newmaniese/aws_key_gen.sh

## aws_key_gen.sh
#! /bin/bash

WAITTIME=15

printf "This script will secure your profile in AWS, by\n"
printf "   * creating keys that only you have\n"
printf "   * removing the ones that you don't\n"
printf "   * creating an Virtual MFA Device for authentication\n\n\n"

has_aws_installed=$(command -v aws)
has_jq_installed=$(command -v jq)

if [ -z $has_aws_installed ]; then
    has_brew_installed=$(command -v brew)
    if [ -z $has_brew_installed ]; then
        printf "Please install brew to your system, or manually install AWSCLI and JQ\n"
        exit 2
    fi
    printf "Installing AWS CLI\n"
    brew install awscli
fi

if [ -z $has_jq_installed ]; then
    has_brew_installed=$(command -v brew)
    if [ -z $has_brew_installed ]; then
        printf "Please install brew to your system, or manually install AWSCLI and JQ\n"
        exit 2
    fi
    printf "Installing JQ\n"
    brew install jq
fi


read -r -p "Start by giving me your AWS ACCESS KEY ID: " original_access
read -r -p  "Now your AWS SECRET ACCESS KEY: " original_secret

export AWS_ACCESS_KEY_ID=$original_access
export AWS_SECRET_ACCESS_KEY=$original_secret

username=$(aws iam get-user | jq -e -r '.User.UserName')

if [ $? -ne 0 ]; then
    printf "Keys do not appear valid\n"
    exit 2
fi

if [ -n $username ]; then
    printf 'Keys have been verified for user "%s"\n\n' $username
else
    printf "Keys do not appear valid, check your keys and ask your administrators for proper permissions\n"
    exit 2
fi

len=$(aws iam list-access-keys | jq -e -r '.AccessKeyMetadata|length')

if [ $len -ne 1 ]; then
    printf "You appear to have too many keys, please contact your administrator\n"
    exit 2
fi

read -r -p "Name this profile (one word, minimum 6 characters): " profile

if [ ${#profile} -le 5 ]; then
    printf "I said 6 characters minimum\n"
    exit 2
fi

new_key=$(aws iam create-access-key | jq -e -r .AccessKey)

if [ $? -eq 0 ]; then
    printf "New keys generated!\n\n"
else
    printf "Couldn't get new keys from AWS\n"
    exit 2
fi

export AWS_ACCESS_KEY_ID=$(printf "%s" $new_key | jq -e -r .AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(printf "%s" $new_key | jq -e -r .SecretAccessKey)

printf "Waiting for creds to sync."

new_user=$(aws iam get-user 2>/dev/null)
while [ "$username" != "$(printf "%s" $new_user | jq -e -r '.User.UserName')" ]; do
    n=1
    while [ $n -lt $WAITTIME ]; do
        sleep 1
        printf "."
        n=$((n+1))
    done
    new_user=$(aws iam get-user 2>/dev/null)
done
printf "\n"

aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID --profile $profile
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY --profile $profile
aws configure set region us-east-1 --profile $profile
aws configure set output json --profile $profile

printf "New keys are stored in your AWS Config\n\n"

mfa=$(aws iam create-virtual-mfa-device --virtual-mfa-device-name $username --bootstrap-method QRCodePNG --outfile /tmp/mfa.png | jq -e -r '.VirtualMFADevice.SerialNumber')

if [ $? -ne 0 ]; then
    printf "Problem creating Virtual MFA Device\n"
    export AWS_ACCESS_KEY_ID=$original_access
    export AWS_SECRET_ACCESS_KEY=$original_secret

    aws iam delete-access-key --access-key-id $(printf "%s" $new_key | jq -e -r .AccessKeyId)
    exit 2
fi

if [ -f /tmp/mfa.png ]; then
    printf "Now I will open a QR code, scan this with an MFA device, like authy.com\n"
    read -n1 -r -p "Press any key to continue..." key

    qlmanage -p /tmp/mfa.png >& /dev/null
else
    printf "Problem generating MFA QR code\n"
    export AWS_ACCESS_KEY_ID=$original_access
    export AWS_SECRET_ACCESS_KEY=$original_secret

    aws iam delete-access-key --access-key-id $(printf "%s" $new_key | jq -e -r .AccessKeyId)
    exit 2
fi

printf "\n\n\nYou now should have your MFA device giving you codes, I need the next 2 6 digit numbers that come up\n"
read -n6 -r -p "Authorization code 1: " auth1
printf "\n"
read -n6 -r -p "Authorization code 2: " auth2

aws iam enable-mfa-device --serial-number $mfa --user-name $username --authentication-code-1 $auth1 --authentication-code-2 $auth2

if [ $? -eq 0 ]; then
    printf "\nMFA Device has been set up\n"
    rm /tmp/mfa.png
else
    printf "\nMFA Device failed to get set up\n"
    rm /tmp/mfa.png

    export AWS_ACCESS_KEY_ID=$original_access
    export AWS_SECRET_ACCESS_KEY=$original_secret

    aws iam delete-access-key --access-key-id $(printf "%s" $new_key | jq -e -r .AccessKeyId)
    aws iam delete-virtual-mfa-device --serial-number $mfa
    exit 2
fi

printf "Cleaning up\n"
aws iam delete-access-key --access-key-id $original_access

printf "\n\nNew credentials and MFA has been set up, all done!\n"
	#! /bin/bash

	WAITTIME=15

	printf "This script will secure your profile in AWS, by\n"
	printf " * creating keys that only you have\n"
	printf " * removing the ones that you don't\n"
	printf " * creating an Virtual MFA Device for authentication\n\n\n"

	has_aws_installed=$(command -v aws)
	has_jq_installed=$(command -v jq)

	if [ -z $has_aws_installed ]; then
	has_brew_installed=$(command -v brew)
	if [ -z $has_brew_installed ]; then
	printf "Please install brew to your system, or manually install AWSCLI and JQ\n"
	exit 2
	fi
	printf "Installing AWS CLI\n"
	brew install awscli
	fi

	if [ -z $has_jq_installed ]; then
	has_brew_installed=$(command -v brew)
	if [ -z $has_brew_installed ]; then
	printf "Please install brew to your system, or manually install AWSCLI and JQ\n"
	exit 2
	fi
	printf "Installing JQ\n"
	brew install jq
	fi


	read -r -p "Start by giving me your AWS ACCESS KEY ID: " original_access
	read -r -p "Now your AWS SECRET ACCESS KEY: " original_secret

	export AWS_ACCESS_KEY_ID=$original_access
	export AWS_SECRET_ACCESS_KEY=$original_secret

	username=$(aws iam get-user \| jq -e -r '.User.UserName')

	if [ $? -ne 0 ]; then
	printf "Keys do not appear valid\n"
	exit 2
	fi

	if [ -n $username ]; then
	printf 'Keys have been verified for user "%s"\n\n' $username
	else
	printf "Keys do not appear valid, check your keys and ask your administrators for proper permissions\n"
	exit 2
	fi

	len=$(aws iam list-access-keys \| jq -e -r '.AccessKeyMetadata\|length')

	if [ $len -ne 1 ]; then
	printf "You appear to have too many keys, please contact your administrator\n"
	exit 2
	fi

	read -r -p "Name this profile (one word, minimum 6 characters): " profile

	if [ ${#profile} -le 5 ]; then
	printf "I said 6 characters minimum\n"
	exit 2
	fi

	new_key=$(aws iam create-access-key \| jq -e -r .AccessKey)

	if [ $? -eq 0 ]; then
	printf "New keys generated!\n\n"
	else
	printf "Couldn't get new keys from AWS\n"
	exit 2
	fi

	export AWS_ACCESS_KEY_ID=$(printf "%s" $new_key \| jq -e -r .AccessKeyId)
	export AWS_SECRET_ACCESS_KEY=$(printf "%s" $new_key \| jq -e -r .SecretAccessKey)

	printf "Waiting for creds to sync."

	new_user=$(aws iam get-user 2>/dev/null)
	while [ "$username" != "$(printf "%s" $new_user \| jq -e -r '.User.UserName')" ]; do
	n=1
	while [ $n -lt $WAITTIME ]; do
	sleep 1
	printf "."
	n=$((n+1))
	done
	new_user=$(aws iam get-user 2>/dev/null)
	done
	printf "\n"

	aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID --profile $profile
	aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY --profile $profile
	aws configure set region us-east-1 --profile $profile
	aws configure set output json --profile $profile

	printf "New keys are stored in your AWS Config\n\n"

	mfa=$(aws iam create-virtual-mfa-device --virtual-mfa-device-name $username --bootstrap-method QRCodePNG --outfile /tmp/mfa.png \| jq -e -r '.VirtualMFADevice.SerialNumber')

	if [ $? -ne 0 ]; then
	printf "Problem creating Virtual MFA Device\n"
	export AWS_ACCESS_KEY_ID=$original_access
	export AWS_SECRET_ACCESS_KEY=$original_secret

	aws iam delete-access-key --access-key-id $(printf "%s" $new_key \| jq -e -r .AccessKeyId)
	exit 2
	fi

	if [ -f /tmp/mfa.png ]; then
	printf "Now I will open a QR code, scan this with an MFA device, like authy.com\n"
	read -n1 -r -p "Press any key to continue..." key

	qlmanage -p /tmp/mfa.png >& /dev/null
	else
	printf "Problem generating MFA QR code\n"
	export AWS_ACCESS_KEY_ID=$original_access
	export AWS_SECRET_ACCESS_KEY=$original_secret

	aws iam delete-access-key --access-key-id $(printf "%s" $new_key \| jq -e -r .AccessKeyId)
	exit 2
	fi

	printf "\n\n\nYou now should have your MFA device giving you codes, I need the next 2 6 digit numbers that come up\n"
	read -n6 -r -p "Authorization code 1: " auth1
	printf "\n"
	read -n6 -r -p "Authorization code 2: " auth2

	aws iam enable-mfa-device --serial-number $mfa --user-name $username --authentication-code-1 $auth1 --authentication-code-2 $auth2

	if [ $? -eq 0 ]; then
	printf "\nMFA Device has been set up\n"
	rm /tmp/mfa.png
	else
	printf "\nMFA Device failed to get set up\n"
	rm /tmp/mfa.png

	export AWS_ACCESS_KEY_ID=$original_access
	export AWS_SECRET_ACCESS_KEY=$original_secret

	aws iam delete-access-key --access-key-id $(printf "%s" $new_key \| jq -e -r .AccessKeyId)
	aws iam delete-virtual-mfa-device --serial-number $mfa
	exit 2
	fi

	printf "Cleaning up\n"
	aws iam delete-access-key --access-key-id $original_access

	printf "\n\nNew credentials and MFA has been set up, all done!\n"