@gijoehosaphat
Forked from chtorr/helpers.sh
Last active November 3, 2021 17:17
aws-vault yubikey bash helpers
# - install the Yubico authenticator app
# - install ykman
# - setup your yubikey as a virtual MFA device in AWS, and
# - install and setup AWS vault
# - place the following in your ~/.bash_profile (or whatever the appropriate profile file is)
# - run source ~/.bash_profile or open a new shell
# load temp AWS credentials in your current shell: `aws_auth <profile>`
# login to AWS console with temp credentials: `aws_login <profile>`
# I also like to add the vault name to my shell prompt: \033[0;31m[\$AWS_VAULT]\033[0m
# get the name of the profile from the output of `ykman oath list`
# Placeholder; replace with the OATH account name shown by `ykman oath list`.
YUBIKEY_PROFILE='REPLACE ME'
#######################################
# Clear aws-vault session variables from the current shell so the next
# session starts from a clean environment.
# Globals:   AWS_SESSION_TOKEN, AWS_VAULT, AWS_SECRET_ACCESS_KEY,
#            AWS_ACCESS_KEY_ID, AWS_SECURITY_TOKEN (all unset)
# Arguments: none
# Returns:   0
#######################################
_aws_unset() {
  local name
  for name in AWS_SESSION_TOKEN AWS_VAULT AWS_SECRET_ACCESS_KEY AWS_ACCESS_KEY_ID AWS_SECURITY_TOKEN; do
    unset "$name"
  done
}
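#######################################
# Verify that an aws-vault profile is defined in the AWS config file.
# Globals:   AWS_CONFIG_FILE (read, optional) - config path; ~/.aws/config if unset
# Arguments: $1 - profile name as written in its [profile <name>] header
# Outputs:   diagnostics on stderr
# Returns:   0 if the profile is defined, 1 otherwise
#######################################
_aws_check_profile() {
  local profile=${1:-}
  # The AWS CLI and aws-vault both honor AWS_CONFIG_FILE, so look where they look.
  local config=${AWS_CONFIG_FILE:-$HOME/.aws/config}
  if [[ -z "$profile" ]]; then
    printf 'Must pass aws-vault profile name\n' >&2
    return 1
  fi
  if [[ ! -r "$config" ]]; then
    printf 'AWS config file %s not found or not readable\n' "$config" >&2
    return 1
  fi
  # -x matches the whole line and -F takes the name literally, so regex
  # metacharacters in a profile name cannot widen the match.
  # The default profile uses a bare [default] header in AWS config files.
  if [[ "$profile" == default ]] && grep -qxF -- '[default]' "$config"; then
    return 0
  fi
  if ! grep -qxF -- "[profile $profile]" "$config"; then
    printf 'Profile %s not found in aws config\n' "$profile" >&2
    return 1
  fi
}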
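#######################################
# Print `export` statements for the temporary credentials aws-vault issues
# for a profile, using an MFA code read from the YubiKey. Meant for eval.
# Globals:   YUBIKEY_PROFILE (read) - OATH account name from `ykman oath list`
# Arguments: $1 - aws-vault profile name
# Outputs:   one shell-quoted `export AWS_...=...` line per AWS_* variable on
#            stdout; diagnostics on stderr
# Returns:   0 on success; ykman's or aws-vault's exit status on failure
#######################################
_aws_vault_export() {
  local profile=${1:-}
  local token raw line
  if [[ -z "${YUBIKEY_PROFILE:-}" ]]; then
    printf 'YUBIKEY_PROFILE is not set\n' >&2
    return 1
  fi
  # Fail here if ykman cannot produce a code (key absent, wrong account name)
  # rather than handing aws-vault an empty token.
  token=$(ykman oath accounts code --single "$YUBIKEY_PROFILE") || return
  # Capture the environment first so a failing aws-vault is detected; a pipe
  # would only report the status of its last stage.
  # To keep a 12hr token instead of the default short token length, use:
  #   aws-vault exec --no-session -d 12h --mfa-token "$token" "$profile" -- env
  raw=$(aws-vault exec --mfa-token "$token" "$profile" -- env) || return
  # %q shell-quotes each NAME=value, so eval in the caller cannot be thrown
  # off by spaces or metacharacters in a value.
  while IFS= read -r line; do
    case "$line" in
      AWS*) printf 'export %q\n' "$line" ;;
    esac
  done <<<"$raw"
}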
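#######################################
# Load temporary aws-vault credentials for a profile into the current shell.
# Globals:   AWS_* session variables (cleared, then set from aws-vault output)
# Arguments: $1 - aws-vault profile name
# Outputs:   diagnostics on stderr
# Returns:   0 on success; non-zero if the profile is unknown or ykman/aws-vault fail
#######################################
aws_auth() {
  local profile=${1:-}
  local exports
  # `return $?` after a successful `[ ... ]` test would report 0; propagate
  # the check's own status instead.
  _aws_check_profile "$profile" || return
  # Clear any existing session before asking aws-vault for a new one.
  _aws_unset
  # Capture before eval so a failed export leaves the shell unauthenticated
  # and returns non-zero instead of eval'ing partial output as success.
  exports=$(_aws_vault_export "$profile") || return
  eval "$exports"
}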
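#######################################
# Log in to the AWS console with temporary aws-vault credentials for a profile.
# Globals:   YUBIKEY_PROFILE (read) - OATH account name from `ykman oath list`
# Arguments: $1 - aws-vault profile name
# Outputs:   diagnostics on stderr
# Returns:   0 on success; non-zero if the profile is unknown or ykman/aws-vault fail
#######################################
aws_login() {
  local profile=${1:-}
  local token
  # `return $?` after a successful `[ ... ]` test would report 0; propagate
  # the check's own status instead.
  _aws_check_profile "$profile" || return
  if [[ -z "${YUBIKEY_PROFILE:-}" ]]; then
    printf 'YUBIKEY_PROFILE is not set\n' >&2
    return 1
  fi
  # Fail here if ykman cannot produce a code rather than handing aws-vault
  # an empty token.
  token=$(ykman oath accounts code --single "$YUBIKEY_PROFILE") || return
  aws-vault login --mfa-token "$token" "$profile"
}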