Easy session credentials for Amazon Web Services when multi-factor authentication is required.
#!/usr/bin/env python3
"""Fetch and print temporary session credentials with MFA

To use this tool first put the ARN of your MFA access token into a
file called .aws_token_id in your home directory and ensure that the
tool is on your path. Then execute the command:

    eval `aws-session`

You will be prompted to enter your current MFA token value. After this
you should be able to run AWS CLI operations even when the policy that
gives you access to the necessary functions requires MFA.

Options: -f/--token-file reads the token ID (ARN) from a different file,
-t/--token-id gives the ARN directly, and -c/--code supplies the current
code on the command line instead of at the prompt. Only the ``export``
lines are written to stdout; the prompt and any error messages go to
stderr so the output stays safe to ``eval``.
"""

# Names of the environment variables this tool clears on startup and then
# emits as ``export NAME=VALUE`` lines for the new session.
ACCESS_KEY_ID = "AWS_ACCESS_KEY_ID"
SECRET_ACCESS_KEY = "AWS_SECRET_ACCESS_KEY"
SESSION_TOKEN = "AWS_SESSION_TOKEN"
import argparse
import os
from os import environ as env
import shlex
import sys

import boto3
import botocore
# Clear out any stale session credentials from this process's environment
# before asking STS for new ones (presumably so the SDK does not pick up an
# expired session exported by an earlier run -- confirm against boto3's
# credential lookup order).
for stale_key in (ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN):
    env.pop(stale_key, None)
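def input_on_stderr(prompt):
    """Prompt on stderr and return the line the user typed.

    stdout is reserved for the ``export`` lines that the caller's shell will
    ``eval``, so the prompt must not appear there. ``input()`` writes its
    prompt to ``sys.stdout``, so stdout is temporarily pointed at stderr.

    Args:
        prompt: Text shown to the user before reading a line.

    Returns:
        The entered line without its trailing newline, as ``input()`` returns it.

    Raises:
        EOFError: propagated from ``input()`` when stdin is exhausted.
    """
    old_stdout = sys.stdout
    sys.stdout = sys.stderr
    try:
        return input(prompt)
    finally:
        # Always restore stdout, even when input() raises (EOF or Ctrl-C);
        # otherwise every later print() in this process would go to stderr.
        sys.stdout = old_stdout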
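def print_access_environment(token_serial, token_code):
    """Obtain MFA-backed session credentials from STS and print shell exports.

    Calls ``sts:GetSessionToken`` with the MFA device ARN and the current
    one-time code, then writes one ``export NAME=VALUE`` line per credential
    to stdout so the caller can ``eval`` the output. On failure the error is
    reported on stderr and nothing is written to stdout, so a failed run
    leaves the caller's shell environment untouched.

    Args:
        token_serial: ARN (or serial number) of the MFA device.
        token_code: Current code displayed by the MFA device.
    """
    client = boto3.client('sts')
    try:
        reply = client.get_session_token(SerialNumber=token_serial, TokenCode=token_code)
    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as err:
        # ClientError: STS rejected the request (e.g. a wrong or reused code).
        # BotoCoreError: local failure such as no base credentials configured.
        print(err, file=sys.stderr)
        return
    creds = reply['Credentials']
    # shlex.quote makes each line safe to eval whatever characters the value
    # holds; the variable names are fixed identifiers and need no quoting.
    for name, field in ((ACCESS_KEY_ID, 'AccessKeyId'),
                        (SECRET_ACCESS_KEY, 'SecretAccessKey'),
                        (SESSION_TOKEN, 'SessionToken')):
        print("export {}={}".format(name, shlex.quote(creds[field])))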
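def main():
    """Parse arguments, collect the MFA device ARN and code, and print exports.

    The device ARN comes from ``--token-id`` or, failing that, from the file
    named by ``--token-file`` (default ``~/.aws_token_id``). The code comes
    from ``--code`` or from an interactive prompt on stderr, so stdout only
    ever carries the ``export`` lines meant for ``eval``.

    Exits with status 1 (message on stderr) when the token file cannot be
    read or contains no ARN, instead of dying with a traceback.
    """
    parser = argparse.ArgumentParser(description='Fetch AWS session credentials with MFA')
    parser.add_argument("-f", "--token-file", metavar="FILE",
                        default="~/.aws_token_id",
                        help="File from which to read the MFA token ID (ARN)")
    parser.add_argument("-t", "--token-id", metavar="ARN",
                        help="Specify MFA token ID as an ARN")
    parser.add_argument("-c", "--code", metavar="CODE",
                        help="Provide current token code on command line")
    args = parser.parse_args()

    if args.token_id:
        token_id = args.token_id
    else:
        token_path = os.path.expanduser(args.token_file)
        try:
            # `with` closes the handle even if read() fails; the previous
            # version relied on garbage collection to close it.
            with open(token_path, "r") as token_file:
                token_id = token_file.read().strip()
        except OSError as err:
            print("Cannot read MFA token ID from {}: {}".format(token_path, err),
                  file=sys.stderr)
            sys.exit(1)
        if not token_id:
            print("MFA token ID file {} is empty".format(token_path), file=sys.stderr)
            sys.exit(1)

    if args.code:
        code = args.code
    else:
        code = input_on_stderr("Enter your current token code: ")
    print_access_environment(token_id, code)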
# Entry point when executed as a script.
if __name__=="__main__":
    main()