Created
April 10, 2020 14:19
-
-
Save enriquemanuel/1362607c815cd4c58db3109df0ee287e to your computer and use it in GitHub Desktop.
SocksProxy that uses SSH Config to SSH via SSM to an AWS Instance to not use SSH
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| bold=$(tput bold) | |
| normal=$(tput sgr0) | |
| USAGE=$(cat <<-END | |
| source ./issue_mfa.sh [AWS_USERNAME] [MFA_TOKEN] | |
| Issues an aws security token and sets it automatically. | |
| If added the -v flag it will echos AWS_SECRET_ACCESS_KEY, | |
| AWS_ACCESS_KEY_ID, AWS_SECURITY_TOKEN, and AWS_SESSION_TOKEN | |
| as exports you can set in your shell. | |
| AWS_USERNAME is case-sensitive. | |
| END | |
| ) | |
| # safety check for source | |
| # https://stackoverflow.com/questions/2683279/how-to-detect-if-a-script-is-being-sourced | |
| if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then | |
| echo "${bold}ERROR:${normal} Check that you are properly sourcing the script" | |
| echo | |
| echo "This script should be run as:" | |
| echo "$ ${bold}source${normal} ./issue_mfa.sh [AWS_USERNAME] [MFA_TOKEN] " | |
| exit 1 | |
| fi | |
| if ! [ -x "$(command -v jq)" ]; then | |
| echo 'Error: jq is not installed.' >&2 | |
| echo 'Try: brew install jq' >&2 | |
| return 1 | |
| fi | |
| if ! [ -x "$(command -v aws)" ]; then | |
| echo 'Error: aws-cli is not installed.' >&2 | |
| echo 'Try: brew install awscli' >&2 | |
| return 1 | |
| fi | |
| if [[ $1 == "-h" ]]; then | |
| echo "$USAGE" | |
| return 0 | |
| fi | |
| if [[ $# -ne 2 && $# -ne 3 ]]; then | |
| echo "$USAGE" >&2 | |
| return 1 | |
| fi | |
| unset AWS_ACCESS_KEY_ID | |
| unset AWS_SECRET_ACCESS_KEY | |
| unset AWS_SECURITY_TOKEN | |
| unset AWS_SESSION_TOKEN | |
| #shellcheck disable=SC2086 | |
| if ! aws_out="$(aws sts get-session-token --output json --serial-number arn:<region>:iam::<account number>:mfa/$1 --token-code $2)"; then | |
| echo -e "${bold}ERROR:${normal} Could not set AWS Sessions. Read error above..." | |
| else | |
| aws_id=$(echo $aws_out | jq -r .Credentials.AccessKeyId) | |
| aws_secret=$(echo $aws_out | jq -r .Credentials.SecretAccessKey) | |
| aws_session=$(echo $aws_out | jq -r .Credentials.SessionToken) | |
| export AWS_ACCESS_KEY_ID=$aws_id | |
| export AWS_SECRET_ACCESS_KEY=$aws_secret | |
| export AWS_SECURITY_TOKEN=$aws_session | |
| export AWS_SESSION_TOKEN=$aws_session | |
| echo "${bold}AWS Session credentials saved. Will expire in 12 hours${normal}" | |
| if [[ $3 == "-v" ]]; then | |
| echo " export AWS_ACCESS_KEY_ID=$aws_id" | |
| echo " export AWS_SECRET_ACCESS_KEY=$aws_secret" | |
| echo " export AWS_SECURITY_TOKEN=$aws_session" | |
| echo " export AWS_SESSION_TOKEN=$aws_session" | |
| fi | |
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # shellcheck disable=SC2006,SC2009,SC1091,SC2129,SC2126 | |
| socks_kill_cmd="pkill -f \"ssh -o LogLevel=error i-*\"" | |
| socks_ps_count=`ps -fea | grep -e 'ssh i-*' -e '-D 2001'| grep -v grep | wc -l`; | |
| [ $socks_ps_count -eq 0 ] && echo "socks are OFF" || echo "socks are ON"; | |
| if [ $# -eq 0 ]; then | |
| exit 0; | |
| else | |
| if [ $1 == "on" ]; then | |
| echo "Enabling SOCKS..." | |
| if [ $# -ne 3 ]; then | |
| echo "Error: Need aws username and token" | |
| exit 1 | |
| else | |
| echo "Getting mfa..." | |
| if ! source issue_mfa "$2" "$3"; then | |
| echo "Error: MFA error. Read above." | |
| exit 1 | |
| fi | |
| echo "(re)starting socks..."; | |
| eval $socks_kill_cmd; | |
| app_env="prod" | |
| app_name="ssmproxy" # new naming convention | |
| # insert each instance to the array when finding them | |
| # we have to ssm proxy to balance the traffic of our users | |
| for instance_id in $(aws ec2 describe-instances \ | |
| --filters "Name=instance-state-name,Values=running" \ | |
| "Name=tag:Name,Values=*${app_name}-${app_env}*" \ | |
| --query 'Reservations[*].Instances[*].[InstanceId]' --output text); do | |
| instance_ids+=(${instance_id}) | |
| done | |
| # randomly give one of the 2 instances | |
| instance_id=${instance_ids[RANDOM%${#instance_ids[@]}]} | |
| socks_start_cmd="ssh -o LogLevel=error ${instance_id} -D 2001 -N"; | |
| eval $socks_start_cmd & disown; | |
| exit 0; | |
| fi | |
| else | |
| if [ $# -eq 1 ] && [ $1 == "off" ]; then | |
| echo "Stopping socks..."; | |
| eval $socks_kill_cmd; | |
| exit 0; | |
| else | |
| echo "Usage: socks [on|off]"; | |
| exit 1; | |
| fi; | |
| fi; | |
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Host i-* | |
| ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'" | |
| ForwardAgent yes | |
| User <user id> | |
| IdentityFile <id file> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment