One of our issues with AWS IAM users is that a super user has to distribute keys and can't guarantee that the user will get around to setting up their MFA. We require them to run this before granting the IAM user anything more than "Onboarding" permissions.
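#!/bin/bash
#
# Secure a freshly onboarded IAM user's profile: create a key pair only the
# user knows, register and enable a virtual MFA device, then retire the key
# the administrator handed out. Interactive; written for macOS (brew, qlmanage).
#
# Env:  WAITTIME - seconds to wait between checks for new-key propagation (default 15)
#       REGION   - default region written to the new profile (default us-east-1)
#
# Exit status: 0 on success, 2 on any failure (after rolling back what was created).
set -euo pipefail

readonly WAITTIME="${WAITTIME:-15}"
readonly REGION="${REGION:-us-east-1}"
# How many WAITTIME rounds to wait for the new key before giving up, so a key
# that never propagates does not leave the script spinning forever.
readonly MAX_SYNC_ROUNDS=8

#######################################
# Print a message to stderr and exit with status 2.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 2
}

#######################################
# Make sure a command is available, installing it with brew when it is not.
# Arguments: $1 - command name to look for, $2 - brew formula that provides it
# Returns:   0 if the command is usable; exits otherwise
#######################################
ensure_installed() {
  local tool=$1 formula=$2
  command -v "$tool" >/dev/null 2>&1 && return 0
  command -v brew >/dev/null 2>&1 \
    || die "Please install brew to your system, or manually install AWSCLI and JQ"
  printf 'Installing %s\n' "$formula"
  brew install "$formula" || die "brew install $formula failed"
}

#######################################
# Point the AWS CLI at a key pair. Environment credentials take precedence over
# any configured profile, so this is what every aws call below runs under.
# Arguments: $1 - access key id, $2 - secret access key
#######################################
use_keys() {
  export AWS_ACCESS_KEY_ID=$1
  export AWS_SECRET_ACCESS_KEY=$2
}

#######################################
# Undo a partial setup using the bootstrap keys: delete the new key pair and,
# if one was created, the virtual MFA device. Best effort - we are already on
# an error path, so failures are reported but do not stop the rollback.
# Globals read: original_access, original_secret, new_key_id, mfa
#######################################
rollback() {
  use_keys "$original_access" "$original_secret"
  if [[ -n "${new_key_id:-}" ]]; then
    aws iam delete-access-key --access-key-id "$new_key_id" \
      || printf 'warning: could not delete new access key %s, remove it manually\n' "$new_key_id" >&2
  fi
  if [[ -n "${mfa:-}" ]]; then
    aws iam delete-virtual-mfa-device --serial-number "$mfa" \
      || printf 'warning: could not delete MFA device %s, remove it manually\n' "$mfa" >&2
  fi
}

#######################################
# Write the new key pair and defaults into the named CLI profile.
# Globals read: new_key_id, new_secret, profile, REGION
# Returns:   non-zero if any configure step fails
#######################################
write_profile() {
  aws configure set aws_access_key_id "$new_key_id" --profile "$profile" \
    && aws configure set aws_secret_access_key "$new_secret" --profile "$profile" \
    && aws configure set region "$REGION" --profile "$profile" \
    && aws configure set output json --profile "$profile"
}

#######################################
# Remove the temporary directory holding the QR code; runs on every exit path.
# Globals read: tmpdir
#######################################
cleanup() {
  rm -rf -- "${tmpdir:?}"
}

printf 'This script will secure your profile in AWS, by\n'
printf ' * creating keys that only you have\n'
printf " * removing the ones that you don't\n"
printf ' * creating an Virtual MFA Device for authentication\n\n\n'

ensure_installed aws awscli
ensure_installed jq jq

# The QR code image carries the MFA seed. A private mktemp directory (mode 0700)
# keeps it away from other local users and from predictable-name races in /tmp.
tmpdir=$(mktemp -d) || die "mktemp failed"
trap cleanup EXIT
qr_png="$tmpdir/mfa.png"

# A session token left in the environment would be sent along with the static
# keys and make every IAM call fail; drop it before we start.
unset AWS_SESSION_TOKEN

read -r -p "Start by giving me your AWS ACCESS KEY ID: " original_access
read -r -s -p "Now your AWS SECRET ACCESS KEY: " original_secret  # -s: do not echo the secret
printf '\n'
[[ -n "$original_access" && -n "$original_secret" ]] || die "Keys do not appear valid"
use_keys "$original_access" "$original_secret"

# Both a failed call and an empty name mean the bootstrap keys are unusable.
if ! username=$(aws iam get-user | jq -e -r '.User.UserName') || [[ -z "$username" ]]; then
  die "Keys do not appear valid, check your keys and ask your administrators for proper permissions"
fi
printf 'Keys have been verified for user "%s"\n\n' "$username"

len=$(aws iam list-access-keys | jq -e -r '.AccessKeyMetadata|length') \
  || die "Could not list your access keys"
if [[ "$len" -ne 1 ]]; then
  die "You appear to have too many keys, please contact your administrator"
fi

read -r -p "Name this profile (one word, minimum 6 characters): " profile
if (( ${#profile} < 6 )) || [[ "$profile" == *[[:space:]]* ]]; then
  die "I said one word, 6 characters minimum"
fi

new_key=$(aws iam create-access-key | jq -e -r .AccessKey) || die "Couldn't get new keys from AWS"
new_key_id=$(printf '%s' "$new_key" | jq -e -r .AccessKeyId) || die "Couldn't read the new access key id"
new_secret=$(printf '%s' "$new_key" | jq -e -r .SecretAccessKey) || die "Couldn't read the new secret key"
printf 'New keys generated!\n\n'
use_keys "$new_key_id" "$new_secret"

printf 'Waiting for creds to sync.'
synced=0
for (( round = 0; round < MAX_SYNC_ROUNDS; round++ )); do
  # get-user is expected to fail until IAM has propagated the new key, so a
  # non-zero status here simply means "not yet".
  if new_user=$(aws iam get-user 2>/dev/null) \
     && [[ "$(printf '%s' "$new_user" | jq -r '.User.UserName')" == "$username" ]]; then
    synced=1
    break
  fi
  for (( n = 1; n < WAITTIME; n++ )); do
    sleep 1
    printf '.'
  done
done
printf '\n'
if (( ! synced )); then
  printf 'New keys did not become usable in time, rolling back\n' >&2
  rollback
  exit 2
fi

if ! write_profile; then
  printf 'Could not write the new profile to your AWS Config, rolling back\n' >&2
  rollback
  exit 2
fi
printf 'New keys are stored in your AWS Config\n\n'

# If the device was created but the serial could not be read, we cannot delete
# it later; clear mfa so rollback does not act on a bogus value.
mfa=$(aws iam create-virtual-mfa-device --virtual-mfa-device-name "$username" \
        --bootstrap-method QRCodePNG --outfile "$qr_png" \
      | jq -e -r '.VirtualMFADevice.SerialNumber') || mfa=""
if [[ -z "$mfa" || ! -f "$qr_png" ]]; then
  printf 'Problem creating Virtual MFA Device\n' >&2
  rollback
  exit 2
fi

printf 'Now I will open a QR code, scan this with an MFA device, like authy.com\n'
read -n1 -r -p "Press any key to continue..." _
printf '\n'
# qlmanage is macOS Quick Look; if it is unavailable, tell the user where the
# image is so they can open it themselves rather than aborting.
qlmanage -p "$qr_png" >/dev/null 2>&1 \
  || printf 'Could not open the QR code automatically; open %s yourself\n' "$qr_png"

printf '\n\n\nYou now should have your MFA device giving you codes, I need the next 2 6 digit numbers that come up\n'
read -n6 -r -p "Authorization code 1: " auth1
printf '\n'
read -n6 -r -p "Authorization code 2: " auth2
printf '\n'
if [[ ! "$auth1" =~ ^[0-9]{6}$ || ! "$auth2" =~ ^[0-9]{6}$ ]]; then
  printf 'Authorization codes must be two 6-digit numbers\n' >&2
  rollback
  exit 2
fi

if aws iam enable-mfa-device --serial-number "$mfa" --user-name "$username" \
     --authentication-code-1 "$auth1" --authentication-code-2 "$auth2"; then
  printf '\nMFA Device has been set up\n'
else
  printf '\nMFA Device failed to get set up\n' >&2
  rollback
  exit 2
fi

printf 'Cleaning up\n'
# Still running under the new key here; this retires the administrator-issued one.
aws iam delete-access-key --access-key-id "$original_access" \
  || die "Could not delete the original access key $original_access, remove it manually"
printf '\n\nNew credentials and MFA has been set up, all done!\n'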