Skip to content

Instantly share code, notes, and snippets.

@codequokka

codequokka/get-aws-session-token.sh

Created June 7, 2022 10:24
Show Gist options
  • Save codequokka/08f4130247757418912e2dc083372e4e to your computer and use it in GitHub Desktop.
Save codequokka/08f4130247757418912e2dc083372e4e to your computer and use it in GitHub Desktop.
Download ZIP
get-aws-session-token.sh
Raw
get-aws-session-token.sh
#!/bin/bash
# get-session-token.sh
# ====================
#
# Get session token
#
# Options:
# -h Show this help
#
# Examples:
# # Without MFA
# # Switch role
# $ export AWS_PROFILE=<profile>
# $ export AWS_ROLE_ARN=arn:aws:iam::<aws-account-id>:role/<iam-role>
# $ export AWS_ROLE_SESSION_NAME=<iam-user>
# $ eval $(get-session-token.sh)
# Input duration seconds: 28800
# Input token code: <one-time-password>
#
# # With MFA
# # Only MFA
# $ export AWS_PROFILE=<profile>
# $ export AWS_SERIAL_NUMBER=arn:aws:iam::<aws-account-id>:mfa/<iam-user>
# $ eval $(get-session-token.sh)
# Input duration seconds: 28800
# Input token code: <one-time-password>
#
# # MFA & swith role
# $ export AWS_PROFILE=<profile>
# $ export AWS_SERIAL_NUMBER=arn:aws:iam::<aws-account-id>:mfa/<iam-user>
# $ export AWS_ROLE_ARN=arn:aws:iam::<aws-account-id>:role/<iam-role>
# $ export AWS_ROLE_SESSION_NAME=<iam-user>
# $ eval $(get-session-token.sh)
# Input duration seconds: 28800
# Input token code: <one-time-password>
help() {
awk 'NR > 2 {
if (/^#/) { sub("^# ?", ""); print }
else { exit }
}' "${0}"
}
check_common_requirements() {
if ! type 'aws' > /dev/null 2>&1; then
echo 'Install aws cli.' >&2
exit 1
fi
if ! type 'jq' > /dev/null 2>&1; then
echo 'Install jq command.' >&2
exit 1
fi
if [ -z "$AWS_PROFILE" ]; then
echo 'Export AWS_PROFILE.' >&2
echo '$ export AWS_PROFILE=<profile>' >&2
exit 1
fi
}
while getopts h option
do
case "$option" in
h) help; exit 0;;
\?) help; exit 1;;
esac
done
check_common_requirements
# Session token default duration seconds: 28800(8H)
duration_seconds=$((60 * 60 * 8))
read -e -r -p "Input duration seconds: " -i $duration_seconds duration_seconds
read -r -p "Input token code: " token_code
# Avoid the following error that occurs when obtaining a session token while the session token is already set
# An error occurred (AccessDenied) when calling the GetSessionToken operation:
# Cannot call GetSessionToken with session credentials
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
if [ -z "$AWS_SERIAL_NUMBER" ]; then
# Without MFA
# Siwtch role
output=$(aws sts assume-role \
--role-arn "$AWS_ROLE_ARN" \
--role-session-name "$AWS_ROLE_SESSION_NAME")
else
# With MFA
if [ -z "$AWS_ROLE_ARN" ]; then
# Only MFA
output=$(aws sts get-session-token \
--duration-seconds "$duration_seconds" \
--serial-number "$AWS_SERIAL_NUMBER" \
--token-code "$token_code")
else
# MFA and Switch Role
output=$(aws sts assume-role \
--role-arn "$AWS_ROLE_ARN" \
--role-session-name "$AWS_ROLE_SESSION_NAME" \
--serial-number "$AWS_SERIAL_NUMBER" \
--token-code "$token_code")
fi
fi
if [ $? -ne 0 ]; then
echo "Make sure your aws profile, iam role, serial number, token code are correct." >&2
exit 1
fi
aws_access_key_id=$(echo "$output" | jq -r .Credentials.AccessKeyId)
aws_secret_access_key=$(echo "$output" | jq -r .Credentials.SecretAccessKey)
aws_session_token=$(echo "$output" | jq -r .Credentials.SessionToken)
expiration=$(echo "$output" | jq -r .Credentials.Expiration)
echo "export AWS_ACCESS_KEY_ID=$aws_access_key_id"
echo "export AWS_SECRET_ACCESS_KEY=$aws_secret_access_key"
echo "export AWS_SESSION_TOKEN=$aws_session_token"
echo "# Expiration time(UTC): $expiration" >&2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment