Created
September 19, 2018 16:05
-
-
Save geerlingguy/0a524082674e72132b1dea44df275cbb to your computer and use it in GitHub Desktop.
AWS STS Token update playbook for MFA
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ansible-playbook -c local | |
| # | |
| # AWS STS token update playbook. | |
| # | |
| # Updating AWS session tokens with STS can be a pain. But MFA is good. So let's | |
| # automate the management of the .aws/credentials file to make it not painful! | |
| # | |
| # Usage: | |
| # | |
| # 1. Save this to a file like /usr/local/bin/aws-sts-token | |
| # 2. Make the file executable (chmod +x /usr/local/bin/aws-sts-token) | |
| # 3. Run the command: | |
| # | |
| # ./aws-sts-token -e aws_userarn=ARN_FROM_IAM -e aws_profile=PROFILE -e aws_sts_profile=STS_PROFILE -e token_code=TOKEN | |
| # | |
| # Options: | |
| # - ARN_FROM_IAM: Your AWS user account ARN, like "arn:aws:iam::241312619141:mfa/geerlingguy" | |
| # - PROFILE: AWS credentials profile, like "personal" | |
| # - STS_PROFILE: AWS credentials profile for STS, like "default" | |
| # - TOKEN: One-time token from your MFA device | |
| # | |
| # For even more awesome, add to your bash .profile: | |
| # | |
| # # AWS STS Token. | |
| # function awssts() { | |
| # if [[ ! "$1" ]] ; then | |
| # echo "You must supply a token code." | |
| # return 0 | |
| # fi | |
| # | |
| # aws-sts-token -e aws_userarn=ARN_FROM_IAM -e aws_profile=PROFILE -e aws_sts_profile=STS_PROFILE -e token_code=$1 | |
| # return 0 | |
| # } | |
| # | |
| # Then you can just run `awssts TOKEN` and it will update your profile. | |
| --- | |
| - hosts: localhost | |
| become: no | |
| gather_facts: no | |
| vars: | |
| aws_userarn: '' | |
| aws_profile: '' | |
| aws_sts_profile: '' | |
| token_code: '' | |
| tasks: | |
| - name: Get STS session token. | |
| command: aws sts get-session-token --serial-number {{ aws_userarn }} --profile {{ aws_profile }} --token-code {{ token_code }} | |
| register: sts_session_creds | |
| - debug: var=(sts_session_creds.stdout|from_json) | |
| - name: Print session token. | |
| set_fact: | |
| secret_access_key: "{{ (sts_session_creds.stdout|from_json)['Credentials']['SecretAccessKey'] }}" | |
| session_token: "{{ (sts_session_creds.stdout|from_json)['Credentials']['SessionToken'] }}" | |
| access_key_id: "{{ (sts_session_creds.stdout|from_json)['Credentials']['AccessKeyId'] }}" | |
| expiration: "{{ (sts_session_creds.stdout|from_json)['Credentials']['Expiration'] }}" | |
| - name: Print token expiration date | |
| debug: | |
| msg: "Token expires at {{ expiration }}" | |
| - name: Print all the credentials for debug (only with -vv). | |
| debug: | |
| var: "{{ item }}" | |
| verbosity: 2 | |
| with_items: | |
| - access_key_id | |
| - secret_access_key | |
| - session_token | |
| - name: Update credentials in .aws/credentials file. | |
| blockinfile: | |
| path: ~/.aws/credentials | |
| marker: "# ANSIBLE MANAGED PROFILE: {{ aws_sts_profile }} {mark}" | |
| insertafter: EOF | |
| backup: yes | |
| block: | | |
| [{{ aws_sts_profile }}] | |
| aws_access_key_id={{ access_key_id }} | |
| aws_secret_access_key={{ secret_access_key }} | |
| aws_session_token={{ session_token }} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment