AWS IAM assume-role helpers: save the temporary credentials to a named CLI profile, or print `export` lines to inject them into the shell environment
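#!/usr/bin/env bash
#
# Assume an IAM role from a base CLI profile and hand out the temporary
# credentials two ways: Variant A persists them as a named CLI profile,
# Variant B prints `export` lines to stdout for the calling shell to eval.
#
# requires: awscli jq
set -euo pipefail

CREDS_PROFILE="test"
THIS_ROLE="arn:aws:iam::123456789012:role/role-to-assume"
THIS_PROFILE="test-assumed"

# Drop the CLI's own assume-role cache so a stale cached session is not picked
# up ahead of the fresh STS call. ${HOME:?} refuses to run with HOME unset
# rather than deleting a relative ./.aws/cli/cache.
rm -rf -- "${HOME:?}/.aws/cli/cache"

# One STS call feeds both variants. `--output json` is explicit because jq
# below would choke on a profile whose configured default output is text or
# table. Under -e/pipefail a failed assume-role stops here instead of silently
# leaving whatever credentials were previously stored in place.
creds="$(aws --profile "${CREDS_PROFILE}" sts assume-role \
  --role-arn "${THIS_ROLE}" \
  --role-session-name "${THIS_PROFILE}-session" \
  --output json)"
# A response without a Credentials block would otherwise be written out as the
# literal string "null" by the jq string interpolation below.
if ! jq -e '.Credentials.SessionToken' <<<"${creds}" >/dev/null; then
  echo "assume-role returned no Credentials block" 1>&2
  exit 1
fi

# Variant A: store the temporary credentials under the THIS_PROFILE CLI profile.
# jq's @sh shell-quotes every interpolated value, so the generated
# `aws configure set` lines are safe to source. The profile is a plaintext copy
# of the secrets that outlives their expiry; re-run to refresh it.
source <(jq --arg profile "${THIS_PROFILE}" -r '.Credentials | @sh "aws --profile \($profile) configure set aws_access_key_id \(.AccessKeyId)\naws --profile \($profile) configure set aws_secret_access_key \(.SecretAccessKey)\naws --profile \($profile) configure set aws_session_token \(.SessionToken)\n"' <<<"${creds}")

# Variant B: emit export lines for the caller to eval. Secrets go to stdout on
# purpose; do not pipe or tee this through anything that logs.
jq -r '.Credentials | @sh "export AWS_SESSION_TOKEN=\(.SessionToken)\nexport AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\n"' <<<"${creds}"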
#!/usr/bin/env bash
#
# Obtain an MFA-backed STS session from long-term access keys, assume a role
# with that session, and write the role's temporary credentials to ./.token
# for `source .token`.
#
# requires: awscli jq
# Optionally clear AWS_* variables from the current shell first (the pattern is
# anchored so unrelated variables that merely contain "AWS_" are left alone):
# for env_var in $(printenv | grep '^AWS_' | cut -d '=' -f 1); do unset "$env_var"; done
#
# export AWS_MFA_ARN="arn:aws:iam::334291217281:mfa/device-name"
# export AWS_MFA_ROLE_ARN="arn:aws:iam::123456789012:role/role-to-assume"
# export AWS_ACCESS_KEY_ID="..."
# export AWS_SECRET_ACCESS_KEY="..."
#
# set -euo pipefail   # recommended; if enabled, write the AWS_ACCESS_KEY_ID /
#                     # AWS_SECRET_ACCESS_KEY checks below as "${VAR:-}" so -u
#                     # does not abort them with bash's own "unbound variable" message
# Lifetime, in seconds, requested for both the MFA session and the assumed role
# (30 minutes).
TOKEN_DURATION=$((30 * 60))
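#######################################
# Get an MFA-backed STS session, assume AWS_MFA_ROLE_ARN with it, and write
# the role's temporary credentials to ./.token (mode 0600).
# Globals:   AWS_MFA_ROLE_ARN, AWS_MFA_ARN, AWS_ACCESS_KEY_ID,
#            AWS_SECRET_ACCESS_KEY (read); AWS_ACCESS_KEY_ID,
#            AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN (exported, overwritten);
#            AWS_SESSION_TOKEN, AWS_PROFILE (unset); TOKEN_DURATION (read)
# Arguments: none (positional parameters are ignored)
# Inputs:    the MFA code, read from stdin
# Outputs:   ./.token with three `export "NAME=value"` lines
# Returns:   0 on success, 1 on missing input or a failed STS/jq step
#######################################
main() {
  local role_arn="${AWS_MFA_ROLE_ARN:-}"
  local serial_number="${AWS_MFA_ARN:-}"
  local token_code sts_creds role_creds
  local access_key secret_key session_token

  # Fail early on missing input. The :- defaults keep these checks working
  # under `set -u`, where a bare "${VAR}" would abort with bash's own message.
  if [ -z "${role_arn}" ]; then
    echo "Set the AWS_MFA_ROLE_ARN environment variable" 1>&2
    return 1
  fi
  if [ -z "${serial_number}" ]; then
    echo "Set the AWS_MFA_ARN environment variable" 1>&2
    return 1
  fi
  if [ -z "${AWS_ACCESS_KEY_ID:-}" ]; then
    echo "Set the AWS_ACCESS_KEY_ID environment variable" 1>&2
    return 1
  fi
  if [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "Set the AWS_SECRET_ACCESS_KEY environment variable" 1>&2
    return 1
  fi

  printf 'Enter MFA Code: '
  read -r token_code
  # Reject malformed codes before spending an STS call; MFA codes are six
  # digits. The code is passed to `aws` on argv and so is briefly visible in
  # `ps` — unavoidable with the CLI, but the code is single-use.
  if ! [[ "${token_code}" =~ ^[0-9]{6}$ ]]; then
    echo "MFA code must be exactly six digits" 1>&2
    return 1
  fi

  # get-session-token must run with the long-term keys only; a leftover session
  # token or profile selection would otherwise be picked up by the CLI instead.
  # NOTE: if this script is sourced rather than executed, the exports below
  # overwrite the caller's AWS_* variables with the intermediate session.
  unset AWS_SESSION_TOKEN
  unset AWS_PROFILE
  sts_creds="$(aws sts get-session-token \
    --duration-seconds "${TOKEN_DURATION}" \
    --serial-number "${serial_number}" \
    --token-code "${token_code}" \
    --output json)" || return 1
  if [ -z "${sts_creds}" ]; then
    echo "No valid data returned from get-session-token!" 1>&2
    return 1
  fi
  # jq -e fails on a null/missing field, so a malformed response returns 1
  # here instead of exporting the literal string "null".
  access_key="$(jq -re '.Credentials.AccessKeyId' <<<"${sts_creds}")" || return 1
  secret_key="$(jq -re '.Credentials.SecretAccessKey' <<<"${sts_creds}")" || return 1
  session_token="$(jq -re '.Credentials.SessionToken' <<<"${sts_creds}")" || return 1
  export AWS_ACCESS_KEY_ID="${access_key}"
  export AWS_SECRET_ACCESS_KEY="${secret_key}"
  export AWS_SESSION_TOKEN="${session_token}"

  role_creds="$(aws sts assume-role \
    --duration-seconds "${TOKEN_DURATION}" \
    --role-arn "${role_arn}" \
    --role-session-name "terraform-access" \
    --output json)" || return 1
  if [ -z "${role_creds}" ]; then
    echo "No valid data returned from assume-role!" 1>&2
    return 1
  fi
  access_key="$(jq -re '.Credentials.AccessKeyId' <<<"${role_creds}")" || return 1
  secret_key="$(jq -re '.Credentials.SecretAccessKey' <<<"${role_creds}")" || return 1
  session_token="$(jq -re '.Credentials.SessionToken' <<<"${role_creds}")" || return 1

  # ./.token holds plaintext secrets: create it owner-only. umask only applies
  # at creation, so an existing (possibly 0644) file is removed first, and the
  # umask change is confined to a subshell so the caller's umask is untouched.
  # Keep .token out of version control.
  (
    umask 077
    rm -f -- .token
    printf 'export "%s=%s"\n' \
      AWS_ACCESS_KEY_ID "${access_key}" \
      AWS_SECRET_ACCESS_KEY "${secret_key}" \
      AWS_SESSION_TOKEN "${session_token}" > .token
  )
}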
# Entry point. Positional parameters are forwarded for completeness; main
# does not currently read any of them.
main "$@"