Get EC2 assume-role STS credentials and set them locally - useful for testing an EC2 role, or when you have SSH access to an EC2 instance but no AWS credential access
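#!/usr/bin/env bash
# aws-assumerole: fetch the temporary credentials of an EC2 instance's IAM
# role over SSH (read from IMDSv2 on the instance) and store them in a local
# AWS CLI profile named after the SSH host.
#
# Usage: aws-assumerole <ssh-host>
#        <ssh-host> must be a Host entry in the SSH config; it is also used
#        as the `--profile` name given to `aws configure set`.
# Environment:
#   SSH_CONFIG_FILE - ssh config to use; defaults to $HOME/.ssh/config
#   HOME            - only used for that default
# Note: the credentials written to the profile are the role's temporary STS
# credentials; they expire and the profile has to be refreshed by rerunning
# the script.
#
# Abort on unset variables, failed commands and failed pipeline stages so a
# failed ssh/curl step cannot silently fall through to `aws configure set`.
set -euo pipefail
# Check for SSH_CONFIG_FILE env var, then default to the user's home dir.
readonly SSH_CONFIG_FILE="${SSH_CONFIG_FILE:-$HOME/.ssh/config}"
# ANSI colour codes, stored as literal escape sequences and expanded only
# when printed.
readonly YELLOW='\033[1;93m'
readonly GREEN='\033[1;92m'
readonly WHITE='\033[1;97m'
readonly RESET='\033[0m'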
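#######################################
# Print usage and the Host aliases found in the SSH config, then exit 1.
# Globals:   SSH_CONFIG_FILE (read), WHITE/YELLOW/RESET (read)
# Arguments: none
# Outputs:   usage text and host list on stderr
# Returns:   never; exits 1
#######################################
usage() {
  printf '\n%bUsage:%b aws-assumerole <ssh-host-to-assume>\n' "$WHITE" "$RESET" >&2
  printf '%bExample:%b aws-assumerole dev-bastion\n' "$WHITE" "$RESET" >&2
  printf '%bAvailable hosts from %s:%b\n' "$YELLOW" "$SSH_CONFIG_FILE" "$RESET" >&2
  # Only lines whose first word is the Host keyword count (ssh matches the
  # keyword case-insensitively); every alias on such a line is listed and the
  # list is de-duplicated. A plain 'Host ' grep would also match comments.
  if [[ -r "$SSH_CONFIG_FILE" ]]; then
    awk 'tolower($1) == "host" { for (i = 2; i <= NF; i++) print " " $i }' "$SSH_CONFIG_FILE" \
      | sort -u >&2
  fi
  exit 1
}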
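#######################################
# Run curl on the remote instance (through the ssh command prefix) against
# the instance metadata service and print the response body.
# Globals:   none
# Arguments: $1 - ssh command prefix, e.g. "ssh -F /path/config host"; it is
#                 word-split on purpose, so it cannot carry paths with spaces
#            $2 - IMDSv2 session token (may be empty when $5 is given)
#            $3 - path under http://169.254.169.254/latest, leading slash included
#            $4 - HTTP method, default GET
#            $5 - request header, default the IMDSv2 token header built from $2
# Outputs:   response body on stdout
# Returns:   exit status of the remote command; curl -f turns HTTP errors
#            (e.g. 404 when no role is attached) into a non-zero status with
#            an empty body instead of printing the error page as if it were data
#######################################
run_curl() {
  local ssh_cmd=$1
  local token=$2
  local path=$3
  local method="${4:-GET}"
  local header="${5:-X-aws-ec2-metadata-token: $token}"
  local body rc=0
  # shellcheck disable=SC2086 -- $ssh_cmd is a command line that must split
  body=$($ssh_cmd "curl -sfL --connect-timeout 5 -X $method -H \"$header\" http://169.254.169.254/latest$path") || rc=$?
  printf '%s\n' "$body"
  return "$rc"
}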
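# Report a failed fetch step on stderr (on a fresh line, after the progress dots).
_fetch_error() {
  printf '\nerror: %s\n' "$1" >&2
}

#######################################
# Fetch the instance role's temporary credentials from IMDSv2 over ssh and
# store them in a local AWS CLI profile.
# Globals:   YELLOW/WHITE/GREEN/RESET (read)
# Arguments: $1 - ssh command prefix handed to run_curl
#            $2 - local AWS CLI profile name to write (the SSH host name)
# Outputs:   progress dots and a summary on stdout; errors on stderr
# Returns:   0 when every `aws configure set` succeeds; 1 when any IMDS step
#            yields no usable value or the CLI write fails
# Note:      `aws configure set` stores the key, secret and session token in
#            the CLI credentials file (plaintext). They are STS temporary
#            credentials and stop working at the printed Expiration.
#######################################
fetch_aws_credentials() {
  local SSH_CMD="$1"
  local PROFILE="$2"
  local token role creds_json access_key secret_key session_token az region expiration

  printf '\n%bFetching AWS credentials for %s%b .' "$YELLOW" "$PROFILE" "$RESET"
  # IMDSv2 only: every metadata read needs a session token obtained with PUT.
  token=$(run_curl "$SSH_CMD" "" "/api/token" "PUT" "X-aws-ec2-metadata-token-ttl-seconds: 21600") || token=""
  [[ -n "$token" ]] || { _fetch_error "could not obtain an IMDSv2 token from $PROFILE"; return 1; }
  printf '.'
  # The listing names the role attached through the instance profile.
  role=$(run_curl "$SSH_CMD" "$token" "/meta-data/iam/security-credentials/") || role=""
  [[ -n "$role" ]] || { _fetch_error "no IAM role is attached to $PROFILE"; return 1; }
  printf '.'
  creds_json=$(run_curl "$SSH_CMD" "$token" "/meta-data/iam/security-credentials/$role/") || creds_json=""
  printf '.'
  # jq -e exits non-zero when the field is null/missing or the body is not
  # JSON, so an error page can never be written into the profile as "null".
  access_key=$(jq -er '.AccessKeyId' <<<"$creds_json") \
    || { _fetch_error "credentials for role $role are missing AccessKeyId"; return 1; }
  secret_key=$(jq -er '.SecretAccessKey' <<<"$creds_json") \
    || { _fetch_error "credentials for role $role are missing SecretAccessKey"; return 1; }
  session_token=$(jq -er '.Token' <<<"$creds_json") \
    || { _fetch_error "credentials for role $role are missing Token"; return 1; }
  expiration=$(jq -r '.Expiration // empty' <<<"$creds_json") || expiration=""
  az=$(run_curl "$SSH_CMD" "$token" "/meta-data/placement/availability-zone") || az=""
  # Prefer the region endpoint: dropping the AZ's last letter is wrong for
  # Local Zone / Wavelength AZs such as us-west-2-lax-1a. Older instances may
  # lack the endpoint, so fall back to the strip unless the reply is
  # region-shaped (also rejects any non-region body such as an error page).
  region=$(run_curl "$SSH_CMD" "$token" "/meta-data/placement/region") || region=""
  [[ "$region" =~ ^[a-z]{2}(-[a-z]+)+-[0-9]+$ ]] || region="${az%?}"
  printf '.\n'
  printf ' %bAWS_IAM_ROLE:%b %s\n' "$WHITE" "$RESET" "$role"
  printf ' %bAWS_REGION:%b %s\n' "$WHITE" "$RESET" "$region"
  printf ' %bAWS_AZ:%b %s\n' "$WHITE" "$RESET" "$az"
  if [[ -n "$expiration" ]]; then
    printf ' %bEXPIRES:%b %s\n' "$WHITE" "$RESET" "$expiration"
  fi
  if ! { aws configure set aws_access_key_id "$access_key" --profile "$PROFILE" &&
         aws configure set aws_secret_access_key "$secret_key" --profile "$PROFILE" &&
         aws configure set aws_session_token "$session_token" --profile "$PROFILE" &&
         aws configure set region "$region" --profile "$PROFILE"; }; then
    _fetch_error "aws configure set failed for profile $PROFILE"
    return 1
  fi
  printf '%bAWS credentials configured for %s.%b\n' "$GREEN" "$PROFILE" "$RESET"
}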
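#######################################
# Verify that the required tools are on PATH; exit 1 listing any missing.
# Globals:   none
# Arguments: tool names to check; with no arguments the script's own local
#            requirements are checked: jq, aws and ssh (curl only has to
#            exist on the remote instance)
# Outputs:   the list of missing tools on stderr
# Returns:   0 when every tool is found; exits 1 otherwise
#######################################
check_dependencies() {
  local -a required missing=()
  local tool
  if (( $# > 0 )); then
    required=("$@")
  else
    required=(jq aws ssh)
  fi
  for tool in "${required[@]}"; do
    command -v "$tool" >/dev/null 2>&1 || missing+=("$tool")
  done
  if (( ${#missing[@]} > 0 )); then
    printf 'The following required dependencies are missing:\n' >&2
    printf ' - %s\n' "${missing[@]}" >&2
    exit 1
  fi
}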
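#######################################
# Entry point: check tools, validate the argument, fetch and store credentials.
# Globals:   SSH_CONFIG_FILE (read)
# Arguments: $1 - Host alias from SSH_CONFIG_FILE; also the AWS profile name
# Returns:   never; exits 0 on success, 1 otherwise
#######################################
main() {
  check_dependencies
  (( $# == 1 )) || usage
  # The host doubles as the `--profile` value, so an option-looking argument
  # is rejected rather than passed on to ssh and the AWS CLI.
  [[ "$1" == -* ]] && usage
  # Kept as one string on purpose: run_curl word-splits it into the ssh argv,
  # which also means SSH_CONFIG_FILE must not contain whitespace. The `--`
  # stops ssh from ever treating the host as an option.
  local ssh_cmd="ssh -F $SSH_CONFIG_FILE -- $1"
  if fetch_aws_credentials "$ssh_cmd" "$1"; then
    exit 0
  fi
  exit 1
}
main "$@"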