Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Miscellaneous useful scripts with AWS

List:

  • export-aws-creds.py
    • Simple script that parses the ~/.aws/credentials file and creates the export command needed for pumping your AWS creds to command line

aws-secrets-send.sh and aws-secrets-get.sh

  • Used for grabbing secrets from S3 encrypted at the object level with KMS.
  • Easy to copy + paste or include in your repo when you have to use Ec2 userdata + IAM roles to download KMS-encrypted objects from S3
  • Based on this github repo but without the built-in options to create buckets and keys. This limits the capabilities of the script in a good way.

I might add more later. We'll see.

#!/usr/bin/env bash
set -e
# aws-secrets-get
# Retrieve an encrypted secrets file from s3 and print it to stdout.
# bash aws-secrets-get.sh key-alias-ENV my-s3-bucket other/testkey2.enc
# Based on: https://github.com/promptworks/aws-secrets/blob/master/bin/aws-secrets-send
die() {
echo "$@"
exit
}
# set args
kms_alias=$1
s3_bucket=$2
s3_key=$3
[ -z "$kms_alias" ] && die "Missing KMS Alias. Usage: $0 <app>";
[ -z "$s3_bucket" ] && die "Missing s3 bucket. Usage: $1 <app>";
[ -z "$s3_key" ] && die "Missing s3 key. Usage: $2 <app>";
s3_key=$s3_key
s3_bucket=$s3_bucket
kms_alias=$kms_alias
tmp=`mktemp -d`
aws s3api get-object --bucket $s3_bucket --key $s3_key $tmp/out > /tmp/errs
aws kms decrypt --ciphertext-blob fileb://$tmp/out --output text --query Plaintext | base64 --decode
#!/usr/bin/env bash
set -e
# aws-secrets-send
# Encrypt a file using a KMS key alias, then send it to an s3 bucket.
# Based on: https://github.com/promptworks/aws-secrets/blob/master/bin/aws-secrets-send
# bash aws-secrets-send.sh super-secret-key.pem key-alias-ENV my-s3-bucket other/testkey2.enc 1
die() {
echo "$@"
exit
}
secrets_file=$1
kms_alias=$2
s3_bucket=$3
s3_key=$4
upload=$5
[ -z "$secrets_file" ] && die "Missing filename. Usage: $0 <app> <filename>";
[ -z "$kms_alias" ] && die "Missing kms_alias. Usage: $0 <app> ";
[ -z "$s3_bucket" ] && die "Missing s3_bucket. Usage: $0 <app> ";
[ -z "$s3_key" ] && die "Missing s3_key. Usage: $0 <app> ";
[ -z "$upload" ] && die "Missing upload flag. Usage: $0 <app> ";
src=$secrets_file
s3_bucket=$s3_bucket
s3_key=$s3_key
kms_alias=$kms_alias
tmp=`mktemp -d`
encrypted=$tmp/data.enc
key_id=`aws kms list-aliases --output text --query "Aliases[?AliasName=='alias/$kms_alias'].TargetKeyId | [0]"`
echo "Encrypting with KMS"
aws kms encrypt \
--key-id $key_id \
--plaintext fileb://$src \
--query CiphertextBlob \
--output text \
| base64 --decode \
> $encrypted
if [ $upload = "1" ]; then
aws s3api put-object \
--bucket $s3_bucket \
--key $s3_key \
--acl private \
--body $encrypted \
--output text \
--query 'None' \
| egrep -v '^None$' || true
echo "Uploaded to S3 at given path!"
else
echo "Encrypted but not uploaded!"
fi
rm -rf $tmp
#!/usr/bin/python2.7
# Usage with non-default profile:
# export-aws-creds.py --profile custom
# Usage (without --profile, looks for default):
# export-aws-creds.py
# Simple script that parses the ~/.aws/credentials file and creates the `export`
# command needed for pumping your AWS creds to command line.
import ConfigParser
import argparse
from os.path import expanduser
# awsconfigfile: AWS credentials file
awsconfigfile = '/.aws/credentials'
home = expanduser("~")
filename = home + awsconfigfile
# Receive the profile name from "--profile default"
parser = argparse.ArgumentParser(description='Print out the export commands.')
parser.add_argument('--profile', metavar='N', type=str, default='default',
help='profile name')
args = parser.parse_args()
aws_profile_name = str(args.profile)
config = ConfigParser.ConfigParser()
config.read(filename)
access_key = config.get(aws_profile_name, 'aws_access_key_id')
secret_key = config.get(aws_profile_name, 'aws_secret_access_key')
session_token = ''
security_token = ''
session_token_exists = config.has_option(aws_profile_name,'aws_session_token')
if session_token_exists:
session_token = config.get(aws_profile_name, 'aws_session_token')
else:
print "No session token set for profile"
security_token_exists = config.has_option(aws_profile_name,'aws_security_token')
if security_token_exists:
security_token = config.get(aws_profile_name, 'aws_security_token')
else:
print "No security token set for profile"
print ''
ak_text = 'export AWS_ACCESS_KEY_ID='
sk_text = 'export AWS_SECRET_ACCESS_KEY='
session_token_text = 'export AWS_SESSION_TOKEN='
security_token_text = 'export AWS_SECURITY_TOKEN='
print 'For speed purposes, copy and paste the following lines so you can set your environment variables in the terminal.'
print ak_text + access_key
print sk_text + secret_key
if session_token_exists:
print session_token_text + session_token
if session_token_exists:
print session_token_text + security_token
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment