Get EC2 Assume Role STS Creds and set them locally - useful for testing an EC2 role, or when you have SSH access to an EC2 instance but no AWS credential access
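#!/usr/bin/env bash
# Fetches AWS credentials from an EC2 IAM role and configures them locally.
# Script expects its input parameter to be a named Host in your SSH config,
# then uses that Host name as the local AWS profile name.
#
# Unset variables are errors and a failing pipeline stage fails the whole
# pipeline. -e is left off so the helper functions control their own
# error reporting and exit codes.
set -uo pipefail

# Configuration
# Check for SSH_CONFIG_FILE env var then default to the user's home dir
readonly SSH_CONFIG_FILE="${SSH_CONFIG_FILE:-$HOME/.ssh/config}"

# ANSI color codes for pretty output (literal escape sequences, expanded
# by printf '%b' at print time)
readonly YELLOW='\033[1;93m'
readonly GREEN='\033[1;92m'
readonly WHITE='\033[1;97m'
readonly RESET='\033[0m'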
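#######################################
# Print usage information and the ssh-able host aliases, then exit.
# Globals:   SSH_CONFIG_FILE, WHITE, YELLOW, RESET (read)
# Outputs:   everything goes to stderr (usage is a diagnostic, not data)
# Returns:   never; exits with status 1
#######################################
usage() {
  printf '%b\n' "\n${WHITE}Usage:${RESET} aws-assumerole <ssh-host-to-assume>" >&2
  printf '%b\n' "${WHITE}Example:${RESET} aws-assumerole dev-bastion" >&2
  printf '%b\n' "${YELLOW}Available hosts from ${SSH_CONFIG_FILE}:${RESET}" >&2
  if [[ -r "$SSH_CONFIG_FILE" ]]; then
    # A "Host" line may carry several aliases, so print every field after
    # the keyword; wildcard/negated patterns are skipped because they are
    # not names you can ssh to.
    awk 'tolower($1) == "host" {
           for (i = 2; i <= NF; i++) if ($i !~ /[*?!]/) print " " $i
         }' "$SSH_CONFIG_FILE" | LC_ALL=C sort -u >&2
  else
    printf '  (no readable SSH config at %s)\n' "$SSH_CONFIG_FILE" >&2
  fi
  exit 1
}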
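#######################################
# Quote one string for a POSIX shell ('...' with embedded quotes escaped).
# Used so the request parameters reach the remote curl unchanged instead of
# being re-parsed by the login shell that ssh hands the command to.
# Arguments: $1 - string to quote
# Outputs:   the quoted string on stdout (no trailing newline)
#######################################
_sq() {
  local s=$1
  s=${s//\'/\'\\\'\'}
  printf "'%s'" "$s"
}

#######################################
# Run curl against the EC2 instance metadata service on the remote host.
# Arguments: $1 - ssh command as one string; whitespace-split into argv
#            $2 - IMDSv2 session token (used by the default header)
#            $3 - IMDS path below /latest, e.g. /api/token
#            $4 - HTTP method, default GET
#            $5 - request header, default "X-aws-ec2-metadata-token: $2"
# Outputs:   the response body on stdout (empty when the request fails)
# Returns:   the ssh/curl exit status
#######################################
run_curl() {
  local ssh_cmd=$1
  local token=$2
  local url=$3
  local method="${4:-GET}"
  local header="${5:-X-aws-ec2-metadata-token: $token}"
  local -a ssh_argv
  # The caller passes e.g. "ssh -F file host" as a single string.
  read -r -a ssh_argv <<<"$ssh_cmd"
  # -f: an HTTP error yields empty output instead of an HTML error page;
  # --max-time: never hang on an unreachable IMDS. Redirects are not
  # followed; IMDS does not issue them.
  local remote
  remote="curl -sf --max-time 10 -X $(_sq "$method") -H $(_sq "$header") $(_sq "http://169.254.169.254/latest${url}")"
  local response rc=0
  response=$("${ssh_argv[@]}" "$remote") || rc=$?
  printf '%s\n' "$response"
  return "$rc"
}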
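#######################################
# Fetch the instance-profile credentials from IMDSv2 over ssh and store them
# in a local AWS CLI profile.
# Globals:   YELLOW, WHITE, GREEN, RESET (read)
# Arguments: $1 - ssh command string, passed through to run_curl
#            $2 - name of the local AWS profile to write
# Outputs:   progress dots and a summary on stdout, errors on stderr
# Returns:   0 when the profile was written, 1 otherwise
#######################################
fetch_aws_credentials() {
  local SSH_CMD="$1"
  local PROFILE="$2"
  # The session token only has to outlive the handful of requests below.
  local -r token_ttl=60
  local token role creds_json access_key secret_key session_token expiration az region v

  printf '%b' "\n${YELLOW}Fetching AWS credentials for $PROFILE${RESET} ."
  token=$(run_curl "$SSH_CMD" "" "/api/token" "PUT" "X-aws-ec2-metadata-token-ttl-seconds: $token_ttl")
  if [[ -z "$token" ]]; then
    printf '\n%s\n' "error: no IMDSv2 token from $PROFILE (IMDS unreachable or disabled?)" >&2
    return 1
  fi
  printf '.'

  role=$(run_curl "$SSH_CMD" "$token" "/meta-data/iam/security-credentials/")
  role=${role%%$'\n'*}  # the listing is one name per line; use the first
  if [[ -z "$role" ]]; then
    printf '\n%s\n' "error: no IAM role is attached to $PROFILE" >&2
    return 1
  fi
  printf '.'

  creds_json=$(run_curl "$SSH_CMD" "$token" "/meta-data/iam/security-credentials/$role/")
  printf '.'
  # IMDS reports failures in-band; refuse to write anything that is not a
  # complete, successful credential document (the original wrote "null").
  if [[ "$(printf '%s' "$creds_json" | jq -r '.Code')" != "Success" ]]; then
    printf '\n%s\n' "error: IMDS returned no usable credentials for role $role" >&2
    return 1
  fi
  access_key=$(printf '%s' "$creds_json" | jq -r '.AccessKeyId')
  secret_key=$(printf '%s' "$creds_json" | jq -r '.SecretAccessKey')
  session_token=$(printf '%s' "$creds_json" | jq -r '.Token')
  expiration=$(printf '%s' "$creds_json" | jq -r '.Expiration')
  for v in "$access_key" "$secret_key" "$session_token"; do
    if [[ -z "$v" || "$v" == "null" ]]; then
      printf '\n%s\n' "error: credential document for role $role is incomplete" >&2
      return 1
    fi
  done

  az=$(run_curl "$SSH_CMD" "$token" "/meta-data/placement/availability-zone")
  region=$(run_curl "$SSH_CMD" "$token" "/meta-data/placement/region")
  # Fallback when the region endpoint is unavailable: drop the AZ letter.
  # Only correct for standard AZ names such as us-east-1a.
  [[ -n "$region" ]] || region="${az%?}"
  printf '.\n'

  printf '%b\n' \
    " ${WHITE}AWS_IAM_ROLE:${RESET} $role" \
    " ${WHITE}AWS_REGION:${RESET} $region" \
    " ${WHITE}AWS_AZ:${RESET} $az" \
    " ${WHITE}EXPIRATION:${RESET} $expiration"

  # aws configure stores these in plaintext under ~/.aws; they stop working
  # at EXPIRATION but are not removed automatically.
  if ! {
    aws configure set aws_access_key_id "$access_key" --profile "$PROFILE" &&
      aws configure set aws_secret_access_key "$secret_key" --profile "$PROFILE" &&
      aws configure set aws_session_token "$session_token" --profile "$PROFILE" &&
      aws configure set region "$region" --profile "$PROFILE"
  }; then
    printf '%s\n' "error: aws configure failed for profile $PROFILE" >&2
    return 1
  fi
  printf '%b\n' "${GREEN}AWS credentials configured for $PROFILE.${RESET}"
}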
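#######################################
# Verify the local tools this script needs are on PATH.
# ssh runs the remote curl, jq parses the IMDS JSON, aws writes the profile.
# Outputs:   the list of missing tools on stderr
# Returns:   never on failure (exits 1); 0 when all tools are present
#######################################
check_dependencies() {
  local -a required=(ssh jq aws)
  local -a missing=()
  local tool
  for tool in "${required[@]}"; do
    command -v "$tool" >/dev/null 2>&1 || missing+=("$tool")
  done
  if (( ${#missing[@]} > 0 )); then
    printf '%s\n' "The following required dependencies are missing:" >&2
    printf '  - %s\n' "${missing[@]}" >&2
    exit 1
  fi
}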
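#######################################
# Entry point: validate the host alias, build the ssh command and write the
# profile named after the alias.
# Globals:   SSH_CONFIG_FILE (read)
# Arguments: $1 - Host alias from the SSH config
# Returns:   never; exits 0 on success, 1 on failure
#######################################
main() {
  check_dependencies
  [[ $# -eq 1 ]] || usage
  local host=$1
  # run_curl whitespace-splits the command string, so the alias must be a
  # single word, and it must not be mistaken for an ssh option.
  if [[ -z "$host" || "$host" == -* || "$host" == *[[:space:]]* ]]; then
    printf '%s\n' "error: invalid ssh host alias '$host'" >&2
    usage
  fi
  # NOTE: for the same reason an SSH_CONFIG_FILE path containing whitespace
  # is not supported by this command-string interface.
  local SSH_CMD="ssh -F $SSH_CONFIG_FILE $host"
  if fetch_aws_credentials "$SSH_CMD" "$host"; then
    exit 0
  fi
  exit 1
}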
# Run the script; all top-level logic lives in main().
main "$@"