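#!/usr/bin/env bash
#
# Acquire short-lived AWS credentials for an IAM role (MFA required) and
# either print them (-p) or store them as the aws-cli default profile.
# Run with -h for usage and background.  Requires the aws command-line tools.
#
# -e: abort on unhandled failures; -u: unset variables are errors;
# pipefail: a failing "aws ..." stage in a pipeline is no longer masked by a
# succeeding cut/awk stage, so bad credentials fail loudly instead of
# yielding an empty value.
set -euo pipefail

# Name of the aws-cli profile holding the long-lived IAM user key/secret
# that is used to call sts; never assigned anywhere else in the script.
readonly PROFILE=iam-user
# Set to 1 by -p: print the session credentials instead of storing them.
PRINT_ONLY=0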
#######################################
# Print the one-screen usage summary to stdout.
# Arguments: none (uses $0 for the script name)
# Outputs:   usage text, one line per option
#######################################
usage() {
  local script=$0
  printf '%s\n' \
    "Usage: $script [-l | -h | -s | [-p] role mfa-token]" \
    "role role name to acquire session token for" \
    "mfa-token MFA token value" \
    "-p print, don't store, session token" \
    "-l list all AWS roles" \
    "-s setup" \
    "-h help"
}
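#######################################
# Print the long-form help: what the script does, how profiles are used,
# and worked examples.  Fixes the original "CAT" typo (the function failed
# with "command not found" under set -e) and makes the set-up example show
# the real profile name used by setup().
# Globals:   PROFILE (read)
# Arguments: none (uses $0 for the script name)
# Outputs:   help text to stdout
#######################################
help() {
  cat <<EOF
Acquire a session token from AWS for a particular role. Roles
give fine-grained, short-lived, access to resources. This script
obtains a session token and, by default, stores as the default
set of AWS credentials to be used by aws command-line tools.
The session token can also be displayed and not stored (-p)
for use elsewhere from AWS command-line tools.
Profiles
--------
Multiple profiles with different credentials can be stored for use
by the AWS command-line tools. IAM user credentials are set-up (see
below) and stored in the profile "$PROFILE". When session tokens
are obtained, they're stored in the default profile, which means
they are used by default by the AWS command-line tools.
Set-up
------
Session tokens are obtained using an IAM user's access key and
secret, which are long-lived, and stored in the non-default
profile of "$PROFILE" in the aws command-line tools credential store.
Run with -s option first to configure IAM access key and secret
which will be used to obtain session tokens.
EXAMPLES
========
Set-up
------
\$ $0 -s
Setting up profile $PROFILE. You should provide an access key
and secret for an IAM user with rights to assume roles.
WARNING: This will replace any keys already configured for the
credential profile $PROFILE.
Access key: 12345
Access key secret: 123123213891273918798137928
Credentials saved
\$
Obtain session key for role
---------------------------
$0 user-s3-readonly 123456
The role "user-s3-readonly" will be acquired, at which point
read-only access to S3 buckets will be granted.
EOF
}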
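#######################################
# Print the names of all IAM roles visible to the IAM user in $PROFILE.
# Globals:   PROFILE (read)
# Arguments: none
# Outputs:   a heading followed by role names, one per line, to stdout
#######################################
list_roles() {
  local roles
  # Text output has one "ROLES ..." line per role with RoleName in column 6.
  # Matching on column 1 (instead of "grep ROLES" anywhere in the line) keeps
  # a role or ARN that merely contains the string ROLES from being mis-parsed,
  # and awk exits 0 when there are no roles, so an empty account is not an
  # error.
  roles=$(aws iam list-roles --profile "$PROFILE" --output text \
    | awk -F '\t' '$1 == "ROLES" { print $6 }')
  cat <<EOF
All roles (you may not have access to any or all of these):
$roles
EOF
}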
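#######################################
# Assume an IAM role using an MFA token and either print the temporary
# credentials (-p) or store them as the aws-cli default profile.
# Globals:   PROFILE (read), PRINT_ONLY (read)
# Arguments: $1 - role name, $2 - current MFA token code
# Outputs:   credentials (print mode) or a confirmation message on stdout;
#            diagnostics on stderr
# Returns:   0 on success; non-zero if the MFA device, the role or the
#            sts response cannot be resolved
#######################################
assume_role() {
  local role=$1
  local mfa_token_value=$2
  local mfa_device role_arn creds
  local access_key access_secret_key session_token

  # list-mfa-devices text output carries the device serial in column 3, one
  # line per device; only the first device is used.  An empty value used to
  # be passed straight on to sts and fail with a less helpful message.
  mfa_device=$(aws iam list-mfa-devices --profile "$PROFILE" --output text \
    | cut -f 3 | head -n 1)
  if [ -z "$mfa_device" ]; then
    printf 'No MFA device found for profile %s\n' "$PROFILE" >&2
    return 1
  fi

  # Resolve the role ARN by exact match on the role name (last column of a
  # ROLES line) rather than by an unanchored regex built from the argument:
  # a role whose name is a suffix of another cannot be picked by mistake and
  # regex metacharacters in the argument are not interpreted.
  role_arn=$(aws iam list-roles --profile "$PROFILE" --output text \
    | awk -F '\t' -v role="$role" '$1 == "ROLES" && $NF == role { print $2; exit }')
  if [ -z "$role_arn" ]; then
    printf 'Role "%s" not found (use -l to list roles)\n' "$role" >&2
    return 1
  fi

  # Request just the three credential fields as one tab-separated line, so
  # the parse does not depend on the position of the whole text record.
  creds=$(aws sts assume-role --role-arn "$role_arn" --profile "$PROFILE" \
    --token-code "$mfa_token_value" --serial-number "$mfa_device" \
    --role-session-name cli \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || return
  read -r access_key access_secret_key session_token <<<"$creds" || true
  if [ -z "$access_key" ] || [ -z "$access_secret_key" ] || [ -z "$session_token" ]; then
    printf 'Unexpected response from sts assume-role\n' >&2
    return 1
  fi

  if [ "$PRINT_ONLY" -eq 1 ]; then
    printf 'Access key: %s\n' "$access_key"
    printf 'Secret access key: %s\n' "$access_secret_key"
    printf 'Session token: %s\n' "$session_token"
  else
    # Stored in the default profile so the aws tools use them without
    # --profile; this replaces whatever credentials were stored there.
    aws configure set aws_access_key_id "$access_key"
    aws configure set aws_secret_access_key "$access_secret_key"
    aws configure set aws_session_token "$session_token"
    echo "Session token saved as default set of AWS credentials"
  fi
}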
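#######################################
# Interactively store an IAM user's long-lived access key and secret in the
# aws-cli profile $PROFILE.  The secret is read without terminal echo so it
# does not end up on screen or in a scrollback/log.
# Globals:   PROFILE (read)
# Arguments: none (prompts on the terminal, reads from stdin)
# Outputs:   prompts and a confirmation to stdout; diagnostics on stderr
# Returns:   1 if either value is empty, otherwise the status of aws
#            configure
#######################################
setup() {
  local access_key access_key_secret
  cat <<EOF
Setting up profile $PROFILE. You should provide an access key
and secret for an IAM user with rights to assume roles.
WARNING: This will replace any keys already configured for the
credential profile $PROFILE.
EOF
  # -r keeps backslashes literal; -s suppresses echo of the secret.
  read -r -p 'Access key: ' access_key
  read -r -s -p 'Access key secret: ' access_key_secret
  printf '\n'
  if [ -z "$access_key" ] || [ -z "$access_key_secret" ]; then
    printf 'Access key and secret must not be empty; nothing saved\n' >&2
    return 1
  fi
  aws configure set aws_access_key_id "$access_key" --profile "$PROFILE"
  aws configure set aws_secret_access_key "$access_key_secret" --profile "$PROFILE"
  echo "Credentials saved"
}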
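# Option parsing and dispatch.  The leading ':' makes getopts report unknown
# options via '?' instead of printing its own message; the unused t:/r:
# options are dropped.  The original `shift` inside the -p arm removed
# arguments behind getopts' back (e.g. combined flags such as -pl lost the
# -l); positional arguments are now discarded once, after the loop, using
# OPTIND.  Usage errors exit 2 so callers can tell them from success.
while getopts ':hpsl' option; do
  case "$option" in
    l)
      list_roles
      exit 0
      ;;
    p)
      PRINT_ONLY=1
      ;;
    s)
      setup
      exit 0
      ;;
    h)
      usage
      help
      exit 0
      ;;
    *)
      usage
      exit 2
      ;;
  esac
done
shift $((OPTIND - 1))

if [ $# -ne 2 ]; then
  usage
  exit 2
fi
assume_role "$1" "$2"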