aws-assume.sh

#!/bin/bash -e

#
# Use it like this:
#
# $(aws-assume.sh NameOfRole)
# With an entry in ~/.aws/config that looks something like this:
#
# [profile dev]
# region = us-west-2
# role_arn = arn:aws:iam::34234234234:role/DevAccess
# source_profile = default
#

unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

PROFILE=$1

if [ -z "$PROFILE" ]
then
  echo "Usage: $0 <role>" >&2
  exit 1
fi

ROLE=$(egrep '^role_arn' ~/.aws/config|grep $PROFILE|sed -e 's/role_arn[[:space:]]*=[[:space:]]*//')

if [ $(echo $ROLE|wc -w) -ne 1 ]
then
  echo "Couldn't match single role_arn from ~/.aws/config: $ROLE" >&2
  exit 1
fi

echo "Assuming $ROLE" >&2

CREDS=$(aws sts assume-role \
  --role-arn $ROLE \
  --role-session-name command-line \
  --query '[Credentials.SessionToken,Credentials.AccessKeyId,Credentials.SecretAccessKey]' \
  --output text)

echo export AWS_ACCESS_KEY_ID=$(echo $CREDS|awk '{print $2}')
echo export AWS_SECRET_ACCESS_KEY=$(echo $CREDS|awk '{print $3}')
echo export AWS_SESSION_TOKEN=$(echo $CREDS|awk '{print $1}')