skehlet/aws-role

## aws-role
#!/bin/bash
#
# Wrapper for any AWS-related command using aws that handles the 1 hour MFA token.
#
# Create an aws-role.config.json file in the same directory as this script that looks like:
# {
#     "spoke-account": {
#         "profile": "hub",
#         "region": "us-west-2",
#         "mfa_arn": "<your-mfa-arn>",
#         "role_arn": "<your-assume-role-ARN>"
#     }
# }
#
# Also update your ~/.aws/config and ~/.aws/credentials with a "hub" profile:
#
# ~/.aws/config:
# [profile hub]
# region = us-west-2
#
# ~/.aws/credentials:
# [hub]
# aws_access_key_id = <your-hub-access-key-id>
# aws_secret_access_key = <your-hub-secret-access-key>
#
# You can either run this script and provide the account name as the first argument,
# or you can make a symlink using the account name to this script.
#
set -e

unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
unset AWS_DEFAULT_REGION
unset AWS_DEFAULT_OUTPUT
unset AWS_PROFILE
unset AWS_CA_BUNDLE
unset AWS_SHARED_CREDENTIALS_FILE
unset AWS_CONFIG_FILE

my_name=$(basename $0)
if [[ $my_name != "aws-role" ]]; then
    account=$my_name
else
    account=$1
    shift
fi

config=$(dirname $0)/aws-role.config.json
env_var_cache=~/.aws/.aws-role.env.${account}

if ! aws_profile=$(jq -r ".\"${account}\".profile" < $config) \
    || ! aws_default_region=$(jq -r ".\"${account}\".region" < $config) \
    || ! mfa_arn=$(jq -r ".\"${account}\".mfa_arn" < $config) \
    || ! role_arn=$(jq -r ".\"${account}\".role_arn" < $config)
then
    echo "Missing or incomplete config for account $account. Please update your $config"
    exit 1
fi

file_age() {
    case "$(uname)" in
    Darwin) stat -t %s -f %m -- "$1" 2>/dev/null ;;
    Linux) date +%s -r "$1" 2>/dev/null ;;
    *) echo "unknown platform"; exit 1 ;;
    esac
}

if [[ $(( $(file_age $env_var_cache) + 3540)) -lt $(date +%s) ]]; then
    tmpfile=$(mktemp)
    trap 'rm -f $tmpfile' EXIT

    read -p "MFA code: " code

    env \
        AWS_PROFILE=$aws_profile \
        AWS_DEFAULT_REGION=$aws_default_region \
        aws sts get-session-token --serial-number "$mfa_arn" --token-code "$code" > $tmpfile
    aws_access_key_id=$(jq -r '.Credentials.AccessKeyId' < $tmpfile)
    aws_secret_access_key=$(jq -r '.Credentials.SecretAccessKey' < $tmpfile)
    aws_session_token=$(jq -r '.Credentials.SessionToken' < $tmpfile)

    env \
        AWS_ACCESS_KEY_ID=$aws_access_key_id \
        AWS_SECRET_ACCESS_KEY=$aws_secret_access_key \
        AWS_SESSION_TOKEN=$aws_session_token \
        aws sts assume-role --role-arn $role_arn --role-session-name $(date +%s) > $tmpfile
    aws_access_key_id=$(jq -r '.Credentials.AccessKeyId' < $tmpfile)
    aws_secret_access_key=$(jq -r '.Credentials.SecretAccessKey' < $tmpfile)
    aws_session_token=$(jq -r '.Credentials.SessionToken' < $tmpfile)

    cat > $env_var_cache <<EOF
export AWS_ACCESS_KEY_ID=$aws_access_key_id
export AWS_SECRET_ACCESS_KEY=$aws_secret_access_key
export AWS_SESSION_TOKEN=$aws_session_token
EOF
fi

source $env_var_cache

exec "$@"
	#!/bin/bash
	#
	# Wrapper for any AWS-related command using aws that handles the 1 hour MFA token.
	#
	# Create an aws-role.config.json file in the same directory as this script that looks like:
	# {
	# "spoke-account": {
	# "profile": "hub",
	# "region": "us-west-2",
	# "mfa_arn": "<your-mfa-arn>",
	# "role_arn": "<your-assume-role-ARN>"
	# }
	# }
	#
	# Also update your ~/.aws/config and ~/.aws/credentials with a "hub" profile:
	#
	# ~/.aws/config:
	# [profile hub]
	# region = us-west-2
	#
	# ~/.aws/credentials:
	# [hub]
	# aws_access_key_id = <your-hub-access-key-id>
	# aws_secret_access_key = <your-hub-secret-access-key>
	#
	# You can either run this script and provide the account name as the first argument,
	# or you can make a symlink using the account name to this script.
	#
	set -e

	unset AWS_ACCESS_KEY_ID
	unset AWS_SECRET_ACCESS_KEY
	unset AWS_SESSION_TOKEN
	unset AWS_DEFAULT_REGION
	unset AWS_DEFAULT_OUTPUT
	unset AWS_PROFILE
	unset AWS_CA_BUNDLE
	unset AWS_SHARED_CREDENTIALS_FILE
	unset AWS_CONFIG_FILE

	my_name=$(basename $0)
	if [[ $my_name != "aws-role" ]]; then
	account=$my_name
	else
	account=$1
	shift
	fi

	config=$(dirname $0)/aws-role.config.json
	env_var_cache=~/.aws/.aws-role.env.${account}

	if ! aws_profile=$(jq -r ".\"${account}\".profile" < $config) \
	\|\| ! aws_default_region=$(jq -r ".\"${account}\".region" < $config) \
	\|\| ! mfa_arn=$(jq -r ".\"${account}\".mfa_arn" < $config) \
	\|\| ! role_arn=$(jq -r ".\"${account}\".role_arn" < $config)
	then
	echo "Missing or incomplete config for account $account. Please update your $config"
	exit 1
	fi

	file_age() {
	case "$(uname)" in
	Darwin) stat -t %s -f %m -- "$1" 2>/dev/null ;;
	Linux) date +%s -r "$1" 2>/dev/null ;;
	*) echo "unknown platform"; exit 1 ;;
	esac
	}

	if [[ $(( $(file_age $env_var_cache) + 3540)) -lt $(date +%s) ]]; then
	tmpfile=$(mktemp)
	trap 'rm -f $tmpfile' EXIT

	read -p "MFA code: " code

	env \
	AWS_PROFILE=$aws_profile \
	AWS_DEFAULT_REGION=$aws_default_region \
	aws sts get-session-token --serial-number "$mfa_arn" --token-code "$code" > $tmpfile
	aws_access_key_id=$(jq -r '.Credentials.AccessKeyId' < $tmpfile)
	aws_secret_access_key=$(jq -r '.Credentials.SecretAccessKey' < $tmpfile)
	aws_session_token=$(jq -r '.Credentials.SessionToken' < $tmpfile)

	env \
	AWS_ACCESS_KEY_ID=$aws_access_key_id \
	AWS_SECRET_ACCESS_KEY=$aws_secret_access_key \
	AWS_SESSION_TOKEN=$aws_session_token \
	aws sts assume-role --role-arn $role_arn --role-session-name $(date +%s) > $tmpfile
	aws_access_key_id=$(jq -r '.Credentials.AccessKeyId' < $tmpfile)
	aws_secret_access_key=$(jq -r '.Credentials.SecretAccessKey' < $tmpfile)
	aws_session_token=$(jq -r '.Credentials.SessionToken' < $tmpfile)

	cat > $env_var_cache <<EOF
	export AWS_ACCESS_KEY_ID=$aws_access_key_id
	export AWS_SECRET_ACCESS_KEY=$aws_secret_access_key
	export AWS_SESSION_TOKEN=$aws_session_token
	EOF
	fi

	source $env_var_cache

	exec "$@"