Last active
June 24, 2019 13:53
-
-
Save sprak3000/dc263d8b02abbaecaa2f8321b4b87a01 to your computer and use it in GitHub Desktop.
aws-vault yubikey fish shell helpers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is a conversion of the helpers for bash for use in fish shell. | |
| # You can find the original bash code available at https://gist.github.com/chtorr/0ecc8fca27a4c5e186c636c262cc4757 | |
| # | |
| # You can either: | |
| # A. Place the entire block below into ~/.config/fish/config.fish | |
| # B. Place the YUBIKEY_PROFILE line into ~/.config/fish/config.fish and place the individual functions into files | |
| # (recommended). | |
| # e.g., ~/.config/fish/functions/_aws_unset.fish contains the body of the _aws_unset function below. | |
| # - install the Yubico authenticator app | |
| # - install ykman | |
| # - setup your yubikey as a virtual MFA device in AWS, and | |
| # - install and setup AWS vault | |
| # - place the following in your ~/.bash_profile (or whatever the appropriate profile file is) | |
| # - run source ~/.bash_profile or open a new shell | |
| # load temp AWS credentials in your current shell: `aws_auth <profile>` | |
| # login to AWS console with temp credentials: `aws_login <profile` | |
| # I also like to add the vault name to my shell prompt: \033[0;31m[\$AWS_VAULT]\033[0m | |
| # get the name of the profile from the output of `ykman oath list` | |
| set --universal YUBIKEY_PROFILE "REPLACE ME" | |
| function _aws_unset | |
| set --erase AWS_SESSION_TOKEN | |
| set --erase AWS_VAULT | |
| set --erase AWS_SECRET_ACCESS_KEY | |
| set --erase AWS_ACCESS_KEY_ID | |
| set --erase AWS_SECURITY_TOKEN | |
| end | |
| function _aws_check_profile --argument-names 'profilename' | |
| if test -z "$profilename" | |
| echo "Must pass aws-vault profile name" | |
| return 1 | |
| end | |
| grep -qw "^\[profile $profilename\]\$" < ~/.aws/config | |
| if test $status -gt 0 | |
| echo "Profile $profilename not found in aws config" | |
| return 1 | |
| end | |
| end | |
| function _aws_vault_export --argument-names 'profilename' | |
| aws-vault exec $profilename --session-ttl=12h -m (ykman oath code --single "$YUBIKEY_PROFILE" | awk '{print $NF}') -- env | grep "^AWS" | sed -e 's/^/set --global --export\ /' | sed -e 's/=/ /' | |
| end | |
| function aws_auth --argument-names 'profilename' | |
| _aws_check_profile $profilename | |
| if test $status -gt 0 | |
| return $status | |
| end | |
| _aws_unset | |
| for i in (_aws_vault_export $profilename) | |
| eval $i | |
| end | |
| end | |
| function aws_login --argument-names 'profilename' | |
| _aws_check_profile $profilename | |
| if test $status -gt 0 | |
| return $status | |
| end | |
| aws-vault login $profilename -t (ykman oath code --single "$YUBIKEY_PROFILE" | awk '{print $NF}') | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment