@tfm
Last active August 29, 2015 14:20
#! /bin/bash
set -ue
PROFILE=iam-user
PRINT_ONLY=0

usage() {
    cat <<EOF
Usage: $0 [-l | -h | -s | [-p] role mfa-token]
  role        role name to acquire session token for
  mfa-token   MFA token value
  -p          print, don't store, session token
  -l          list all AWS roles
  -s          setup
  -h          help
EOF
}

help() {
    cat <<EOF
Acquire a session token from AWS for a particular role. Roles
give fine-grained, short-lived access to resources. This script
obtains a session token and, by default, stores it as the default
set of AWS credentials to be used by the aws command-line tools.
The session token can also be displayed and not stored (-p)
for use outside the AWS command-line tools.

Profiles
--------
Multiple profiles with different credentials can be stored for use
by the AWS command-line tools. IAM user credentials are set up (see
below) and stored in the profile "$PROFILE". When session tokens
are obtained, they're stored in the default profile, which means
they are used by default by the AWS command-line tools.

Set-up
------
Session tokens are obtained using an IAM user's access key and
secret, which are long-lived, and stored in the non-default
profile "$PROFILE" in the aws command-line tools credential store.
Run with the -s option first to configure the IAM access key and
secret which will be used to obtain session tokens.

EXAMPLES
========

Set-up
------
\$ $0 -s
Setting up profile $PROFILE. You should provide an access key
and secret for an IAM user with rights to assume roles.
WARNING: This will replace any keys already configured for the
credential profile $PROFILE.
Access key: 12345
Access key secret:
Credentials saved
\$

Obtain session key for role
---------------------------
\$ $0 user-s3-readonly 123456
The role "user-s3-readonly" will be acquired, at which point
read-only access to S3 buckets will be granted.
EOF
}

list_roles() {
    # In text output every role row starts with ROLES; field 6 is the RoleName.
    ROLES=$(aws iam list-roles --profile "$PROFILE" --output=text | grep ROLES | cut -f 6)
    cat <<EOF
All roles (you may not have access to any or all of these):
$ROLES
EOF
}

assume_role() {
    ROLE=$1
    MFA_TOKEN_VALUE=$2
    # Field 3 of a list-mfa-devices row is the device serial number (its ARN).
    MFA_DEVICE=$(aws iam list-mfa-devices --profile "$PROFILE" --output=text | cut -f 3)
    # Match the role name exactly as the last field of its row; field 2 is the role ARN.
    ROLE_ARN=$(aws iam list-roles --profile "$PROFILE" --output=text | grep "[[:space:]]${ROLE}$" | cut -f 2)
    SESSION_KEY=$(aws sts assume-role --role-arn "$ROLE_ARN" --profile "$PROFILE" --token-code "$MFA_TOKEN_VALUE" --serial-number "$MFA_DEVICE" --role-session-name cli --output=text)
    # The unquoted echo flattens the ASSUMEDROLEUSER and CREDENTIALS rows into one
    # space-separated line; fields 5, 7 and 8 are AccessKeyId, SecretAccessKey and SessionToken.
    ACCESS_KEY=$(echo $SESSION_KEY | cut -f 5 -d " ")
    ACCESS_SECRET_KEY=$(echo $SESSION_KEY | cut -f 7 -d " ")
    SESSION_TOKEN=$(echo $SESSION_KEY | cut -f 8 -d " ")
    if [ "$PRINT_ONLY" -eq 1 ]
    then
        echo "Access key: $ACCESS_KEY"
        echo "Secret access key: $ACCESS_SECRET_KEY"
        echo "Session token: $SESSION_TOKEN"
    else
        # Temporary credentials go into the default profile, so the CLI uses them unless told otherwise.
        aws configure set aws_access_key_id "$ACCESS_KEY"
        aws configure set aws_secret_access_key "$ACCESS_SECRET_KEY"
        aws configure set aws_session_token "$SESSION_TOKEN"
        echo "Session token saved as default set of AWS credentials"
    fi
}

setup() {
    cat <<EOF
Setting up profile $PROFILE. You should provide an access key
and secret for an IAM user with rights to assume roles.
WARNING: This will replace any keys already configured for the
credential profile $PROFILE.
EOF
    echo -n "Access key: "
    read -r ACCESS_KEY
    echo -n "Access key secret: "
    # -s: the long-lived secret is not echoed to the terminal (or scrollback).
    read -r -s ACCESS_KEY_SECRET
    echo
    aws configure set aws_access_key_id "$ACCESS_KEY" --profile "$PROFILE"
    aws configure set aws_secret_access_key "$ACCESS_KEY_SECRET" --profile "$PROFILE"
    echo "Credentials saved"
}

# Only the options that have a case below; the original string also carried
# an unused t: and r: and listed h twice.
while getopts "hpls" OPTION
do
    case $OPTION in
        l)
            list_roles
            exit
            ;;
        p)
            PRINT_ONLY=1
            ;;
        s)
            setup
            exit
            ;;
        h)
            usage
            help
            exit
            ;;
        *)
            usage
            exit
            ;;
    esac
done
# Drop the parsed options so that $1 and $2 are role and mfa-token. This replaces
# the bare `shift` inside the -p case, which only worked when -p was the first argument.
shift $((OPTIND - 1))

if [ $# -ne 2 ]
then
    usage
    exit
fi
assume_role "$1" "$2"
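The gist picks the three credential values out of `aws sts assume-role --output text` by absolute field position after flattening the rows onto one line, which silently returns the wrong column if the CLI ever adds or reorders a row. The following is an added example, not part of the gist: it selects the CREDENTIALS row by its label and the column by name, checks the returned Expiration against the clock, and renders the `-p` output as the environment variables the AWS SDKs and CLI read. The sample output and key values are constructed placeholders.

```shell
#!/bin/bash
# Constructed sample of `aws sts assume-role --output text`: rows are tab-separated and
# the CLI emits top-level keys alphabetically (ASSUMEDROLEUSER before CREDENTIALS).
# The key values below are placeholders, not real credentials.
sample_assume_role_output() {
    printf 'ASSUMEDROLEUSER\tarn:aws:sts::123456789012:assumed-role/user-s3-readonly/cli\tAROAEXAMPLEID:cli\n'
    printf 'CREDENTIALS\tASIAEXAMPLEKEY\t2015-08-29T15:20:00Z\tEXAMPLESECRET\tEXAMPLETOKEN\n'
}

# credential_field NAME: read assume-role text output on stdin and print one column of
# the CREDENTIALS row, selected by row label and column name rather than by absolute
# position in a space-flattened line, so an extra or reordered row cannot shift the fields.
# Exits non-zero when the row or the requested column name is absent.
credential_field() {
    awk -F '\t' -v want="$1" '
        BEGIN { idx["AccessKeyId"] = 2; idx["Expiration"] = 3
                idx["SecretAccessKey"] = 4; idx["SessionToken"] = 5 }
        $1 == "CREDENTIALS" && (want in idx) { print $(idx[want]); found = 1 }
        END { exit !found }'
}

# session_expired EXPIRATION [NOW]: exit 0 (true) once the session has expired. Both values
# are zero-padded ISO-8601 UTC timestamps, so a plain string comparison orders them correctly.
session_expired() {
    now=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    awk -v e="$1" -v n="$now" 'BEGIN { exit !(e < n) }'
}

# export_lines: render the credentials on stdin as `export` statements, the form the
# script's -p (print only) mode needs when the token is used outside the AWS CLI.
export_lines() {
    out=$(cat)
    printf 'export AWS_ACCESS_KEY_ID=%s\n'     "$(printf '%s\n' "$out" | credential_field AccessKeyId)"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$(printf '%s\n' "$out" | credential_field SecretAccessKey)"
    printf 'export AWS_SESSION_TOKEN=%s\n'     "$(printf '%s\n' "$out" | credential_field SessionToken)"
}

# Demonstration on the constructed sample; the real script would pipe the CLI output instead.
sample_assume_role_output | export_lines
```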