@kmcquade
Created September 9, 2018 19:56
Miscellaneous useful scripts with AWS

List:

  • export-aws-creds.py
    • Simple script that parses the ~/.aws/credentials file and prints the export commands needed to load your AWS creds into the shell environment.

  • aws-secrets-send.sh and aws-secrets-get.sh
    • Used for grabbing secrets from S3 that were encrypted at the object level with KMS.
    • Easy to copy + paste or include in your repo when you have to use EC2 user data + IAM roles to download KMS-encrypted objects from S3.
    • Based on the promptworks/aws-secrets repo, but without the built-in options to create buckets and keys. This limits the capabilities of the scripts in a good way.
    • Note that KMS Encrypt accepts at most 4 KB of plaintext, so these scripts are for small secrets (private keys, tokens, .pem files), not arbitrary files.
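
The get script is meant to run on an EC2 instance under an IAM role, so that role needs exactly two permissions: read the one object and decrypt with the one key. The identity policy below is an added example for this page, not part of the gist; the bucket, object path, account ID, region and key ID are placeholders. The Resource for kms:Decrypt has to be the key ARN rather than the alias ARN, because KMS evaluates identity policies against the key itself.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyTheSecretObject",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-s3-bucket/other/testkey2.enc"
    },
    {
      "Sid": "DecryptOnlyWithTheSecretsKey",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}
```

Keep kms:Encrypt and s3:PutObject on the operator who runs the send script, never on the instance role. The KMS key policy must also allow the role to decrypt (the default key policy delegates this to IAM via its account-root statement). Remember that any process on the instance can obtain the role's credentials from the instance metadata service, so the role's permissions are effectively granted to everything running on that host.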

I might add more later. We'll see.

aws-secrets-get.sh:
#!/usr/bin/env bash
set -euo pipefail
# aws-secrets-get
# Retrieve a KMS-encrypted secrets file from S3, decrypt it and print the plaintext to stdout.
# Usage:   bash aws-secrets-get.sh <kms-alias> <s3-bucket> <s3-key>
# Example: bash aws-secrets-get.sh key-alias-ENV my-s3-bucket other/testkey2.enc
# Based on: https://github.com/promptworks/aws-secrets/blob/master/bin/aws-secrets-send
die() {
    echo "$@" >&2
    exit 1
}
usage="Usage: $0 <kms-alias> <s3-bucket> <s3-key>"
kms_alias=${1:-}
s3_bucket=${2:-}
s3_key=${3:-}
[ -n "$kms_alias" ] || die "Missing KMS alias. $usage"
[ -n "$s3_bucket" ] || die "Missing S3 bucket. $usage"
[ -n "$s3_key" ] || die "Missing S3 key. $usage"
# Private scratch directory, removed on exit even if a command fails.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Download the ciphertext. get-object prints object metadata on stdout; discard it
# instead of writing it to a predictable, world-readable path such as /tmp/errs.
aws s3api get-object --bucket "$s3_bucket" --key "$s3_key" "$tmp/out" > /dev/null
# Symmetric KMS ciphertext identifies its own key, so --key-id is optional for decrypt,
# but passing the expected alias makes the call fail if the object was encrypted under
# any other key.
aws kms decrypt \
    --key-id "alias/$kms_alias" \
    --ciphertext-blob "fileb://$tmp/out" \
    --output text \
    --query Plaintext \
    | base64 --decode

aws-secrets-send.sh:
#!/usr/bin/env bash
set -euo pipefail
# aws-secrets-send
# Encrypt a file using a KMS key alias, then optionally send it to an S3 bucket.
# Usage:   bash aws-secrets-send.sh <secrets-file> <kms-alias> <s3-bucket> <s3-key> <upload:0|1>
# Example: bash aws-secrets-send.sh super-secret-key.pem key-alias-ENV my-s3-bucket other/testkey2.enc 1
# KMS Encrypt accepts at most 4 KB of plaintext; larger files need envelope encryption.
# Based on: https://github.com/promptworks/aws-secrets/blob/master/bin/aws-secrets-send
die() {
    echo "$@" >&2
    exit 1
}
usage="Usage: $0 <secrets-file> <kms-alias> <s3-bucket> <s3-key> <upload:0|1>"
secrets_file=${1:-}
kms_alias=${2:-}
s3_bucket=${3:-}
s3_key=${4:-}
upload=${5:-}
[ -n "$secrets_file" ] || die "Missing filename. $usage"
[ -f "$secrets_file" ] || die "No such file: $secrets_file"
[ -n "$kms_alias" ] || die "Missing KMS alias. $usage"
[ -n "$s3_bucket" ] || die "Missing S3 bucket. $usage"
[ -n "$s3_key" ] || die "Missing S3 key. $usage"
[ -n "$upload" ] || die "Missing upload flag (0 or 1). $usage"
# Private scratch directory, removed on exit even if a command fails.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
encrypted=$tmp/data.enc
# KMS accepts "alias/<name>" directly as --key-id, so there is no need to resolve the
# alias to a key ID with list-aliases (which is paginated and needs kms:ListAliases).
echo "Encrypting with KMS" >&2
aws kms encrypt \
    --key-id "alias/$kms_alias" \
    --plaintext "fileb://$secrets_file" \
    --query CiphertextBlob \
    --output text \
    | base64 --decode \
    > "$encrypted"
if [ "$upload" = "1" ]; then
    aws s3api put-object \
        --bucket "$s3_bucket" \
        --key "$s3_key" \
        --acl private \
        --body "$encrypted" \
        > /dev/null
    echo "Uploaded to s3://$s3_bucket/$s3_key"
else
    # The scratch directory is removed on exit, so keep the ciphertext next to the plaintext.
    cp "$encrypted" "$secrets_file.enc"
    echo "Encrypted but not uploaded; ciphertext written to $secrets_file.enc"
fi

export-aws-creds.py:
#!/usr/bin/env python3
# Usage with non-default profile:
#   export-aws-creds.py --profile custom
# Usage (without --profile, looks for [default]):
#   export-aws-creds.py
# Parses the ~/.aws/credentials file and prints the `export` commands needed to load
# your AWS creds into the shell. Informational messages go to stderr, so the output
# can also be consumed directly:  eval "$(export-aws-creds.py --profile custom)"
import argparse
import configparser
import os
import shlex
import sys

# Honour AWS_SHARED_CREDENTIALS_FILE like the AWS SDKs do; otherwise ~/.aws/credentials.
filename = os.environ.get('AWS_SHARED_CREDENTIALS_FILE',
                          os.path.expanduser('~/.aws/credentials'))

parser = argparse.ArgumentParser(description='Print the export commands for an AWS profile.')
parser.add_argument('--profile', metavar='NAME', default='default', help='profile name')
args = parser.parse_args()
profile = args.profile

config = configparser.ConfigParser()
if not config.read(filename):
    sys.exit('Could not read credentials file: %s' % filename)
if not config.has_section(profile):
    sys.exit('No profile named %r in %s' % (profile, filename))

access_key = config.get(profile, 'aws_access_key_id')
secret_key = config.get(profile, 'aws_secret_access_key')
# Temporary (STS) credentials carry a session token; some older tools read
# AWS_SECURITY_TOKEN instead, so both are emitted when present in the profile.
session_token = config.get(profile, 'aws_session_token', fallback=None)
security_token = config.get(profile, 'aws_security_token', fallback=None)
if session_token is None:
    print('No session token set for profile', file=sys.stderr)
if security_token is None:
    print('No security token set for profile', file=sys.stderr)

print('For speed purposes, copy and paste the following lines so you can set your '
      'environment variables in the terminal.', file=sys.stderr)
# shlex.quote keeps the output safe to eval even if a value contains shell metacharacters.
print('export AWS_ACCESS_KEY_ID=' + shlex.quote(access_key))
print('export AWS_SECRET_ACCESS_KEY=' + shlex.quote(secret_key))
if session_token is not None:
    print('export AWS_SESSION_TOKEN=' + shlex.quote(session_token))
if security_token is not None:
    print('export AWS_SECURITY_TOKEN=' + shlex.quote(security_token))