@lionello
Last active May 2, 2024 17:36
Script to log into AWS with a SAML assertion. Must replace ACCOUNT number etc. before use!
#!/bin/bash
# Copyright 2024 Lionello Lunesu
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the “Software”), to deal in the
# Software without restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
# and to permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
# OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
set -e

# The assertion comes from the first argument or, when absent, from stdin.
TOKEN=$1
if [ -z "$TOKEN" ]; then
  echo "Paste SAML assertion:"
  read -r TOKEN # NOTE: limited by LINE_MAX
fi

#### UPDATE THESE TO MATCH YOUR CONFIGURATION ####
ACCOUNT=124356789012
ROLE_ARN=arn:aws:iam::$ACCOUNT:role/CHANGEME
PRINCIPAL_ARN=arn:aws:iam::$ACCOUNT:saml-provider/CHANGEME
SAML_PROFILE=saml
CREDENTIALS=~/.aws/credentials

# The sed ranges below only rewrite keys that already exist inside the
# [$SAML_PROFILE] section; fail early if the section itself is missing.
if ! grep -q "^\[$SAML_PROFILE\]" "$CREDENTIALS"; then
  echo "Profile [$SAML_PROFILE] not found in $CREDENTIALS" >&2
  exit 1
fi

# Exchange the assertion for temporary credentials. The assertion is passed as a
# command-line argument, so it is visible in the process list while the call runs.
JSON=$(aws sts assume-role-with-saml --role-arn "$ROLE_ARN" --principal-arn "$PRINCIPAL_ARN" --saml-assertion "$TOKEN")
AccessKeyId=$(echo "$JSON" | jq -r .Credentials.AccessKeyId)
SecretAccessKey=$(echo "$JSON" | jq -r .Credentials.SecretAccessKey)
SessionToken=$(echo "$JSON" | jq -r .Credentials.SessionToken)
Expiration=$(echo "$JSON" | jq -r .Credentials.Expiration)
AssumedRoleUser=$(echo "$JSON" | jq -r .AssumedRoleUser.Arn)

# Rewrite the keys inside the [$SAML_PROFILE] section in place. The "bk" suffix
# makes sed keep a backup (credentialsbk) that still contains the previous
# credentials until the next run overwrites it.
sed -ibk "/^\[$SAML_PROFILE\]/,/^\[/ s|^aws_access_key_id .*|aws_access_key_id = $AccessKeyId|" "$CREDENTIALS"
sed -ibk "/^\[$SAML_PROFILE\]/,/^\[/ s|^aws_secret_access_key .*|aws_secret_access_key = $SecretAccessKey|" "$CREDENTIALS"
sed -ibk "/^\[$SAML_PROFILE\]/,/^\[/ s|^aws_session_token .*|aws_session_token = $SessionToken|" "$CREDENTIALS"
sed -ibk "/^\[$SAML_PROFILE\]/,/^\[/ s|^aws_security_token .*|aws_security_token = $SessionToken|" "$CREDENTIALS"
sed -ibk "/^\[$SAML_PROFILE\]/,/^\[/ s|^x_principal_arn .*|x_principal_arn = $AssumedRoleUser|" "$CREDENTIALS"
sed -ibk "/^\[$SAML_PROFILE\]/,/^\[/ s|^x_security_token_expires .*|x_security_token_expires = $Expiration|" "$CREDENTIALS"

# Confirm the new credentials work by asking STS who the profile now is.
AWS_PROFILE=$SAML_PROFILE aws sts get-caller-identity
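The sed ranges in the gist only rewrite keys that are already present in the [saml] section, so a profile that lacks one of them keeps stale credentials without any error. The helper below is an added example, not part of the gist: it sets one key in a profile section of an INI-style credentials file, appending the key or creating the section when missing, and keeps the file owner-only. The function name set_profile_key and the SPK_VALUE variable are assumptions.

```shell
#!/bin/bash
# Added example (not from the gist): idempotently set KEY = VALUE inside the
# [PROFILE] section of an INI-style AWS credentials file. A missing key is
# appended to the section and a missing section is created, so nothing is
# silently left unchanged.
# Usage: set_profile_key FILE PROFILE KEY VALUE   (names are assumptions)
set_profile_key() {
  local file=$1 profile=$2 key=$3 value=$4 tmp
  # Create the file owner-only (0600) if it does not exist yet.
  [ -e "$file" ] || (umask 077 && : > "$file")
  tmp=$(mktemp)
  # The value goes in via the environment: awk -v would interpret backslash
  # escapes, and session tokens are arbitrary base64 text.
  SPK_VALUE="$value" awk -v p="$profile" -v k="$key" '
    BEGIN { v = ENVIRON["SPK_VALUE"] }
    # When the target section ends without the key having been seen, append it.
    function leave() { if (insec && !done) print k " = " v }
    /^\[.*\]$/ { leave(); insec = ($0 == "[" p "]"); if (insec) seen = 1 }
    # Rewrite the first occurrence of the key inside the section, drop duplicates.
    insec && match($0, "^[ \t]*" k "[ \t]*=") { if (!done) print k " = " v; done = 1; next }
    { print }
    END { leave(); if (!seen) { print "[" p "]"; print k " = " v } }
  ' "$file" > "$tmp"
  # Write back through the original path so its mode and owner are preserved.
  cat "$tmp" > "$file" && rm -f "$tmp"
}
```

Calling it once per key (aws_access_key_id, aws_secret_access_key, aws_session_token, and so on) replaces the six sed invocations and fails loudly on write errors under set -e.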