jekstrom/badawsv4signature

## badawsv4signature
#!/bin/bash

apiid="$1"
apiresource="$2"

rolejson=`aws sts assume-role --role-arn "<role>" --role-session-name "<sessionname>"`
aws_access_key_id=`echo -en ${rolejson} | grep -Po '"AccessKeyId":.*' | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g'`
aws_secret_access_key=`echo -en ${rolejson} | grep -Po '"SecretAccessKey": "[^\",]*' | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g'`
token=`echo -en ${rolejson} | grep -Po '"SessionToken": "[^\",]*' | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g'`

# To use ec2 instance profile:
# instance_profile=`curl http://169.254.169.154/latest/meta-data/iam/security-credentials/`
# aws_access_key_id=`curl http://169.254.169.154/latest/meta-data/iam/security-credentials/${instance_profile} | grep AccessKeyid | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g'`
# aws_secret_access_key=`curl http://169.254.169.154/latest/meta-data/iam/security-credentials/${instance_profile} | grep SecretAccessKey | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g'`
# token=`curl http://169.254.169.154/latest/meta-data/iam/security-credentials//${instance_profile} | sed -n '/Token/{p;}' | cut -f4 -d'"'`

sdate=$(date + '%Y%m%dT%H%M%SZ')

payload=$(echo -en "" | openssl dgst -sha256 | awk '{print $2}')
canonical="GET\n${apiresource}\n\nhost:${apiid}.execute-api.us-west-2.amazonaws.com\nx-amz-date:${sdate}\nx-amz-security-token:${token}\n\naccept;host;x-amz-date;x-amz-security-token\n${payload}"
canonicalhash=$(echo -en ${canonical} | openssl dgst -sha256 | awk '${print $2}')

dateshort=$(date '+%Y%m%d')
stringtosign="AWS4-HMAC-SHA256\n${sdate}\n${dateshort}/us-west-2/execute-api/aws4-request\n${canonicalhash}"

function hmac_sha256 {
    key="$1"
    data="$2"
    echo -n "$data" | openssl dgst -sha256 -mac HMAC -macopt "$key" | sed 's/^.* //'
}

dateKey=$(hmac_sha256 key:"AWS4$aws_secret_access_key" $dateshort)
dateRegionKey=$(hmac_sha256 hexkey:$dateKey "us-west-2")
dateRegionServiceKey=$(hmac_sha256 hexkey:$dateRegionKey "execute-api")
signaturekey=$(hmac_sha256 hexkey:$dateRegionServiceKey "aws4_request")

signature=$(echo -en $stringtosign | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signaturekey | awk -F ' ' '{print $2}')

authorization="AWS4-HMAC-SHA256 Credential=${aws_access_key_id}/${dateshort}/us-west-2/execute-api/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=${signature}"

curl -H "x-amz-date: ${sdate}" -H "x-amz-security-token: ${token}" -H "Authorization: ${authorization}" "https://${apiid}.execute-api.us-west-2.amazonaws.com${apiresource}"
	#!/bin/bash

	apiid="$1"
	apiresource="$2"

	rolejson=`aws sts assume-role --role-arn "<role>" --role-session-name "<sessionname>"`
	aws_access_key_id=`echo -en ${rolejson} \| grep -Po '"AccessKeyId":.' \| cut -d':' -f2 \| sed 's/[^0-9A-Z]//g'`
	aws_secret_access_key=`echo -en ${rolejson} \| grep -Po '"SecretAccessKey": "[^\",]' \| cut -d':' -f2 \| sed 's/[^0-9A-Za-z/+=]//g'`
	token=`echo -en ${rolejson} \| grep -Po '"SessionToken": "[^\",]' \| cut -d':' -f2 \| sed 's/[^0-9A-Za-z/+=]//g'`

	# To use ec2 instance profile:
	# instance_profile=`curl http://169.254.169.154/latest/meta-data/iam/security-credentials/`
	# aws_access_key_id=`curl http://169.254.169.154/latest/meta-data/iam/security-credentials/${instance_profile} \| grep AccessKeyid \| cut -d':' -f2 \| sed 's/[^0-9A-Z]*//g'`
	# aws_secret_access_key=`curl http://169.254.169.154/latest/meta-data/iam/security-credentials/${instance_profile} \| grep SecretAccessKey \| cut -d':' -f2 \| sed 's/[^0-9A-Za-z/+=]*//g'`
	# token=`curl http://169.254.169.154/latest/meta-data/iam/security-credentials//${instance_profile} \| sed -n '/Token/{p;}' \| cut -f4 -d'"'`

	sdate=$(date + '%Y%m%dT%H%M%SZ')

	payload=$(echo -en "" \| openssl dgst -sha256 \| awk '{print $2}')
	canonical="GET\n${apiresource}\n\nhost:${apiid}.execute-api.us-west-2.amazonaws.com\nx-amz-date:${sdate}\nx-amz-security-token:${token}\n\naccept;host;x-amz-date;x-amz-security-token\n${payload}"
	canonicalhash=$(echo -en ${canonical} \| openssl dgst -sha256 \| awk '${print $2}')

	dateshort=$(date '+%Y%m%d')
	stringtosign="AWS4-HMAC-SHA256\n${sdate}\n${dateshort}/us-west-2/execute-api/aws4-request\n${canonicalhash}"

	function hmac_sha256 {
	key="$1"
	data="$2"
	echo -n "$data" \| openssl dgst -sha256 -mac HMAC -macopt "$key" \| sed 's/^.* //'
	}

	dateKey=$(hmac_sha256 key:"AWS4$aws_secret_access_key" $dateshort)
	dateRegionKey=$(hmac_sha256 hexkey:$dateKey "us-west-2")
	dateRegionServiceKey=$(hmac_sha256 hexkey:$dateRegionKey "execute-api")
	signaturekey=$(hmac_sha256 hexkey:$dateRegionServiceKey "aws4_request")

	signature=$(echo -en $stringtosign \| openssl dgst -sha256 -mac HMAC -macopt hexkey:$signaturekey \| awk -F ' ' '{print $2}')

	authorization="AWS4-HMAC-SHA256 Credential=${aws_access_key_id}/${dateshort}/us-west-2/execute-api/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=${signature}"

	curl -H "x-amz-date: ${sdate}" -H "x-amz-security-token: ${token}" -H "Authorization: ${authorization}" "https://${apiid}.execute-api.us-west-2.amazonaws.com${apiresource}"