#!/usr/bin/env bash
# This uses MFA devices to get temporary (eg 12 hour) credentials. Requires
# a TTY for user input.
#
# The MFA code is read interactively further down, so refuse to run at all
# when stdin is not a terminal (cron, piped input, CI) instead of hanging.
if ! [[ -t 0 ]]; then
  printf '%s\n' 'Must be on a tty' >&2
  exit 255
fi
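# Work out which IAM user we are from the caller ARN. Only an ARN of the form
# arn:aws:iam::<account>:user/<path>/<name> matches the pattern below, so an
# assumed-role identity (which cannot own an IAM MFA device) aborts here.
identity=$(aws sts get-caller-identity --profile mattr)
username=$(printf '%s\n' "$identity" | sed -n 's!.*"arn:aws:iam::.*:user/\(.*\)".*!\1!p')
# IAM users may carry a path in their ARN (user/some/path/NAME), while
# list-mfa-devices wants the bare user name: keep only the last component.
username=${username##*/}
if [[ -z "$username" ]]; then
  echo "Can not identify who you are. Looking for a line like
arn:aws:iam::.....:user/FOO_BAR
but did not find one in the output of
aws sts get-caller-identity
$identity" >&2
  exit 255
fi
echo "You are: $username" >&2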
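# Find the serial number of the user's MFA device. The output lists one
# "SerialNumber" per registered device; a user can have more than one, in which
# case the old code passed all of them (newline-joined) to --serial-number.
# Use the first and say so.
mfa=$(aws iam list-mfa-devices --user-name "$username" --profile mattr)
serials=$(printf '%s\n' "$mfa" | sed -n 's!.*"SerialNumber": "\(.*\)".*!\1!p')
device=${serials%%$'\n'*}
if [[ -z "$device" ]]; then
  # The flag really is --user-name (the message used to say --username).
  echo "Can not find any MFA device for you. Looking for a SerialNumber
but did not find one in the output of
aws iam list-mfa-devices --user-name \"$username\"
$mfa" >&2
  exit 255
fi
if [[ "$serials" == *$'\n'* ]]; then
  echo "Several MFA devices are registered; using the first one" >&2
fi
echo "Your MFA device is: $device" >&2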
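# Ask for the current MFA code and trade it for a session token. The code has
# to go on the aws(1) command line (briefly visible in ps); the CLI offers no
# stdin alternative, and the code is short-lived, so that is tolerable.
printf '%s' "Enter your MATTR GLOBAL MFA code now: " >&2
# -r: a backslash typed by accident must not be interpreted by read.
read -r code
# STS TokenCode is defined as a fixed-length 6-digit string (STS API
# reference); reject anything else locally instead of burning a round trip
# and getting a generic validation error back.
if ! [[ "$code" =~ ^[0-9]{6}$ ]]; then
  echo "MFA code must be exactly 6 digits" >&2
  exit 255
fi
tokens=$(aws sts get-session-token --serial-number "$device" --token-code "$code" --profile mattr)
secret=$(printf '%s\n' "$tokens" | sed -n 's!.*"SecretAccessKey": "\(.*\)".*!\1!p')
session=$(printf '%s\n' "$tokens" | sed -n 's!.*"SessionToken": "\(.*\)".*!\1!p')
access=$(printf '%s\n' "$tokens" | sed -n 's!.*"AccessKeyId": "\(.*\)".*!\1!p')
expire=$(printf '%s\n' "$tokens" | sed -n 's!.*"Expiration": "\(.*\)".*!\1!p')
# On failure $tokens holds the CLI's error text, not secrets, so it is safe to
# show it to the user.
if [[ -z "$secret" || -z "$session" || -z "$access" ]]; then
  echo "Unable to get temporary credentials. Could not find secret/access/session entries
$tokens" >&2
  exit 255
fi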
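# Remove the sections this script wrote on a previous run so they are not
# duplicated when new ones are appended. A section runs from its "[...]" header
# to the next blank line (or end of file), which is how this script lays them
# out. The patterns are anchored to header lines on purpose: the previous
# /mfa/ and /profile/ addresses matched those words anywhere on a line, so an
# unrelated section whose name, key or base64 session token happened to
# contain "mfa" or "profile" was deleted from that line onwards.
cred_file="$HOME/.aws/credentials"
# GNU sed takes -i with no argument; BSD/macOS sed needs an explicit (empty)
# backup suffix.
if [[ "$(uname -s)" == "Linux" ]]; then
  sed_inplace=(sed -i)
else
  sed_inplace=(sed -i '')
fi
echo 'Removing old mfa setting'
if [[ -f "$cred_file" ]]; then
  "${sed_inplace[@]}" '/^\[[^]]*mfa[^]]*]/,/^$/d' "$cred_file"
fi
echo 'Removing old SSO platform setting'
if [[ -f "$cred_file" ]]; then
  "${sed_inplace[@]}" '/^\[profile /,/^$/d' "$cred_file"
fi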
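echo 'Push new mfa token, key, id to credentials'
# NOTE(review): these three lines print live secrets to stdout, where they end
# up in terminal scrollback and in anything capturing the script's output. They
# are kept because callers may paste them into their environment; drop them if
# nobody does.
echo "AWS_SESSION_TOKEN=$session"
echo "AWS_SECRET_ACCESS_KEY=$secret"
echo "AWS_ACCESS_KEY_ID=$access"
cred_file="$HOME/.aws/credentials"
# Create the file owner-only before secrets go in: ">>" on a missing file
# would create it with the default umask, and an existing world-readable file
# is tightened to the 0600 the AWS CLI itself uses.
mkdir -p "${cred_file%/*}"
( umask 077; : >> "$cred_file" )
chmod 600 "$cred_file"
# Quoted on purpose: an unquoted [mattr-mfa] is a glob pattern and would be
# replaced by a matching one-character file name from the current directory.
{
  echo "[mattr-mfa]"
  echo "aws_session_token=$session"
  echo "aws_secret_access_key=$secret"
  echo "aws_access_key_id=$access"
} >> "$cred_file"
echo "Keys valid until $expire" >&2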
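# Collect SSO profile names from "[profile NAME-services]" and
# "[profile NAME-kms]" headers in ~/.aws/config. Names are word-split into the
# arrays, so they must not contain whitespace (true for any usable profile
# name). Unlike the previous grep -o '... .*-services', the name must end at
# the closing bracket, so "foo-services-extra" is no longer truncated to
# "foo-services".
SERVICES_SSO_PROFILES_ARRAY=( $(sed -n 's/^\[profile \([^]]*-services\)].*/\1/p' ~/.aws/config) )
KMS_SSO_PROFILES_ARRAY=( $(sed -n 's/^\[profile \([^]]*-kms\)].*/\1/p' ~/.aws/config) )
ALL_SSO_PROFILES=( "${SERVICES_SSO_PROFILES_ARRAY[@]}" "${KMS_SSO_PROFILES_ARRAY[@]}" )
if (( ${#ALL_SSO_PROFILES[@]} == 0 )); then
  echo "No SSO services profiles in ~/.aws/config"
  exit 0
fi
# The rest of the script assumes one browser login caches an access token that
# serves every profile on the same start URL, so any profile will do for the
# login. Previously this always used the first *-services profile, which is an
# empty string when only *-kms profiles exist and made the login fail.
echo "Login to your FIRST SSO account using web browser"
sleep 2
if ! aws sso login --profile "${ALL_SSO_PROFILES[0]}"; then
  echo "aws sso login failed; not writing SSO credentials" >&2
  exit 255
fi
echo "Credentials cached"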
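# Pull the SSO access token the login just cached. Cache entries are keyed by
# start URL and several may exist (stale ones from earlier logins), so keep the
# one that expires last; expiresAt is stored as an ISO-8601 UTC string, so a
# lexical sort is chronological (verify if your CLI writes another format).
# The previous grep|cut|jq pipeline concatenated the token of every matching
# file, which breaks --access-token as soon as there is more than one.
# stderr is silenced because an unmatched glob makes jq complain about a
# literal "*.json" path; the empty result is handled right below.
SSO_ACCESS_TOKEN=$(
  jq -rs '
    map(select(.startUrl != null and (.startUrl | test("mattrglobal\\.awsapps\\.com/start"))))
    | sort_by(.expiresAt) | last | .accessToken // empty
  ' "$HOME"/.aws/sso/cache/*.json 2>/dev/null
)
if [[ -z "$SSO_ACCESS_TOKEN" ]]; then
  echo "No cached SSO access token for mattrglobal.awsapps.com/start found in ~/.aws/sso/cache" >&2
  exit 255
fi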
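# Look up KEY in the "[profile PROFILE]" section of an AWS config file.
# Arguments: $1 profile name; $2 key name (e.g. sso_account_id);
#            $3 config file (default $HOME/.aws/config).
# Outputs:   the value with surrounding whitespace removed, or nothing when the
#            section or key is absent. Always returns 0.
# The section header is compared exactly. The previous `grep "$PROFILE" -A4`
# treated the profile name as a regex, matched any other profile containing it
# as a substring, and could not see keys more than four lines below the header.
config_value() {
  local want="[profile $1]" key=$2 file=${3:-$HOME/.aws/config}
  awk -v want="$want" -v key="$key" '
    /^[ \t]*\[/ {
      hdr = $0
      sub(/^[ \t]+/, "", hdr); sub(/[ \t]+$/, "", hdr)
      in_section = (hdr == want)
      next
    }
    in_section {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line ~ ("^" key "[ \t]*=")) {
        sub(/^[^=]*=[ \t]*/, "", line)
        sub(/[ \t]+$/, "", line)
        print line
        exit
      }
    }
  ' "$file"
}

# Fetch temporary keys for PROFILE's SSO role and append them as a section of
# $HOME/.aws/credentials.
# Arguments: $1 profile name (as listed in ~/.aws/config)
# Globals:   SSO_ACCESS_TOKEN (read) — the cached SSO access token
# Returns:   0 when a section was written; 1 (with a warning on stderr and
#            nothing written) when the profile is incomplete or the call fails.
#            The old loop wrote empty or "null" values in that case.
write_sso_profile() {
  local profile=$1 cred_file="$HOME/.aws/credentials"
  local account_id role_name region creds session_token access_key_id secret_access_key
  account_id=$(config_value "$profile" sso_account_id)
  role_name=$(config_value "$profile" sso_role_name)
  # sso_region is where the profile's Identity Center instance lives; when the
  # profile does not set it, keep the region this script has always used.
  region=$(config_value "$profile" sso_region)
  region=${region:-ap-southeast-2}
  if [[ -z "$account_id" || -z "$role_name" ]]; then
    echo "Skipping $profile: sso_account_id/sso_role_name not found in ~/.aws/config" >&2
    return 1
  fi
  # The access token has to go on the command line (visible in ps while the
  # call runs); the CLI has no stdin or environment alternative for it.
  if ! creds=$(aws sso get-role-credentials \
      --region "$region" \
      --role-name "$role_name" \
      --account-id "$account_id" \
      --access-token "$SSO_ACCESS_TOKEN"); then
    echo "Skipping $profile: aws sso get-role-credentials failed" >&2
    return 1
  fi
  # -r prints raw strings (no tr -d '"' needed); "// empty" turns a missing
  # field into "" instead of the word null.
  session_token=$(printf '%s' "$creds" | jq -r '.roleCredentials.sessionToken // empty')
  access_key_id=$(printf '%s' "$creds" | jq -r '.roleCredentials.accessKeyId // empty')
  secret_access_key=$(printf '%s' "$creds" | jq -r '.roleCredentials.secretAccessKey // empty')
  if [[ -z "$session_token" || -z "$access_key_id" || -z "$secret_access_key" ]]; then
    echo "Skipping $profile: roleCredentials missing from get-role-credentials output" >&2
    return 1
  fi
  # NOTE(review): AWS documents credentials-file sections as "[NAME]"; the
  # "profile " prefix belongs to ~/.aws/config. It is kept here because the
  # cleanup step earlier in this script finds old sections by that prefix;
  # confirm the CLI really reads these keys for --profile NAME before relying
  # on them rather than on the SSO cache.
  {
    echo ""
    echo "[profile $profile]"
    echo "aws_session_token=$session_token"
    echo "aws_secret_access_key=$secret_access_key"
    echo "aws_access_key_id=$access_key_id"
  } >> "$cred_file"
}

# Services profiles first, then KMS ones — the same order as before, in one
# loop instead of two identical copies. A failing profile is reported and
# skipped; the others are still written.
failures=0
for SSO_PROFILE in "${SERVICES_SSO_PROFILES_ARRAY[@]}" "${KMS_SSO_PROFILES_ARRAY[@]}"; do
  write_sso_profile "$SSO_PROFILE" || failures=$((failures + 1))
done
if [[ "$failures" -gt 0 ]]; then
  echo "$failures SSO profile(s) were not written; see warnings above" >&2
fi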