@newmaniese
Last active March 23, 2016 18:12
One of our issues with AWS IAM users is that a super user needs to distribute keys and can't guarantee that a user will get to setting up their MFA. We force them to run this before granting the IAM user any more than "Onboarding" Permissions.
#! /bin/bash
# Onboarding script: run once with the administrator-issued access key. It
# creates an access key only the user has, registers a virtual MFA device,
# stores the new key in a named AWS CLI profile and finally deletes the
# administrator-issued key. Needs the AWS CLI and jq (installed via Homebrew if
# missing) and, for the QR code preview, macOS Quick Look (qlmanage).
set -o pipefail

WAITTIME=15                 # seconds between checks while the new key propagates
MAX_SYNC_ATTEMPTS=10        # give up (and roll back) after this many checks
MFA_DIR=$(mktemp -d)        # private (0700) directory for the QR code image
MFA_PNG="$MFA_DIR/mfa.png"
new_key_id=""               # set once the new key exists; used by rollback
mfa=""                      # serial number of the virtual MFA device, once created

printf "This script will secure your profile in AWS, by\n"
printf " * creating keys that only you have\n"
printf " * removing the ones that you don't\n"
printf " * creating a Virtual MFA Device for authentication\n\n\n"

# Install a missing tool with Homebrew, or tell the user what to install.
need_tool() {
    local tool=$1 formula=$2
    if command -v "$tool" >/dev/null 2>&1; then
        return
    fi
    if ! command -v brew >/dev/null 2>&1; then
        printf "Please install brew to your system, or manually install AWSCLI and JQ\n"
        exit 2
    fi
    printf "Installing %s\n" "$formula"
    brew install "$formula"
}
need_tool aws awscli
need_tool jq jq

# Undo everything done so far using the original key, then exit.
rollback() {
    printf "%s\n" "$1"
    export AWS_ACCESS_KEY_ID=$original_access
    export AWS_SECRET_ACCESS_KEY=$original_secret
    if [ -n "$new_key_id" ]; then
        aws iam delete-access-key --access-key-id "$new_key_id"
    fi
    if [ -n "$mfa" ]; then
        aws iam delete-virtual-mfa-device --serial-number "$mfa"
    fi
    rm -rf "$MFA_DIR"
    exit 2
}

# Prompt until the user types exactly six digits. (read -n6 returns after six
# characters and leaves the Enter keypress for the next prompt to consume.)
read_code() {
    local code
    while true; do
        read -r -p "$1" code
        if [[ "$code" =~ ^[0-9]{6}$ ]]; then
            printf "%s" "$code"
            return
        fi
        printf "Please enter exactly 6 digits\n" >&2
    done
}

read -r -p "Start by giving me your AWS ACCESS KEY ID: " original_access
read -r -s -p "Now your AWS SECRET ACCESS KEY: " original_secret   # -s: do not echo the secret
printf "\n"
export AWS_ACCESS_KEY_ID=$original_access
export AWS_SECRET_ACCESS_KEY=$original_secret

# Verify the supplied key by asking IAM who it belongs to.
username=$(aws iam get-user | jq -e -r '.User.UserName')
if [ $? -ne 0 ] || [ -z "$username" ]; then
    printf "Keys do not appear valid, check your keys and ask your administrators for proper permissions\n"
    exit 2
fi
printf 'Keys have been verified for user "%s"\n\n' "$username"

# The administrator-issued key must be the only one, so that deleting it at the
# end leaves exactly the key created here.
len=$(aws iam list-access-keys | jq -e -r '.AccessKeyMetadata|length')
if [ "${len:-0}" -ne 1 ]; then
    printf "You appear to have too many keys, please contact your administrator\n"
    exit 2
fi

read -r -p "Name this profile (one word, minimum 6 characters): " profile
if [ ${#profile} -le 5 ] || [[ "$profile" =~ [^A-Za-z0-9_-] ]]; then
    printf "I said one word, 6 characters minimum\n"
    exit 2
fi

new_key=$(aws iam create-access-key | jq -e -r .AccessKey)
if [ $? -ne 0 ]; then
    printf "Couldn't get new keys from AWS\n"
    exit 2
fi
printf "New keys generated!\n\n"
new_key_id=$(printf "%s" "$new_key" | jq -e -r .AccessKeyId)
export AWS_ACCESS_KEY_ID=$new_key_id
export AWS_SECRET_ACCESS_KEY=$(printf "%s" "$new_key" | jq -e -r .SecretAccessKey)

# IAM is eventually consistent: retry get-user with the new key until it
# answers with the same user name.
printf "Waiting for creds to sync."
attempts=0
until [ "$(aws iam get-user 2>/dev/null | jq -r '.User.UserName')" = "$username" ]; do
    attempts=$((attempts+1))
    if [ $attempts -ge $MAX_SYNC_ATTEMPTS ]; then
        rollback "New keys never became usable"
    fi
    n=1
    while [ $n -lt $WAITTIME ]; do
        sleep 1
        printf "."
        n=$((n+1))
    done
done
printf "\n"

aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID" --profile "$profile"
aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY" --profile "$profile"
aws configure set region us-east-1 --profile "$profile"
aws configure set output json --profile "$profile"
printf "New keys are stored in your AWS Config\n\n"

# Create the virtual MFA device (named after the user) and write its seed as a QR code.
mfa=$(aws iam create-virtual-mfa-device --virtual-mfa-device-name "$username" \
          --bootstrap-method QRCodePNG --outfile "$MFA_PNG" \
      | jq -e -r '.VirtualMFADevice.SerialNumber')
if [ $? -ne 0 ]; then
    mfa=""
    rollback "Problem creating Virtual MFA Device"
fi
if [ ! -f "$MFA_PNG" ]; then
    rollback "Problem generating MFA QR code"
fi
printf "Now I will open a QR code, scan this with an MFA device, like authy.com\n"
read -n1 -r -p "Press any key to continue..." key
printf "\n"
qlmanage -p "$MFA_PNG" >/dev/null 2>&1

printf "\n\n\nYou now should have your MFA device giving you codes, I need the next 2 6 digit numbers that come up\n"
auth1=$(read_code "Authorization code 1: ")
auth2=$(read_code "Authorization code 2: ")
if aws iam enable-mfa-device --serial-number "$mfa" --user-name "$username" \
       --authentication-code-1 "$auth1" --authentication-code-2 "$auth2"; then
    printf "\nMFA Device has been set up\n"
else
    rollback "MFA Device failed to get set up"
fi
rm -rf "$MFA_DIR"

# Cleanup runs with the new key: the administrator-issued key goes away.
printf "Cleaning up\n"
aws iam delete-access-key --access-key-id "$original_access"
printf "\n\nNew credentials and MFA has been set up, all done!\n"
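The description above says a new IAM user only holds "Onboarding" permissions until the script has run, but the gist does not include that permission set. What follows is an added example, not part of the gist: an inline IAM policy that allows only the calls the script makes, each scoped to the caller's own user and MFA ARNs through the `${aws:username}` policy variable, plus an administrator-side check that enrolment actually completed before wider permissions are granted. The function names, the `Onboarding` policy name and the account id `123456789012` are assumptions; the `attach` and `check` subcommands need the AWS CLI and jq with administrator credentials.

```shell
#!/bin/bash
# Added example (not part of the gist): the minimal "Onboarding" policy that
# lets a new IAM user run the onboarding script and nothing else, plus the
# check an administrator runs before granting the user real permissions.
# 123456789012 is a placeholder account id; set ACCOUNT_ID to your own.
ACCOUNT_ID=${ACCOUNT_ID:-123456789012}

# Print the policy document. Every Resource is tied to the caller's own
# user (or MFA device of the same name) via the ${aws:username} variable,
# so iam:DeleteAccessKey / iam:DeleteVirtualMFADevice cannot touch anyone
# else's credentials. The heredoc is unquoted so ACCOUNT_ID expands; the
# policy variable is escaped so the shell leaves it alone.
onboarding_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOwnKeysAndEnrolMFA",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser",
        "iam:ListAccessKeys",
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:EnableMFADevice"
      ],
      "Resource": "arn:aws:iam::${ACCOUNT_ID}:user/\${aws:username}"
    },
    {
      "Sid": "ManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::${ACCOUNT_ID}:mfa/\${aws:username}"
    }
  ]
}
EOF
}

# Attach the policy inline to a freshly created user (assumed policy name).
attach_onboarding_policy() {
    local user=$1
    aws iam put-user-policy --user-name "$user" --policy-name Onboarding \
        --policy-document "$(onboarding_policy)"
}

# Succeed only when the user has at least one MFA device and exactly one
# access key, i.e. the script ran to completion and deleted the issued key.
onboarding_complete() {
    local user=$1 mfa_count key_count
    mfa_count=$(aws iam list-mfa-devices --user-name "$user" | jq '.MFADevices | length')
    key_count=$(aws iam list-access-keys --user-name "$user" | jq '.AccessKeyMetadata | length')
    [ "${mfa_count:-0}" -ge 1 ] && [ "${key_count:-0}" -eq 1 ]
}

# Usage: ./onboarding-policy.sh print         show the policy document
#        ./onboarding-policy.sh attach USER   put it on USER as an inline policy
#        ./onboarding-policy.sh check USER    exit 0 once USER has MFA + a single key
case "${1:-}" in
    print)  onboarding_policy ;;
    attach) attach_onboarding_policy "${2:-}" ;;
    check)  onboarding_complete "${2:-}" ;;
esac
```

Run `check` before moving the user out of the onboarding group: it exits 0 only when an MFA device is registered and the sole remaining access key is the one the script created. Because the policy never grants a wildcard resource, a user who stops halfway still cannot enumerate or delete other users' keys.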