This script fetches the AWS credentials for a given cluster from its Hive host, looked up by the AWS AccountClaim name. `source` it (rather than executing it) so the exported `AWS_*` variables land in your current shell — and note that every child process of that shell then inherits the credentials.
#!/bin/bash
# Fetch the AWS credentials of a cluster from its Hive host (looked up by
# AccountClaim name) and export them into the current shell: this file is
# meant to be `source`d.  Needs ssh access to the Hive host with `oc` logged
# in there, plus jq, base64 and the aws CLI locally.
#
# Assume the STS ("-sre-credentials") secret exists until the lookup below
# proves otherwise.
STS_SECRET_EXISTS=true
# Print the command-line help to stdout.  $0 is whatever bash reports for
# the invocation (the script path when executed, the shell name when sourced).
# NOTE(review): the -r text promises a us-east-1 default, but nothing in this
# file sets one — confirm before relying on it.
usage() {
  printf '%s\n' \
    "usage: $0 [ OPTION ]" \
    'Options' \
    '-c AWS AccountClaim CR Name (AccountClaim Custom Resource Name)' \
    '-o Hive hostname' \
    '-p AWS Boto Profile, leave blank for none' \
    '-r AWS Boto Region leave blank for default us-east-1'
}
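# ---------------------------------------------------------------------------
# Main flow.  Everything lives in _aws_creds_main so that a failure can
# `return` rather than `exit`: this file is intended to be `source`d, and a
# bare `exit 1` on a bad option would close the operator's shell.
#
# Remote side (ssh to the -o host): `oc` must already be logged in to the
# Hive cluster.  Local side: jq, base64, aws CLI.
#
# Variables left in the caller's environment:
#   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY   exported, always
#   AWS_SESSION_TOKEN                          exported only when the STS
#                                              "<account>-sre-credentials"
#                                              secret exists; unset otherwise
#   AWS_DEFAULT_REGION                         exported only when -r was given
#   AWS_DEFAULT_PROFILE                        plain variable (not exported),
#                                              exactly as before
#   CLAIM_NAMESPACE, AWS_ACCOUNT_NAME, AWS_REGION, AWS_STS_SECRET,
#   AWS_CREDENTIALS, STS_SECRET_EXISTS         informational, not exported
# Nothing secret is printed; do not run this under `set -x`.
# ---------------------------------------------------------------------------

# Diagnostics go to stderr so a sourcing shell can still redirect stdout.
_aws_creds_err() { printf '%s\n' "$*" >&2; }

# True when $1 uses only the DNS-1123 subdomain alphabet that Kubernetes
# object names are restricted to (lower-case alphanumerics, '-' and '.').
_aws_creds_is_k8s_name() {
  [[ "$1" =~ ^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$ ]]
}

# Run a command on the Hive host.  ssh joins its arguments into ONE string
# that the remote login shell re-parses, so every argument is shell-quoted
# with %q first; otherwise shell metacharacters in an interpolated value
# (claim name, account name) would be interpreted remotely.  Returns ssh's
# exit status, i.e. the remote command's.
_aws_creds_remote() {
  local host=$1
  shift
  local cmd
  cmd=$(printf '%q ' "$@")
  ssh "$host" "$cmd"
}

# Print the base64-decoded value of .data[$2] from the Secret JSON in $1.
# Fails instead of piping jq's "null" into base64 when the key is missing.
_aws_creds_secret_field() {
  local json=$1 key=$2 encoded
  encoded=$(jq -r --arg k "$key" '.data[$k] // empty' <<<"$json") || return 1
  if [[ -z "$encoded" ]]; then
    _aws_creds_err "Secret has no data.${key} entry"
    return 1
  fi
  printf '%s' "$encoded" | base64 -d
}

_aws_creds_main() {
  # Reset OPTIND: when this file is sourced repeatedly in the same shell,
  # the previous run's OPTIND would otherwise make getopts skip options.
  local opt OPTIND=1
  AWS_ACCOUNT_CLAIM=''
  HOST=''

  if (( $# == 0 )); then
    echo ""
    echo " $0 requires an argument!"
    usage
    return 1
  fi

  # -a and -s were in the original optstring but never handled; keep
  # accepting them so existing invocations still parse, and ignore them.
  while getopts ":a:c:s:o:p:r:h" opt; do
    case "$opt" in
      c) AWS_ACCOUNT_CLAIM=$OPTARG ;;
      o) HOST=$OPTARG ;;
      p) AWS_DEFAULT_PROFILE=$OPTARG ;;
      r) AWS_DEFAULT_REGION=$OPTARG ;;
      a|s) ;;
      h)
        # Asking for help is not an error (the original reported -h as an
        # invalid option and exited 1).
        usage
        return 0
        ;;
      \?)
        echo "Invalid option: -$OPTARG" >&2
        usage
        return 1
        ;;
      :)
        echo "$0 Requires an argument" >&2
        usage
        return 1
        ;;
    esac
  done

  if [[ -z "$HOST" ]]; then
    _aws_creds_err " You must provide a Hive hostname!"
    _aws_creds_err ""
    usage >&2
    return 1
  fi
  if [[ -z "$AWS_ACCOUNT_CLAIM" ]]; then
    _aws_creds_err " You must provide an AccountClaim CR name!"
    _aws_creds_err ""
    usage >&2
    return 1
  fi
  # Both values end up on a remote command line; reject anything outside the
  # expected alphabets up front instead of relying on quoting alone.
  if ! _aws_creds_is_k8s_name "$AWS_ACCOUNT_CLAIM"; then
    _aws_creds_err "Invalid AccountClaim name: '$AWS_ACCOUNT_CLAIM'"
    return 1
  fi
  if [[ ! "$HOST" =~ ^[A-Za-z0-9][A-Za-z0-9._@:-]*$ ]]; then
    _aws_creds_err "Invalid Hive hostname: '$HOST'"
    return 1
  fi

  # Locate the claim.  An exact name match via jq replaces the original
  # `grep $NAME`, which was an unanchored substring match (claim "foo" also
  # hit "foo-bar") and could return several namespaces.
  local claims claim namespaces
  claims=$(_aws_creds_remote "$HOST" oc get accountclaims --all-namespaces -o json) || {
    _aws_creds_err "Failed to list AccountClaims on $HOST"
    return 1
  }
  namespaces=$(jq -r --arg n "$AWS_ACCOUNT_CLAIM" \
    '.items[] | select(.metadata.name == $n) | .metadata.namespace' <<<"$claims")
  if [[ -z "$namespaces" ]]; then
    _aws_creds_err "No AccountClaim named '$AWS_ACCOUNT_CLAIM' found on $HOST"
    return 1
  fi
  if [[ "$namespaces" == *$'\n'* ]]; then
    _aws_creds_err "AccountClaim '$AWS_ACCOUNT_CLAIM' exists in several namespaces:"
    _aws_creds_err "$namespaces"
    return 1
  fi
  CLAIM_NAMESPACE=$namespaces
  echo "Namespace: $CLAIM_NAMESPACE"

  # The listing already holds the full object, so no second round trip; this
  # also reads accountLink of this claim only, not of every claim in the
  # namespace as the original `.items[].spec.accountLink` did.
  claim=$(jq -c --arg n "$AWS_ACCOUNT_CLAIM" --arg ns "$CLAIM_NAMESPACE" \
    '.items[] | select(.metadata.name == $n and .metadata.namespace == $ns)' <<<"$claims")

  # accountLink names the Account CR bound to the claim; it may be empty
  # while the claim is still pending, and an empty value would have turned
  # the original secret lookup into `grep -sre-credentials`.
  AWS_ACCOUNT_NAME=$(jq -r '.spec.accountLink // empty' <<<"$claim")
  if [[ -z "$AWS_ACCOUNT_NAME" ]] || ! _aws_creds_is_k8s_name "$AWS_ACCOUNT_NAME"; then
    _aws_creds_err "AccountClaim '$AWS_ACCOUNT_CLAIM' has no usable spec.accountLink ('$AWS_ACCOUNT_NAME')"
    return 1
  fi
  echo "AWS Account CR Name: $AWS_ACCOUNT_NAME"
  # Informational only (never exported); one line per region in the claim.
  AWS_REGION=$(jq -r '.spec.aws.regions[]?.name' <<<"$claim")

  # Prefer the STS secret, fall back to the long-lived one.  The original
  # built the lookup as "... | awk '{print $1}' | grep ..." inside double
  # quotes, so $1 expanded to this script's own first argument (e.g. -c)
  # rather than awk's field, and the STS secret could never match.
  # --ignore-not-found makes absence an empty result, while a real failure
  # (ssh, oc login, RBAC) still returns non-zero and aborts instead of
  # silently falling back to the static keys.
  local secret_name="${AWS_ACCOUNT_NAME}-sre-credentials"
  AWS_STS_SECRET=$(_aws_creds_remote "$HOST" oc get secret "$secret_name" \
    -n aws-account-operator --ignore-not-found -o name) || {
    _aws_creds_err "Failed to query secrets in aws-account-operator on $HOST"
    return 1
  }
  STS_SECRET_EXISTS=true
  if [[ -z "$AWS_STS_SECRET" ]]; then
    echo "NO STS Secret for cluster $AWS_ACCOUNT_CLAIM, using credentials in $AWS_ACCOUNT_NAME-secret"
    STS_SECRET_EXISTS=false
    secret_name="${AWS_ACCOUNT_NAME}-secret"
  fi

  AWS_CREDENTIALS=$(_aws_creds_remote "$HOST" oc get secret "$secret_name" \
    -n aws-account-operator -o json) || {
    _aws_creds_err "Failed to read secret $secret_name in aws-account-operator"
    return 1
  }
  echo "Credentials created: $(jq -r '.metadata.creationTimestamp' <<<"$AWS_CREDENTIALS")"
  echo "AWS Region: $AWS_REGION"

  AWS_ACCESS_KEY_ID=$(_aws_creds_secret_field "$AWS_CREDENTIALS" aws_access_key_id) || return 1
  AWS_SECRET_ACCESS_KEY=$(_aws_creds_secret_field "$AWS_CREDENTIALS" aws_secret_access_key) || return 1
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY

  if $STS_SECRET_EXISTS; then
    AWS_SESSION_TOKEN=$(_aws_creds_secret_field "$AWS_CREDENTIALS" aws_session_token) || return 1
    # The original exported AWS_SECRET_ACCESS_KEY a second time here and
    # never exported the token, so STS credentials were incomplete downstream.
    export AWS_SESSION_TOKEN
  else
    # Static keys: make sure a token left over from an earlier STS session in
    # this shell is not sent along with keys it does not belong to.
    unset AWS_SESSION_TOKEN
  fi
  if [[ -n "${AWS_DEFAULT_REGION:-}" ]]; then
    # -r was assigned but never exported in the original, so the aws CLI
    # never saw it.
    export AWS_DEFAULT_REGION
  fi

  echo "Authenticated to AWS as: "
  aws sts get-caller-identity
}

# Dispatch: `return` keeps the caller's shell alive when sourced; `exit`
# gives a proper status when executed directly.
if [[ "${BASH_SOURCE[0]}" != "$0" ]]; then
  _aws_creds_main "$@" || return $?
else
  _aws_creds_main "$@"
  exit $?
fi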