This script gets the AWS credentials for a given cluster using the AWS AccountClaim name. `source` it to set your AWS environment variables.
#!/bin/bash
# Look up the AWS credentials for a cluster through its Hive AccountClaim and
# export them into the current shell; meant to be `source`d, not executed.
#
# Tracks which credentials secret was found: starts as "true" (STS secret
# with a session token) and is set to "false" when only the static
# "<account>-secret" exists.
STS_SECRET_EXISTS="true"
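#######################################
# Print the option summary to stdout.
# Globals:   none
# Arguments: none (uses $0 for the program name)
# Outputs:   one usage line followed by one line per option
# Returns:   0
#######################################
usage() {
  printf 'usage: %s [ OPTION ]\n' "$0"
  printf 'Options\n'
  # -h was accepted by the option parser but never listed here.
  printf '%s\n' \
    '-c AWS AccountClaim CR Name (AccountClaim Custom Resource Name)' \
    '-o Hive hostname' \
    '-p AWS Boto Profile, leave blank for none' \
    '-r AWS Boto Region, leave blank for default us-east-1' \
    '-h Show this help'
}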
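# getopts resumes from OPTIND; when this file is `source`d into a shell that
# already parsed options, a stale OPTIND makes the loop below skip arguments.
OPTIND=1

# This file is meant to be sourced, so a plain `exit` would close the caller's
# shell. `return N` only succeeds in a sourced script; when the file is run
# directly it fails (error silenced) and the `exit` takes over. Every failure
# site below uses that pair.
if (( $# == 0 )); then
  echo "" >&2
  echo " $0 requires an argument!" >&2
  usage
  return 1 2>/dev/null || exit 1
fi

# Only the documented options are accepted; the old option string also took
# -a and -s, which were silently ignored.
while getopts ":c:o:p:r:h" opt; do
  case "$opt" in
    c) AWS_ACCOUNT_CLAIM="$OPTARG" ;;
    o) HOST="$OPTARG" ;;
    # The AWS CLI only sees profile/region if they are exported.
    p) export AWS_DEFAULT_PROFILE="$OPTARG" ;;
    r) export AWS_DEFAULT_REGION="$OPTARG" ;;
    h)
      usage
      return 0 2>/dev/null || exit 0
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      usage
      return 1 2>/dev/null || exit 1
      ;;
    :)
      echo "$0: option -$OPTARG requires an argument" >&2
      usage
      return 1 2>/dev/null || exit 1
      ;;
  esac
done

if [[ -z "$HOST" ]]; then
  echo " You must provide a Hive hostname!" >&2
  echo "" >&2
  usage
  return 1 2>/dev/null || exit 1
fi
if [[ -z "$AWS_ACCOUNT_CLAIM" ]]; then
  echo " You must provide an AccountClaim CR name!" >&2
  echo "" >&2
  usage
  return 1 2>/dev/null || exit 1
fi

# Every name below is spliced into a command string that the remote login
# shell re-parses, so only accept what a Kubernetes object name may contain
# (lowercase alphanumerics, '-' and '.'); anything else would be interpreted
# by that shell instead of being treated as a name. The same check is applied
# to the values that come back from the cluster before they are reused.
_k8s_name_re='^[a-z0-9][a-z0-9.-]*$'
if [[ ! "$AWS_ACCOUNT_CLAIM" =~ $_k8s_name_re ]]; then
  printf 'Invalid AccountClaim CR name: %s\n' "$AWS_ACCOUNT_CLAIM" >&2
  return 1 2>/dev/null || exit 1
fi

# Exact match on the NAME column: a substring grep would also match any claim
# whose name merely contains the requested one. The \$ keep the field
# references for the remote awk instead of expanding this script's positional
# parameters (unescaped "$1" inside the double quotes did exactly that).
COMMAND="oc get accountclaims --all-namespaces --no-headers | awk -v name='$AWS_ACCOUNT_CLAIM' '\$2 == name { print \$1 }'"
CLAIM_NAMESPACE=$(ssh "$HOST" "$COMMAND")
if [[ ! "$CLAIM_NAMESPACE" =~ $_k8s_name_re ]]; then
  printf 'No unique AccountClaim named %s found via %s\n' "$AWS_ACCOUNT_CLAIM" "$HOST" >&2
  return 1 2>/dev/null || exit 1
fi
echo "Namespace: $CLAIM_NAMESPACE"

# Read the accountLink of this claim only; listing every claim in the
# namespace could return several account names.
COMMAND="oc get accountclaim '$AWS_ACCOUNT_CLAIM' -n '$CLAIM_NAMESPACE' -o json | jq -r '.spec.accountLink // empty'"
AWS_ACCOUNT_NAME=$(ssh "$HOST" "$COMMAND")
if [[ ! "$AWS_ACCOUNT_NAME" =~ $_k8s_name_re ]]; then
  printf 'AccountClaim %s has no usable spec.accountLink\n' "$AWS_ACCOUNT_CLAIM" >&2
  return 1 2>/dev/null || exit 1
fi
echo "AWS Account CR Name: $AWS_ACCOUNT_NAME"

# Prefer the STS (session-token) secret and fall back to the static one.
# Fetching the secret directly replaces the earlier list-and-grep probe.
STS_SECRET_EXISTS=true
COMMAND="oc get secret '${AWS_ACCOUNT_NAME}-sre-credentials' -n aws-account-operator -o json 2>/dev/null"
AWS_CREDENTIALS=$(ssh "$HOST" "$COMMAND")
if [[ -z "$AWS_CREDENTIALS" ]]; then
  echo "NO STS Secret for cluster $AWS_ACCOUNT_CLAIM, using credentials in $AWS_ACCOUNT_NAME-secret"
  STS_SECRET_EXISTS=false
  COMMAND="oc get secret '${AWS_ACCOUNT_NAME}-secret' -n aws-account-operator -o json"
  AWS_CREDENTIALS=$(ssh "$HOST" "$COMMAND")
fi
if [[ -z "$AWS_CREDENTIALS" ]]; then
  echo "Could not read a credentials secret for $AWS_ACCOUNT_NAME" >&2
  return 1 2>/dev/null || exit 1
fi
echo "Credentials created: $(jq -r '.metadata.creationTimestamp' <<<"$AWS_CREDENTIALS")"

# Informational only; a claim may list more than one region.
COMMAND="oc get accountclaim '$AWS_ACCOUNT_CLAIM' -n '$CLAIM_NAMESPACE' -o json | jq -r '.spec.aws.regions[].name'"
AWS_REGION=$(ssh "$HOST" "$COMMAND")
echo "AWS Region: $AWS_REGION"

# `// empty` turns a missing key into no output instead of the string "null",
# which base64 would otherwise try to decode.
AWS_ACCESS_KEY_ID=$(jq -r '.data.aws_access_key_id // empty' <<<"$AWS_CREDENTIALS" | base64 -d)
AWS_SECRET_ACCESS_KEY=$(jq -r '.data.aws_secret_access_key // empty' <<<"$AWS_CREDENTIALS" | base64 -d)
if [[ -z "$AWS_ACCESS_KEY_ID" || -z "$AWS_SECRET_ACCESS_KEY" ]]; then
  echo "Secret for $AWS_ACCOUNT_NAME is missing aws_access_key_id/aws_secret_access_key" >&2
  return 1 2>/dev/null || exit 1
fi
if [[ "$STS_SECRET_EXISTS" == true ]]; then
  AWS_SESSION_TOKEN=$(jq -r '.data.aws_session_token // empty' <<<"$AWS_CREDENTIALS" | base64 -d)
  # The token must be exported with the keys; the old code re-exported the
  # secret key here and never exported the token.
  export AWS_SESSION_TOKEN
else
  # A token left over from an earlier STS session would be paired with these
  # static keys and make every call fail.
  unset AWS_SESSION_TOKEN
fi
export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY

# Do not leave the raw secret JSON or the remote command text behind in the
# sourcing shell's variables.
unset AWS_CREDENTIALS COMMAND _k8s_name_re

echo "Authenticated to AWS as: "
aws sts get-caller-identity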