@alukach
Last active February 5, 2024 20:05
Script to create a contractor group and multiple users on an AWS account
#!/bin/bash
# Create (or reuse) an IAM group for contractors, attach PowerUserAccess plus a
# "manage your own access keys" policy to it, and create console users in that group.
# Usage: ./create-contractors.sh <GroupName> <User1> [<User2> ...]
set -euo pipefail

# Check if at least two arguments are provided (group name and at least one user)
if [ "$#" -lt 2 ]; then
    echo "Usage: $0 <GroupName> <User1> [<User2> ...]" >&2
    exit 1
fi

# The first argument is the group name
GROUP="$1"
# Remove the first argument (group name) and keep the rest as the list of users
shift
USERS=("$@")

# Resolve the account ID from the calling identity. This works for any credential
# source (environment variables, named profile, SSO), whereas get-access-key-info
# only works when AWS_ACCESS_KEY_ID is set in the environment.
echo "Fetching AWS Account ID..."
ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text --no-cli-pager)
echo "AWS Account ID: $ACCOUNT_ID"

# AWS Management Console URL with account ID
AWS_CONSOLE_URL="https://${ACCOUNT_ID}.signin.aws.amazon.com/console"

# CSV output file. It holds the initial passwords in clear text: it is created
# readable by the current user only (umask below) and should be deleted once the
# credentials have been handed over.
CSV_FILE="aws_users.csv"

# Check if the group exists
echo "Checking if group $GROUP exists..."
if aws iam get-group --group-name "$GROUP" --no-cli-pager > /dev/null 2>&1; then
    echo "Group $GROUP already exists."
else
    echo "Creating group $GROUP..."
    aws iam create-group --group-name "$GROUP" --no-cli-pager
    # Attach the PowerUserAccess policy to the group
    echo "Attaching PowerUserAccess policy to $GROUP..."
    aws iam attach-group-policy --group-name "$GROUP" --policy-arn arn:aws:iam::aws:policy/PowerUserAccess --no-cli-pager
fi

# Check and create the ManageOwnAccessKeys policy if it does not exist
# (--scope Local restricts the listing to customer managed policies)
policy_name="ManageOwnAccessKeys"
policy_arn=$(aws iam list-policies --scope Local --query 'Policies[?PolicyName==`'"$policy_name"'`].Arn' --output text --no-cli-pager)
if [ -n "$policy_arn" ]; then
    echo "Policy $policy_name already exists."
else
    echo "Creating policy $policy_name..."
    # ${aws:username} is an IAM policy variable that AWS resolves at evaluation
    # time, not a shell variable: the single quotes keep bash from expanding it,
    # so each user can only manage the access keys of their own IAM user.
    policy_document='{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:GetAccessKeyLastUsed",
        "iam:GetUser",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey",
        "iam:TagUser"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}'
    policy_arn=$(aws iam create-policy --policy-name "$policy_name" --policy-document "$policy_document" --query 'Policy.Arn' --output text --no-cli-pager)
    echo "Policy $policy_name created with ARN $policy_arn."
fi

# Attach the ManageOwnAccessKeys policy to the group (a no-op if already attached)
echo "Attaching $policy_name policy to $GROUP..."
aws iam attach-group-policy --group-name "$GROUP" --policy-arn "$policy_arn" --no-cli-pager

# Create CSV header; the umask keeps the file readable by the current user only
umask 077
echo "Login URL,Username,Password" > "$CSV_FILE"

# Loop through each user and create them (IAM_USER rather than USER, so the
# shell's own $USER variable is not clobbered)
for IAM_USER in "${USERS[@]}"; do
    # Generate a unique password for each user that includes at least one number and one symbol
    PASSWORD_BASE=$(openssl rand -base64 10) # Generate a base password
    PASSWORD="${PASSWORD_BASE}1!"            # Append a number and a symbol to meet policy requirements

    echo "Creating user $IAM_USER..."
    aws iam create-user --user-name "$IAM_USER" --no-cli-pager

    echo "Setting default password and enabling console login for $IAM_USER..."
    aws iam create-login-profile --user-name "$IAM_USER" --password "$PASSWORD" --password-reset-required --no-cli-pager

    echo "Adding $IAM_USER to $GROUP..."
    aws iam add-user-to-group --user-name "$IAM_USER" --group-name "$GROUP" --no-cli-pager

    # Append user details to CSV
    echo "$AWS_CONSOLE_URL,$IAM_USER,$PASSWORD" >> "$CSV_FILE"
done

echo "All users created and added to the group. CSV file generated at $CSV_FILE."
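The script above satisfies the account password policy by appending a fixed "1!" to a random base64 string, which makes the last two characters of every initial password predictable. The following is an added example, not part of the gist: it generates the initial password by drawing from a set that already contains letters, digits and symbols and rejecting draws that miss a character class, and it exposes the same check as a function so a candidate password can be validated before `create-login-profile` is called. MIN_LEN and the symbol set are assumptions; adjust them to what `aws iam get-account-password-policy` reports for your account.

```shell
#!/bin/bash
# Added example (not from the gist): generate an IAM console password that meets
# the complexity rules by rejection sampling, and check any candidate against them.
# Assumed requirements: at least MIN_LEN characters, with at least one uppercase
# letter, one lowercase letter, one digit and one symbol.
MIN_LEN=14
# Assumed symbol set (a subset of the symbols IAM accepts, chosen to be quoting-safe)
SYMBOL_CLASS='[!@#$%^&*()_+=]'
CHARSET='A-Za-z0-9!@#$%^&*()_+='

# Return 0 if $1 meets the rules, 1 otherwise; each missing class is reported on stderr.
check_password() {
    pw="$1"
    ok=0
    [ "${#pw}" -ge "$MIN_LEN" ] || { echo "too short (${#pw} < $MIN_LEN)" >&2; ok=1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]'          || { echo "no uppercase letter" >&2; ok=1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]'          || { echo "no lowercase letter" >&2; ok=1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]'          || { echo "no digit" >&2; ok=1; }
    printf '%s' "$pw" | LC_ALL=C grep -q "$SYMBOL_CLASS"  || { echo "no symbol" >&2; ok=1; }
    return "$ok"
}

# Print a random password of length $1 (default MIN_LEN) that passes check_password.
# /dev/urandom supplies the bytes, tr keeps only characters from CHARSET, and the
# loop discards any draw that lacks a class instead of patching it with a fixed suffix.
gen_password() {
    len="${1:-$MIN_LEN}"
    while :; do
        pw=$(LC_ALL=C tr -dc "$CHARSET" < /dev/urandom | head -c "$len")
        if check_password "$pw" 2>/dev/null; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# Stand-alone run: ./gen-password.sh --print prints one password of the default length
if [ "${1:-}" = "--print" ]; then
    gen_password
fi
```

In the creation loop this replaces `PASSWORD="${PASSWORD_BASE}1!"` with `PASSWORD=$(gen_password 16)`; the reject-and-retry loop costs a few extra draws per user but leaves every character position uniformly random. Because `--password-reset-required` forces a change at first login, the generated value only has to survive the hand-over, which is one more reason to keep the CSV short-lived.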