@sprak3000
Last active June 24, 2019 13:53
aws-vault yubikey fish shell helpers
# This is a conversion of the helpers for bash for use in fish shell.
# You can find the original bash code available at https://gist.github.com/chtorr/0ecc8fca27a4c5e186c636c262cc4757
#
# You can either:
# A. Place the entire block below into ~/.config/fish/config.fish
# B. Place the YUBIKEY_PROFILE line into ~/.config/fish/config.fish and place the individual functions into files
# (recommended).
# e.g., ~/.config/fish/functions/_aws_unset.fish contains the body of the _aws_unset function below.
# - install the Yubico authenticator app
# - install ykman
# - set up your yubikey as a virtual MFA device in AWS
# - install and set up AWS vault
# - place the following in your ~/.bash_profile (or whatever the appropriate profile file is; for fish, ~/.config/fish/config.fish as described above)
# - run source ~/.bash_profile (or the profile file you used) or open a new shell
# load temp AWS credentials in your current shell: `aws_auth <profile>`
# login to AWS console with temp credentials: `aws_login <profile>`
# I also like to add the vault name to my shell prompt: \033[0;31m[\$AWS_VAULT]\033[0m
# get the name of the profile from the output of `ykman oath list`
# OATH account name handed to `ykman oath code`; the helper functions read it as $YUBIKEY_PROFILE.
# -U is the short form of --universal.
set -U YUBIKEY_PROFILE 'REPLACE ME'
# Erase the AWS credential and session variables from the current shell.
# Takes no arguments; the variables are erased in the same order as before.
function _aws_unset
    for aws_var in AWS_SESSION_TOKEN AWS_VAULT AWS_SECRET_ACCESS_KEY AWS_ACCESS_KEY_ID AWS_SECURITY_TOKEN
        set --erase $aws_var
    end
end
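# Check that a profile name was supplied and that ~/.aws/config declares it.
# Arguments: profilename - the name as written after "profile " in the section header
# Outputs:   the reason for a rejection, on stderr
# Returns:   0 when a matching section header exists, 1 otherwise
function _aws_check_profile --argument-names 'profilename'
    if test -z "$profilename"
        echo "Must pass aws-vault profile name" >&2
        return 1
    end

    # Match the whole line as a fixed string. The name is caller-supplied and must
    # not be read as a regular expression: with a pattern match, "a.b" would also
    # accept a section called "aXb".
    if grep -qxF -- "[profile $profilename]" ~/.aws/config
        return 0
    end

    # The AWS config format writes the default profile as a bare [default] header.
    if test "$profilename" = default; and grep -qxF -- "[default]" ~/.aws/config
        return 0
    end

    echo "Profile $profilename not found in aws config" >&2
    return 1
end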
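# Print one "set --global --export NAME VALUE" line for every AWS* variable that
# `aws-vault exec ... -- env` reports for the given profile.
# Globals:   YUBIKEY_PROFILE (read) - account name passed to `ykman oath code`
# Arguments: profilename - aws-vault profile to open a session for
# Outputs:   the generated lines on stdout; a failure reason on stderr
# Returns:   1 without calling aws-vault when ykman yields no code, otherwise the
#            status of the final pipeline stage
# NOTE(review): values are printed verbatim and unquoted, so a consumer should
# parse these lines rather than hand them to eval.
function _aws_vault_export --argument-names 'profilename'
    # Read the one-time code first. If ykman fails, an inline command substitution
    # would expand to nothing and leave -m without its value.
    set --local mfa_code (ykman oath code --single "$YUBIKEY_PROFILE" | awk '{print $NF}')
    if test -z "$mfa_code"
        echo "Could not read an MFA code for '$YUBIKEY_PROFILE' from ykman" >&2
        return 1
    end

    # Keep only AWS* entries, then turn NAME=VALUE into a fish `set` line; only the
    # first "=" is replaced, so "=" characters inside the value survive.
    aws-vault exec $profilename --session-ttl=12h -m $mfa_code -- env \
        | grep "^AWS" \
        | sed -e 's/^/set --global --export /' -e 's/=/ /'
end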
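# Load temporary AWS credentials for an aws-vault profile into the current shell.
# Arguments: profilename - aws-vault profile name
# Outputs:   a failure reason on stderr
# Returns:   1 when the profile check fails or no credentials were imported
# The variables are set with --global --export, so every process started from
# this shell inherits them until _aws_unset erases them.
function aws_auth --argument-names 'profilename'
    # Return straight from the failed check. Inside an `if test $status -gt 0`
    # body, $status already holds the result of `test` itself (0), so a
    # `return $status` there reports success for a rejected profile.
    _aws_check_profile $profilename; or return 1

    # Erase the previous session's variables before asking aws-vault for new ones.
    _aws_unset

    set --local imported no
    for line in (_aws_vault_export $profilename)
        # Parse each line instead of eval-ing it: the value comes from the process
        # environment and must never be executed as fish code. Only names starting
        # with AWS are accepted; lines with an empty value are skipped.
        set --local fields (string match --regex -- '^set --global --export (AWS[A-Za-z0-9_]*) (.+)$' "$line")
        if test (count $fields) -eq 3
            set --global --export $fields[2] $fields[3]
            set imported yes
        end
    end

    if test $imported = no
        echo "No AWS credentials were returned for profile $profilename" >&2
        return 1
    end
end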
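# Open the AWS console for an aws-vault profile via `aws-vault login`.
# Globals:   YUBIKEY_PROFILE (read) - account name passed to `ykman oath code`
# Arguments: profilename - aws-vault profile name
# Outputs:   a failure reason on stderr
# Returns:   1 when the profile check fails or ykman yields no code, otherwise
#            the status of `aws-vault login`
function aws_login --argument-names 'profilename'
    # Return straight from the failed check. Inside an `if test $status -gt 0`
    # body, $status already holds the result of `test` itself (0), so a
    # `return $status` there reports success for a rejected profile.
    _aws_check_profile $profilename; or return 1

    # Read the one-time code first so a ykman failure stops here instead of
    # leaving -t without its value.
    set --local mfa_code (ykman oath code --single "$YUBIKEY_PROFILE" | awk '{print $NF}')
    if test -z "$mfa_code"
        echo "Could not read an MFA code for '$YUBIKEY_PROFILE' from ykman" >&2
        return 1
    end

    aws-vault login $profilename -t $mfa_code
end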