aws-vault yubikey bash helpers
# - install the Yubico authenticator app
# - install ykman
# - setup your yubikey as a virtual MFA device in AWS, and
# - install and setup AWS vault
# - place the following in your ~/.bash_profile (or whatever the appropriate profile file is)
# - run source ~/.bash_profile or open a new shell
# load temp AWS credentials in your current shell: `aws_auth <profile>`
# login to AWS console with temp credentials: `aws_login <profile>`
# I also like to add the vault name to my shell prompt: \033[0;31m[\$AWS_VAULT]\033[0m
# get the name of the profile from the output of `ykman oath list`
# Label of the yubikey OATH account that holds the AWS MFA code.
YUBIKEY_PROFILE='REPLACE ME'
_aws_unset() {
  # Drop every credential variable a previous aws-vault session exported
  # into this shell, including the AWS_VAULT marker itself.
  unset AWS_SESSION_TOKEN AWS_VAULT AWS_SECRET_ACCESS_KEY \
    AWS_ACCESS_KEY_ID AWS_SECURITY_TOKEN
}
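_aws_check_profile() {
  # Verify that "$1" names a `[profile NAME]` section in the AWS config file.
  # Prints a diagnostic to stderr and returns 1 when no name was given, the
  # config file is unreadable, or the profile is absent.  Honors
  # AWS_CONFIG_FILE (the same override the AWS CLI and aws-vault use) and
  # falls back to ~/.aws/config.
  if [ $# -eq 0 ] || [ -z "$1" ]; then
    echo "Must pass aws-vault profile name" >&2
    return 1
  fi
  local config="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
  if [ ! -r "$config" ]; then
    echo "AWS config file $config not found" >&2
    return 1
  fi
  # -F -x: compare the literal whole line, so a profile name containing
  # regex metacharacters ('.', '*', '[') is neither mis-matched nor
  # interpreted as a pattern.
  if ! grep -qFx -- "[profile $1]" "$config"; then
    echo "Profile $1 not found in aws config" >&2
    return 1
  fi
  return 0
}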
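_aws_vault_export() {
  # Print `export AWS_*=...` lines for a fresh aws-vault session of profile
  # "$1", using a one-time code read from the yubikey as the MFA token.
  # The output is meant to be eval'd by aws_auth, so every line is passed
  # through printf %q to keep values with shell-special characters intact.
  # Returns ykman's status if the code cannot be read, 1 if it is empty,
  # otherwise aws-vault's exit status.
  local profile=$1 token line
  token=$(ykman oath accounts code --single "$YUBIKEY_PROFILE") || return
  # An empty, unquoted token would make aws-vault take the profile name as
  # the --mfa-token value and then see no profile at all; fail loudly instead.
  if [ -z "$token" ]; then
    echo "Could not read an MFA code for $YUBIKEY_PROFILE from the yubikey" >&2
    return 1
  fi
  aws-vault exec --mfa-token "$token" "$profile" -- env |
    while IFS= read -r line; do
      case $line in
        AWS*) printf 'export %q\n' "$line" ;;
      esac
    done
  # Propagate aws-vault's status rather than the (always 0) loop status.
  return "${PIPESTATUS[0]}"
  # Use this line to keep a 12hr token instead of the default short token length.
  # aws-vault exec --no-session -d 12h --mfa-token "$token" "$profile" -- env |
}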
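aws_auth() {
  # Load temporary aws-vault credentials for profile "$1" into the current
  # shell.  Returns non-zero when the profile is unknown or when the export
  # step fails (the original `return $?` after a successful `[` test always
  # returned 0).
  _aws_check_profile "$1" || return
  # Clear any previous session before asking aws-vault for a new one.
  _aws_unset
  local exports
  exports=$(_aws_vault_export "$1") || return
  # eval is required here: the exports must land in the caller's shell.
  eval "$exports"
}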
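aws_login() {
  # Login to the AWS console with temporary credentials for profile "$1",
  # using a one-time code read from the yubikey as the MFA token.  Returns
  # non-zero when the profile is unknown or no MFA code could be read (the
  # original `return $?` after a successful `[` test always returned 0).
  _aws_check_profile "$1" || return
  local token
  token=$(ykman oath accounts code --single "$YUBIKEY_PROFILE") || return
  # Never pass an empty token: unquoted, it would vanish and aws-vault would
  # read the profile name as the --mfa-token value.
  if [ -z "$token" ]; then
    echo "Could not read an MFA code for $YUBIKEY_PROFILE from the yubikey" >&2
    return 1
  fi
  aws-vault login --mfa-token "$token" "$1"
}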