Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Prints the exports required to install an AWS Role's temporary keys to stdout
#!/usr/bin/env python
import socket
import json
import sys
import os
import re
from subprocess import Popen, PIPE
from pprint import pprint
def run_shell(cmd):
p = Popen(cmd, stdout=PIPE)
stdout, stderr = p.communicate()
if p.returncode != 0:
return stdout
usage = "Usage: get-role-token <role> <mfa-token>"
role = sys.argv[1] if len(sys.argv) > 1 else sys.exit(usage)
token = sys.argv[2] if len(sys.argv) > 2 else sys.exit(usage)
user = json.loads(run_shell(["aws", "iam", "get-user"]))
match = re.compile("arn\:aws\:iam\:\:(\d+):.*").match(user["User"]["Arn"])
account_number =
token = json.loads(run_shell(["aws", "sts", "assume-role",
"--role-arn", "arn:aws:iam::{}:role/{}".format(account_number, role),
"--role-session-name", "cli.user-{}".format(user["User"]["UserName"]),
"--serial-number", "arn:aws:iam::{}:mfa/{}".format(account_number, user["User"]["UserName"]),
"--token-code", "{}".format(token)]))
print "export {}=\"{}\"".format("AWS_ACCESS_KEY_ID", token["Credentials"]["AccessKeyId"])
print "export {}=\"{}\"".format("AWS_SECRET_ACCESS_KEY", token["Credentials"]["SecretAccessKey"])
print "export {}=\"{}\"".format("AWS_SESSION_TOKEN", token["Credentials"]["SessionToken"])
print "export {}=\"{}\"".format("AWS_SECURITY_TOKEN", token["Credentials"]["SessionToken"])
print "export {}=\"{}\"".format("AWS_ROLE_EXPIRATION", token["Credentials"]["Expiration"])
print "export {}=\"{}\"".format("AWS_ROLE_NAME", role)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment