-
-
Save dominics/ce822810802bb8f39ecdf530ecc8bc10 to your computer and use it in GitHub Desktop.
aws-vault yubikey bash/zsh helpers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Helper script providing `ykaws-auth <profile>` and `ykaws-login <profile>` helpers | |
| # | |
| # Initial Yubikey setup: | |
| # - Install and configure Yubico Authenticator, ykman, AWS Vault | |
| # - Configure your AWS MFA device to be stored in your Yubikey | |
| # - Set a YKAWS_PROFILE environment variable to the TOTP profile name (list with `ykman oath list`) in your shell startup scripts | |
| # - You'll know you're ready when `ykman oath code --single "$YKAWS_PROFILE"` returns an MFA code | |
| # | |
| # Installing this helper: | |
| # - Put it somewhere | |
| # - Source it from your shell startup scripts | |
| # | |
| # Now you're ready to run `ykaws-auth` or `ykaws-login` | |
| if test -n "$ZSH_VERSION"; then | |
| if [[ "$ZSH_EVAL_CONTEXT" == 'toplevel' ]]; then | |
| echo "You're running $0, but the correct way to use it is to source it in your current shell (so that it can create aliases for you.)" >&2 | |
| echo "Run 'source $0' instead!" >&2 | |
| exit 2 | |
| fi | |
| elif test -n "$BASH_VERSION"; then | |
| if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then | |
| echo "You're running $0, but the correct way to use it is to source it in your current shell (so that it can create aliases for you.)" >&2 | |
| echo "Run 'source $0' instead!" >&2 | |
| exit 2 | |
| fi | |
| fi | |
| YKAWS_PROFILE=${YKAWS_PROFILE:-} | |
| if [[ -z "$YKAWS_PROFILE" ]]; then | |
| echo "You should set the $YKAWS_PROFILE environment variable before sourcing this helper" >&2 | |
| return 1 | |
| fi | |
| _ykaws_user_var() { | |
| [[ "${TERM_PROGRAM:-}" == "iTerm.app" ]] || return | |
| printf "\033]1337;SetUserVar=%s=%s\007" "$1" "$(printf "%s" "$2" | base64 | tr -d '\n')" | |
| } | |
| _ykaws_unset() { | |
| unset AWS_SESSION_TOKEN | |
| unset AWS_VAULT | |
| unset AWS_SECRET_ACCESS_KEY | |
| unset AWS_ACCESS_KEY_ID | |
| unset AWS_SECURITY_TOKEN | |
| } | |
| _ykaws_check_profile() { | |
| if [ $# -eq 0 ] | |
| then | |
| echo "Must pass aws-vault profile name" >&2 | |
| return 1 | |
| fi | |
| grep -qw "^\[profile $1\]$" <~/.aws/config | |
| if [ $? -gt 0 ]; then | |
| echo "Profile $1 not found in aws config" >&2 | |
| return 1 | |
| fi | |
| } | |
| _ykaws_export() { | |
| set -o pipefail | |
| aws-vault exec $1 --no-session --assume-role-ttl=12h -m `ykman oath code --single "$YKAWS_PROFILE" | awk '{print $NF}'` -- env | grep ^AWS | sed -e 's/^/export\ /' | |
| ret=$? | |
| set +o pipefail | |
| return $ret | |
| } | |
| ykaws-auth() { | |
| _ykaws_check_profile $1 | |
| ret=$? | |
| if [ $ret -gt 0 ]; then | |
| return $ret | |
| fi | |
| _ykaws_unset | |
| env="$(_ykaws_export $1)" | |
| ret=$? | |
| if [ $ret -gt 0 ]; then | |
| echo "Could not authenticate: this may indicate the MFA code has already been used" >&2 | |
| _ykaws_user_var ykawsvault "${AWS_VAULT:-}" | |
| return $ret | |
| fi | |
| eval "${env}" | |
| unset env | |
| _ykaws_user_var ykawsvault "${AWS_VAULT:-}" | |
| } | |
| ykaws-login() { | |
| _ykaws_check_profile $1 | |
| ret=$? | |
| if [ $ret -gt 0 ]; then | |
| return $ret | |
| fi | |
| set -o pipefail | |
| aws-vault login $1 --no-session --assume-role-ttl=12h -t `ykman oath code --single "$YKAWS_PROFILE" | awk '{print $NF}'` | |
| ret=$? | |
| set +o pipefail | |
| return $ret | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment