AWS - regenerate_mfa_profile.sh
#!/usr/bin/env bash
# Regenerate a named AWS CLI profile ("mfa" by default) with temporary STS
# credentials obtained through an MFA token code.
#
# Usage: regenerate_mfa_profile.sh [-h] [-d] TOKEN_CODE [USER_NAME] [DEFAULT_PROFILE]
# Optional env: AWS_ARN_SERIAL_NUMBER (skips the IAM lookup), AWS_PROFILE
set -eo pipefail

# Positional arguments; populated by required_arguments_given.
TOKEN_CODE=""
USER_NAME=""
DEFAULT_PROFILE=""

# Defaults.
AWS_MFA_PROFILE_NAME="mfa"
# 12 hours; sts get-session-token accepts 900 - 129600 seconds (15m - 36h).
AWS_SESSION_DURATION="43200"
AWS_REGION="eu-central-1"

# Filled in while generating the profile (ACCESS_KEY_ID/SECRET_ACCESS_KEY/
# SESSION_TOKEN hold live secrets once retrieve_credentials has run).
ACCESS_KEY_ID=""
SECRET_ACCESS_KEY=""
SESSION_TOKEN=""
ARN_SERIAL_NUMBER=""

# Options.
debug=false

usage="$(basename "$0") [-h] -- program to regenerate the aws profile for mfa
semi optional arguments are marked with *
arguments:
1) TOKEN_CODE of the arn device (required)
2)* USER_NAME to retrieve your arn serial number (optional if env variable AWS_ARN_SERIAL_NUMBER is set)
3)* DEFAULT_PROFILE to retrieve your arn serial number (optional if env variable AWS_PROFILE is set)
options:
-h show this help text
-d show debug info"

# Short flags only; everything after them is positional.
while getopts "hd" opt; do
  case "$opt" in
    h) printf '%s\n' "$usage"; exit 0 ;;
    d) debug=true ;;
    *) printf '%s\n' "$usage" >&2; exit 1 ;;
  esac
done
shift $((OPTIND - 1))
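#######################################
# Validate the positional arguments and populate the globals they drive.
# Globals:   TOKEN_CODE, USER_NAME, ARN_SERIAL_NUMBER, DEFAULT_PROFILE (written)
#            AWS_ARN_SERIAL_NUMBER, AWS_PROFILE (read; optional env fallbacks)
# Arguments: $1 - MFA token code (required)
#            $2 - IAM user name used to look up the MFA device; may be omitted
#                 when AWS_ARN_SERIAL_NUMBER is set
#            $3 - profile holding the long-lived keys; may be omitted when
#                 AWS_PROFILE is set
# Outputs:   error messages to stderr
# Returns:   0 when every value is available; exits 1 otherwise
#######################################
required_arguments_given() {
  if [[ -z "$1" ]]; then
    echo "Token Code from your MFA Device is required." >&2
    exit 1
  fi
  TOKEN_CODE="$1"

  # An explicit user name wins and triggers an IAM lookup of the serial number;
  # only without one is the environment variable used.
  if [[ -n "$2" ]]; then
    USER_NAME="$2"
  elif [[ -n "${AWS_ARN_SERIAL_NUMBER:-}" ]]; then
    ARN_SERIAL_NUMBER="$AWS_ARN_SERIAL_NUMBER"
  else
    echo "The AWS MFA serial number is required. Export it as an environment variable or supply your USER_NAME as second argument so it can be looked up." >&2
    echo "export AWS_ARN_SERIAL_NUMBER=\"<your-arn-serial-number>\"" >&2
    exit 1
  fi

  if [[ -n "$3" ]]; then
    DEFAULT_PROFILE="$3"
  elif [[ -n "${AWS_PROFILE:-}" ]]; then
    DEFAULT_PROFILE="$AWS_PROFILE"
  else
    echo "Default Profile could not be determined or was not set. You can specify the default as environment variable or supply it as third argument." >&2
    echo "export AWS_PROFILE=\"<your-aws-profile>\"" >&2
    exit 1
  fi
}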
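#######################################
# Abort unless the aws CLI can be found on PATH.
# Outputs:   error message to stderr
# Returns:   0 if found; exits 1 otherwise
#######################################
aws_cli_installed() {
  # command -v only resolves PATH entries that are executable, so the
  # separate -x test is not needed.
  if ! command -v aws >/dev/null 2>&1; then
    echo "AWS CLI is not installed" >&2
    exit 1
  fi
}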
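#######################################
# Abort unless jq can be found on PATH.
# Outputs:   error message to stderr
# Returns:   0 if found; exits 1 otherwise
#######################################
jq_installed() {
  # command -v only resolves PATH entries that are executable, so the
  # separate -x test is not needed.
  if ! command -v jq >/dev/null 2>&1; then
    echo "jq is not installed" >&2
    exit 1
  fi
}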
#######################################
# Write the temporary credentials into the named AWS CLI profile.
# Globals:   AWS_REGION (read)
# Arguments: $1 - access key id
#            $2 - secret access key
#            $3 - session token
#            $4 - name of the profile to (re)write
# Outputs:   one confirmation line on stdout
# Returns:   0
#######################################
regenerate_aws_mfa_profile() {
  local key_id=$1 secret=$2 token=$3 profile=$4
  local entry

  # Each entry is "<config key>=<value>"; the value is split off at the first
  # "=" so session tokens containing "=" survive intact.
  # NOTE(review): "aws configure set" receives the secret and token on its
  # argv and stores them in clear text in the CLI's credentials file.
  for entry in \
    "aws_access_key_id=$key_id" \
    "aws_secret_access_key=$secret" \
    "aws_session_token=$token" \
    "region=$AWS_REGION"; do
    aws configure set "${entry%%=*}" "${entry#*=}" --profile "$profile"
  done

  echo "Regenerated profile for $profile. Use --profile \"$profile\""
}
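#######################################
# Look up the serial number (ARN) of the user's first registered MFA device.
# Globals:   ARN_SERIAL_NUMBER (written)
# Arguments: $1 - IAM user name
#            $2 - profile holding the credentials used for the lookup
# Outputs:   error message to stderr on failure
# Returns:   0 on success; exits 1 when the lookup fails or no device exists
#######################################
fetch_mfa_device() {
  local user_name="$1"
  local profile="$2"
  local output

  output=$(aws iam list-mfa-devices --user-name "$user_name" --profile "$profile" --output json) || {
    echo "aws iam list-mfa-devices failed for user \"$user_name\" via profile \"$profile\"." >&2
    exit 1
  }
  ARN_SERIAL_NUMBER=$(jq --raw-output '.MFADevices[0].SerialNumber' <<<"$output")

  # With no registered device jq prints the literal string "null"; refuse it
  # here rather than handing "null" to sts get-session-token later.
  if [[ -z "$ARN_SERIAL_NUMBER" || "$ARN_SERIAL_NUMBER" == "null" ]]; then
    echo "No MFA device found for user \"$user_name\" via profile \"$profile\"." >&2
    exit 1
  fi
}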
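#######################################
# Exchange the MFA token code for temporary STS credentials.
# Globals:   ARN_SERIAL_NUMBER, TOKEN_CODE, AWS_SESSION_DURATION,
#            DEFAULT_PROFILE (read)
#            ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN (written)
# Outputs:   a progress line on stdout; error messages to stderr
# Returns:   0 on success; exits 1 when the call fails or the response is
#            missing any credential field
#######################################
retrieve_credentials() {
  local output field

  echo "Using $ARN_SERIAL_NUMBER to retrieve credentials"
  output=$(aws sts get-session-token --serial-number "$ARN_SERIAL_NUMBER" --token-code "$TOKEN_CODE" --duration-seconds "$AWS_SESSION_DURATION" --profile "$DEFAULT_PROFILE" --output json) || {
    echo "aws sts get-session-token failed" >&2
    exit 1
  }

  ACCESS_KEY_ID=$(jq --raw-output '.Credentials.AccessKeyId' <<<"$output")
  SECRET_ACCESS_KEY=$(jq --raw-output '.Credentials.SecretAccessKey' <<<"$output")
  SESSION_TOKEN=$(jq --raw-output '.Credentials.SessionToken' <<<"$output")

  # jq prints "null" for a missing field; never write such a value into a
  # profile. The raw response is deliberately not echoed: it holds the
  # secret key and session token.
  for field in "$ACCESS_KEY_ID" "$SECRET_ACCESS_KEY" "$SESSION_TOKEN"; do
    if [[ -z "$field" || "$field" == "null" ]]; then
      echo "Unexpected response from sts get-session-token: credentials incomplete" >&2
      exit 1
    fi
  done
}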
#######################################
# Entry point: check tooling, resolve arguments, then fetch and store the
# temporary credentials. With -d it prints the resolved inputs and stops
# before any STS call is made.
# Globals:   ARN_SERIAL_NUMBER, USER_NAME, DEFAULT_PROFILE, TOKEN_CODE,
#            debug, ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN,
#            AWS_MFA_PROFILE_NAME (read; written by the helpers it calls)
# Arguments: the positional arguments left after option parsing
#######################################
main() {
  aws_cli_installed
  jq_installed
  required_arguments_given "$@"

  # Only query IAM when the serial number did not come from the environment.
  [[ -n "$ARN_SERIAL_NUMBER" ]] || fetch_mfa_device "$USER_NAME" "$DEFAULT_PROFILE"

  if [[ "$debug" == true ]]; then
    printf '%s\n' \
      "TOKEN_CODE: $TOKEN_CODE" \
      "ARN_SERIAL_NUMBER: $ARN_SERIAL_NUMBER" \
      "USER_NAME: $USER_NAME" \
      "DEFAULT_PROFILE: $DEFAULT_PROFILE"
    exit 0
  fi

  retrieve_credentials
  regenerate_aws_mfa_profile "$ACCESS_KEY_ID" "$SECRET_ACCESS_KEY" "$SESSION_TOKEN" "$AWS_MFA_PROFILE_NAME"
}

main "$@"