AWS IAM assume role, save profile and inject credentials into env
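#!/usr/bin/env bash
#
# Assume THIS_ROLE with the credentials of CREDS_PROFILE and hand the
# temporary credentials over in two ways:
#   Variant A - persist them as the named CLI profile THIS_PROFILE via
#               `aws configure set` (i.e. into ~/.aws/credentials).
#   Variant B - print `export ...` lines on stdout for the caller to eval.
#
# requires: awscli jq
#
# NOTE(review): both variants put temporary STS credentials in plaintext
# (on disk and on stdout). The profile written by Variant A stays behind
# after the session token expires, so remove it when done. If only the
# CLI needs the role, a profile in ~/.aws/config with `role_arn` and
# `source_profile` lets the CLI assume and cache it without writing keys.
set -euo pipefail

# Defaults are the original hard-coded values; all three can be overridden
# from the environment.
CREDS_PROFILE="${CREDS_PROFILE:-test}"
THIS_ROLE="${THIS_ROLE:-arn:aws:iam::123456789012:role/role-to-assume}"
THIS_PROFILE="${THIS_PROFILE:-test-assumed}"

# Drop the CLI's credential cache so a previously cached session for this
# role is not reused.
rm -rf -- ~/.aws/cli/cache

# A single assume-role call feeds both variants. Under `set -e` a failed
# call aborts here instead of silently producing an empty profile or no
# output. `--output json` guards against a non-JSON default in the profile.
creds="$(aws --profile "${CREDS_PROFILE}" sts assume-role \
  --role-arn "${THIS_ROLE}" \
  --role-session-name "${THIS_PROFILE}-session" \
  --output json)"

# `jq -e` exits non-zero when a field is missing or null, so a malformed
# response cannot end up stored as the literal string "null".
access_key_id="$(jq -re '.Credentials.AccessKeyId' <<<"${creds}")"
secret_access_key="$(jq -re '.Credentials.SecretAccessKey' <<<"${creds}")"
session_token="$(jq -re '.Credentials.SessionToken' <<<"${creds}")"

# Variant A: write the profile directly rather than sourcing shell text
# generated by jq, so no generated code is executed.
aws --profile "${THIS_PROFILE}" configure set aws_access_key_id "${access_key_id}"
aws --profile "${THIS_PROFILE}" configure set aws_secret_access_key "${secret_access_key}"
aws --profile "${THIS_PROFILE}" configure set aws_session_token "${session_token}"

# Variant B: emit export lines; jq's @sh shell-quotes each interpolated value.
jq -r '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\n"' <<<"${creds}"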
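#!/usr/bin/env bash
#
# Obtain an MFA-backed STS session with the long-term keys found in the
# environment, assume AWS_MFA_ROLE_ARN with that session, and write the
# role's temporary credentials to ./.token as `export` lines.
#
# requires: awscli jq
#
# Clear any leftover AWS_* settings first, e.g.:
# for env_var in $(printenv | grep 'AWS_.*' | cut -d '=' -f 1); do unset $env_var; done
#
# export AWS_MFA_ARN="arn:aws:iam::334291217281:mfa/device-name"
# export AWS_MFA_ROLE_ARN="arn:aws:iam::123456789012:role/role-to-assume"
# export AWS_ACCESS_KEY_ID="..."
# export AWS_SECRET_ACCESS_KEY="..."
#
# Strict mode is left commented out: if this file is sourced so that the
# exports reach the caller, `set -e` would also apply to the calling
# shell. Enable it when the script is executed directly.
# set -euo pipefail

# Lifetime in seconds requested for both the MFA session and the assumed
# role; overridable from the environment, default 30 minutes.
TOKEN_DURATION="${TOKEN_DURATION:-1800}"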
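#######################################
# Exchange long-term keys + MFA code for role credentials.
# Globals:   AWS_MFA_ROLE_ARN, AWS_MFA_ARN, AWS_ACCESS_KEY_ID,
#            AWS_SECRET_ACCESS_KEY, TOKEN_DURATION (read);
#            AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
#            (exported with the MFA session); AWS_SESSION_TOKEN,
#            AWS_PROFILE (unset before the first STS call)
# Arguments: none (MFA code is read from stdin)
# Outputs:   prompt on stdout, diagnostics on stderr; writes ./.token
#            with `export` lines for the assumed role's credentials
# Returns:   0 on success, 1 on missing input, missing tool or STS failure
#######################################
main() {
  local role_arn="${AWS_MFA_ROLE_ARN:-}"
  local serial_number="${AWS_MFA_ARN:-}"
  local token_code sts_creds role_creds tool
  local access_key_id secret_access_key session_token

  if [ -z "${role_arn}" ]; then
    echo "Set the AWS_MFA_ROLE_ARN environment variable" 1>&2
    return 1
  fi
  if [ -z "${serial_number}" ]; then
    echo "Set the AWS_MFA_ARN environment variable" 1>&2
    return 1
  fi
  # `:-` keeps these checks working under `set -u` (matches the two above).
  if [ -z "${AWS_ACCESS_KEY_ID:-}" ]; then
    echo "Set the AWS_ACCESS_KEY_ID environment variable" 1>&2
    return 1
  fi
  if [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "Set the AWS_SECRET_ACCESS_KEY environment variable" 1>&2
    return 1
  fi
  # Fail early with a clear message rather than on the first STS call.
  for tool in aws jq; do
    if ! command -v "${tool}" >/dev/null 2>&1; then
      echo "Required tool not found: ${tool}" 1>&2
      return 1
    fi
  done

  printf '%s' "Enter MFA Code: "
  read -r token_code
  if [ -z "${token_code}" ]; then
    echo "No MFA code entered" 1>&2
    return 1
  fi

  # Make sure the get-session-token call below uses the long-term keys
  # checked above, not a profile or a stale session token.
  unset AWS_SESSION_TOKEN
  unset AWS_PROFILE

  # Assignment is separate from `local` so a failing aws call is not
  # masked by the declaration's exit status.
  sts_creds="$(aws \
    sts get-session-token \
    --duration-seconds "${TOKEN_DURATION}" \
    --serial-number="${serial_number}" \
    --token-code "${token_code}" \
    --output json
  )" || return 1
  if [ -z "${sts_creds}" ]; then
    echo "No valid data returned from get-session-token!" 1>&2
    return 1
  fi
  # `jq -e` returns non-zero on null, so a missing field aborts instead of
  # exporting the literal string "null".
  access_key_id="$(jq -re '.Credentials.AccessKeyId' <<<"${sts_creds}")" || return 1
  secret_access_key="$(jq -re '.Credentials.SecretAccessKey' <<<"${sts_creds}")" || return 1
  session_token="$(jq -re '.Credentials.SessionToken' <<<"${sts_creds}")" || return 1
  export AWS_ACCESS_KEY_ID="${access_key_id}"
  export AWS_SECRET_ACCESS_KEY="${secret_access_key}"
  export AWS_SESSION_TOKEN="${session_token}"

  role_creds="$(aws \
    sts assume-role \
    --duration-seconds "${TOKEN_DURATION}" \
    --role-arn="${role_arn}" \
    --role-session-name="terraform-access" \
    --output json
  )" || return 1
  if [ -z "${role_creds}" ]; then
    echo "No valid data returned from assume-role!" 1>&2
    return 1
  fi
  access_key_id="$(jq -re '.Credentials.AccessKeyId' <<<"${role_creds}")" || return 1
  secret_access_key="$(jq -re '.Credentials.SecretAccessKey' <<<"${role_creds}")" || return 1
  session_token="$(jq -re '.Credentials.SessionToken' <<<"${role_creds}")" || return 1

  # .token holds plaintext temporary credentials in the current directory:
  # recreate it owner-only (a pre-existing file or symlink is removed first
  # so old permissions are not inherited) and shell-quote each value with
  # %q instead of interpolating it into a here-doc. Keep .token out of
  # version control.
  rm -f -- .token
  (
    umask 077
    printf 'export %s=%q\n' \
      AWS_ACCESS_KEY_ID "${access_key_id}" \
      AWS_SECRET_ACCESS_KEY "${secret_access_key}" \
      AWS_SESSION_TOKEN "${session_token}" > .token
  ) || return 1
}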
# Entry point. The variables exported by main only reach the caller if this
# file is sourced rather than executed — presumably why `set -euo pipefail`
# is left commented out in the header; confirm against how it is invoked.
main "$@"