Created
April 23, 2017 18:28
-
-
Save rymir/36862bcb94b1302a4d94b3d7935d5125 to your computer and use it in GitHub Desktop.
A simple helper script to generate dynamic AWS credentials using vault, authenticating using LDAP
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # This script: | |
| # - Authorises a user against vault using LDAP | |
| # - Generates AWS Access keys | |
| # - Sets AWS Access key environment variables in all known formats | |
| # - Writes ~/.aws/credentials | |
| # | |
| export VAULT_ADDR="https://YOUR_VAULT_HOSTNAME:8200" | |
| export VAULT_CAPATH="/tmp/internal-ca.pem" | |
| export LDAP_USERNAME=`whoami` | |
| cat << EOF > $VAULT_CAPATH | |
| <<INSERT CA CONTENTS HERE>> | |
| EOF | |
| which vault 2>&1 >> /dev/null | |
| if [ $? -ne 0 ] | |
| then | |
| echo "ERROR: vault command not in PATH" | |
| echo "Recommend installing vault via homebrew." | |
| exit 1 | |
| fi | |
| VAULT_MINIMUM_VERSION='0.3.1' | |
| VAULT_VERSION=`vault -v | cut -d v -f 2` | |
| VAULT_VERSION_INTEGER=`echo $VAULT_VERSION | sed 's/\.//g'` | |
| VAULT_MINIMUM_VERSION_INTEGER=`echo $VAULT_MINIMUM_VERSION | sed 's/\.//g'` | |
| if [ ! $VAULT_VERSION_INTEGER -ge $VAULT_MINIMUM_VERSION_INTEGER ] | |
| then | |
| echo "ERROR: The minimum required verison of vault is $VAULT_MINIMUM_VERSION but the installed version is $VAULT_VERSION" | |
| echo "Try:" | |
| echo "brew update && brew upgrade vault" | |
| exit 1 | |
| fi | |
| ROLENAME="engineering" | |
| if [ $# -eq 1 ] | |
| then | |
| ROLENAME=$1 | |
| fi | |
| echo "AWS Credential Generation" | |
| echo -n "LDAP Password (Hidden): " | |
| vault auth -method=ldap username=$LDAP_USERNAME > /tmp/vault_auth | |
| AUTH_STATUS=$? | |
| echo "" | |
| echo "" | |
| VAULT_TOKEN="`cat /tmp/vault_auth | grep 'token:' | awk '{print $2}'`" | |
| cat /tmp/vault_auth | |
| rm /tmp/vault_auth | |
| if [ $AUTH_STATUS -eq 0 ] | |
| then | |
| vault read aws/creds/$ROLENAME > /tmp/creds | |
| echo "" | |
| cat /tmp/creds | |
| echo "" | |
| echo "Exporting environment variables...." | |
| export aws_access_key_id="`cat /tmp/creds | grep access_key | awk '{print $2}'`" | |
| export aws_secret_access_key="`cat /tmp/creds | grep secret_key | awk '{print $2}'`" | |
| export AWS_ACCESS_KEY_ID=$aws_access_key_id | |
| export AWS_SECRET_ACCESS_KEY=$aws_secret_access_key | |
| export AWS_ACCESS_KEY=$aws_access_key_id | |
| export AWS_SECRET_KEY=$aws_secret_access_key | |
| if [ ! -d ~/.aws ] | |
| then | |
| mkdir ~/.aws | |
| fi | |
| echo "Writing ~/.aws/credentials...." | |
| echo "Done!" | |
| cat << EOF > ~/.aws/credentials | |
| [default] | |
| aws_access_key_id=$AWS_ACCESS_KEY_ID | |
| aws_secret_access_key=$AWS_SECRET_ACCESS_KEY | |
| access_key=$AWS_ACCESS_KEY_ID | |
| secret_key=$AWS_SECRET_ACCESS_KEY | |
| EOF | |
| rm /tmp/creds | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment