SESSION_KEY="$2" | |
| shift 2 | |
| ;; | |
| -i | --opItem) | |
| OP_ITEM="$2" | |
| shift 2 | |
| ;; | |
| -d | --opDomain) | |
| OP_DOMAIN="$2" | |
| shift 2 | |
| ;; | |
| -h | --help) | |
| usage | |
| ;; | |
| -*) | |
| usage | |
| ;; | |
| *) | |
| APPS+=($1) | |
| shift | |
| ;; | |
| esac | |
| done | |
| if [[ ${#APPS[@]} == 0 ]] | |
| then | |
| usage | |
| fi | |
| if [[ "${OP_DOMAIN}" == "" ]]; then usage; fi | |
| if [[ $(command -v op) == "" ]]; then exitWithError "Error: \`op\` program not found"; fi | |
| if [[ $(command -v saml2aws) == "" ]]; then exitWithError "Error: \`clisso\` program not found"; fi | |
| if [[ $(command -v jq) == "" ]]; then exitWithError "Error: \`jq\` program not found"; fi | |
| if [[ "${OP_SESSION_KEY}" == "" ]]; then OP_SESSION_KEY=$(op signin --output=raw) || exit $?; fi | |
| eval "export OP_SESSION_${OP_DOMAIN}=${OP_SESSION_KEY}" | |
| if [[ "${OP_ITEM}" == "" ]]; then OP_ITEM="Okta"; fi | |
| printf '"Getting Okta password..."\n' | |
| export SAML2AWS_PASSWORD=$(op get item ${OP_ITEM} | jq -r '.details.fields[] | select(.name=="password").value') | |
| export SAML2AWS_USERNAME=$(op get item ${OP_ITEM} | jq -r '.details.fields[] | select(.name=="username").value') | |
| export SAML2AWS_MFA="TOTP" | |
| if [[ ${SAML2AWS_PASSWORD} == "" ]]; then | |
| exitWithError "Could not retrieve Okta password. Please make sure that you have an item called exactly \`$OP_ITEM\` in your 1Password account." | |
| exit 1 | |
| fi | |
| for (( i=0; i < ${#APPS[@]}; i+=1 )) | |
| do | |
| printf '\n"Getting a new one-time password..."\n' | |
| export SAML2AWS_MFA_TOKEN=$(op get totp ${OP_ITEM}) | |
| printf '"Getting credentials for %s usign %s MFA token..."\n' ${APPS[i]} ${SAML2AWS_MFA_TOKEN} > /dev/null | |
| saml2aws login -a ${APPS[i]} --force --skip-prompt | |
| if [[ ${i} < $((${#APPS[@]} - 1)) ]] | |
| then | |
| printf '\n"Waiting 30 sec before asking for a new one-time password..."\n' | |
| sleep 30 | |
| fi | |
| done | |
| printf '\n"Signing out of op..."\n' | |
| op signout | |
| printf '"Done!"\n' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment