Created
June 25, 2023 13:15
-
-
Save discorev/048767f20acf8dc374b2a8acd6441140 to your computer and use it in GitHub Desktop.
Setup script to add YubiKey as a virtual-mfa device to AWS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/zsh | |
| POSITIONAL=() | |
| while [[ $# -gt 0 ]] | |
| do | |
| key="$1" | |
| case $key in | |
| -p|--profile) | |
| AWS_PROFILE="$2" | |
| shift # past argument | |
| shift # past value | |
| ;; | |
| *) # unknown option | |
| POSITIONAL+=("$1") # save it in an array for later | |
| shift # past argument | |
| ;; | |
| esac | |
| done | |
| set -- "${POSITIONAL[@]}" # restore positional parameters | |
| if [ -z "$AWS_PROFILE" ]; then | |
| AWS_PROFILE="default" | |
| fi | |
| MFA_PROFILE=${AWS_PROFILE}-mfa | |
| if [ $AWS_PROFILE = "default" ]; then | |
| MFA_PROFILE=mfa | |
| fi | |
| # Check if there is already a virtual MFA device for this user | |
| MFA_DEVICE_LIST_LENGTH=$(aws iam list-mfa-devices --query 'MFADevices[*].SerialNumber' --profile ${AWS_PROFILE} | jq -r '[.[] | select(contains("mfa"))] | length') | |
| if [ $MFA_DEVICE_LIST_LENGTH -gt 0 ]; then | |
| # Ensure the mfa profile has been activated | |
| echo "Account already has MFA devices - checking MFA is active" | |
| aws sts get-caller-identity --profile ${MFA_PROFILE} &> /dev/null | |
| if [ $? -ne 0 ]; then | |
| echo "MFA not active - please mfa authenticate the AWS \`${AWS_PROFILE}\` profile." | |
| exit 1 | |
| fi | |
| else | |
| MFA_PROFILE="" | |
| fi | |
| YUBI_DEVICE=`ykman list --serials` | |
| if [ -z "${YUBI_DEVICE}" ]; then | |
| echo "No YubiKey connected - please connect the YubiKey to setup" | |
| exit 2 | |
| fi | |
| APPLICATION=oath | |
| label=$(aws iam create-virtual-mfa-device --profile ${AWS_PROFILE} --path /yubikey/${APPLICATION}/ --virtual-mfa-device-name ${YUBI_DEVICE} --outfile ${YUBI_DEVICE}.txt --bootstrap-method Base32StringSeed | jq -r '.VirtualMFADevice.SerialNumber') | |
| if [ $? -eq 0 ]; then | |
| ykman --device $YUBI_DEVICE ${APPLICATION} accounts add -t $label `cat ${YUBI_DEVICE}.txt` | |
| rm ${YUBI_DEVICE}.txt | |
| CODE1=$(ykman --device $YUBI_DEVICE $APPLICATION accounts code $label) | |
| CODE1=${CODE1:(-6)} | |
| echo $CODE1 | |
| sleep 30 | |
| CODE2=$(ykman --device $YUBI_DEVICE $APPLICATION accounts code $label) | |
| CODE2=${CODE2:(-6)} | |
| echo $CODE2 | |
| # If the account already has MFA enabled then this will need to use the current MFA profile (which must be authenticated) | |
| if [ -z "${MFA_PROFILE}" ]; then | |
| aws iam enable-mfa-device --user-name $(aws iam get-user | jq -r '.User.UserName') --serial-number $label --authentication-code1 ${CODE1} --authentication-code2 ${CODE2} | |
| else | |
| aws iam enable-mfa-device --user-name $(aws iam get-user | jq -r '.User.UserName') --serial-number $label --authentication-code1 ${CODE1} --authentication-code2 ${CODE2} --profile ${MFA_PROFILE} | |
| fi | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment