Tool to create ephemeral awscli/boto config/credentials files holding a long-lasting (36 hour) cached MFA session and a child assumed-role profile
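#!/bin/bash
# Create ephemeral awscli/boto config and credentials files holding a
# long-lived (up to 36 hour) MFA-backed STS session, plus an optional
# profile that assumes a role from that session.
#
# Usage: <script> TOKEN [ASSUMED_ROLE_ARN [ASSUMED_ROLE_NAME]]
#   TOKEN              6 digit MFA token (required)
#   ASSUMED_ROLE_ARN   role to assume; defaults to DEFAULT_ASSUMED_ROLE_ARN
#   ASSUMED_ROLE_NAME  profile name for that role; defaults to
#                      DEFAULT_ASSUMED_ROLE_NAME, then "<account>-<role>"
#
# The only thing written to stdout is a shell `export ...` line meant to be
# eval'd by the caller; every diagnostic goes to stderr so that
# `eval "$(tool 123456)"` never executes an error message as a command.

# This only needs to be set if in your non-ephemeral AWS config you use a source profile other than "default".
# Source profile is the profile with your actual long lived API keys
SOURCE_PROFILE_NAME=
# This is the ARN of the IAM role that you want to assume by default
DEFAULT_ASSUMED_ROLE_ARN=
# This is an optional descriptive name of the IAM role that you want to assume by default
DEFAULT_ASSUMED_ROLE_NAME=
# Session duration in seconds (129600 = 36 hours)
DURATION=129600

# Files this script creates directly (the config file is appended to below)
# hold session material and must not be readable by other users.
umask 077

# Source profile selector, kept as an array so an empty value expands to
# nothing instead of an empty word.
profile_args=()
if [ -n "$SOURCE_PROFILE_NAME" ]; then
  profile_args=(--profile "$SOURCE_PROFILE_NAME")
fi

# Make sure the lookups below hit the user's real (non-ephemeral) config.
unset AWS_SHARED_CREDENTIALS_FILE
unset AWS_CONFIG_FILE
unset AWS_DEFAULT_PROFILE

# Fetch the ARN of the MFA device from the source profile
MFA_SERIAL=$(aws configure get mfa_serial "${profile_args[@]}")

token=$1             # Required argument
assumed_role_arn=$2  # Optional unless no DEFAULT_ASSUMED_ROLE_ARN is set
assumed_role_name=$3 # Optional
cred_file="$HOME/.aws/ephemeral-credentials"
config_file="$HOME/.aws/ephemeral-config"

# Print a diagnostic on stderr (stdout is reserved for the export line).
warn() {
  printf '%s\n' "$*" >&2
}

# Write one key into the ephemeral credentials/config pair.
# Arguments: passed straight through to `aws configure set`.
ephemeral_set() {
  AWS_SHARED_CREDENTIALS_FILE="$cred_file" AWS_CONFIG_FILE="$config_file" \
    aws configure set "$@"
}

if [ -z "$token" ]; then
  warn "Please pass the 6 digit MFA token as the first argument"
  exit 1
fi

if [ -z "$MFA_SERIAL" ]; then
  if [ -n "$SOURCE_PROFILE_NAME" ]; then
    warn "Unable to determine the ARN of the MFA device from profile ${SOURCE_PROFILE_NAME}"
  else
    warn "Unable to determine the ARN of the MFA device from the default profile."
  fi
  exit 1
fi

if [ -z "$assumed_role_arn" ]; then assumed_role_arn="$DEFAULT_ASSUMED_ROLE_ARN"; fi
if [ -z "$assumed_role_arn" ]; then
  warn "No assumed role ARN was passed on the command line and no DEFAULT_ASSUMED_ROLE_ARN is configured in the tool."
  warn "If you want to assume a role, either pass an ARN on the command line or set a DEFAULT_ASSUMED_ROLE_ARN in the tool"
  warn "Proceeding assuming that you don't want to assume any role"
  # No role: the session credentials themselves live in the "default" profile.
  assumed_role_name="default"
fi

if [ -z "$assumed_role_name" ]; then assumed_role_name="$DEFAULT_ASSUMED_ROLE_NAME"; fi
if [ -z "$assumed_role_name" ]; then
  # Derive "<account-id>-<role-name>" from arn:partition:iam::ACCOUNT:role/NAME
  IFS=':' read -ra arn <<< "$assumed_role_arn"
  assumed_role_name="${arn[4]}-${arn[5]#role/}"
fi

# Ensure the profile section exists in the ephemeral config. Fixed-string,
# whole-line match so the profile name is never interpreted as a regex.
mkdir -p -- "$HOME/.aws" || exit 1
if ! grep -qxF -- "[profile ${assumed_role_name}]" "$config_file" 2>/dev/null; then
  printf '[profile %s]\n' "$assumed_role_name" >> "$config_file" || exit 1
fi

# Exchange the long-lived keys + MFA token for temporary session credentials.
# With --output text the three values come back whitespace-separated on one line.
if ! sts_out=$(
  aws sts get-session-token \
    "${profile_args[@]}" \
    --serial-number "$MFA_SERIAL" \
    --token-code "$token" \
    --duration-seconds "$DURATION" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text
); then
  exit 1
fi
read -ra sts <<< "$sts_out"
if [ "${#sts[@]}" -ne 3 ]; then
  warn "Unexpected response from sts get-session-token; no credentials written"
  exit 1
fi

# Store the session credentials as the "default" profile of the ephemeral files.
ephemeral_set aws_access_key_id "${sts[0]}" --profile default || exit 1
ephemeral_set aws_secret_access_key "${sts[1]}" --profile default || exit 1
ephemeral_set aws_session_token "${sts[2]}" --profile default || exit 1

# Chain the assumed-role profile off the session profile.
if [ -n "$assumed_role_arn" ]; then
  ephemeral_set "profile.${assumed_role_name}.source_profile" default || exit 1
  ephemeral_set "profile.${assumed_role_name}.role_arn" "$assumed_role_arn" || exit 1
fi

# Emit the line the caller evals to switch its shell to the ephemeral files.
export_line="export AWS_SHARED_CREDENTIALS_FILE=\"$cred_file\" AWS_CONFIG_FILE=\"$config_file\""
if [ -n "$assumed_role_arn" ]; then
  export_line="$export_line AWS_DEFAULT_PROFILE=\"$assumed_role_name\""
  # Show the active profile in the prompt; expansion is deferred to the caller's shell.
  export_line="$export_line;PS1=\"\$PS1\${AWS_DEFAULT_PROFILE:+(\$AWS_DEFAULT_PROFILE)}\""
fi
printf '%s\n' "$export_line"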