Last active
January 11, 2023 11:36
-
-
Save woowa-hsw0/caa3340e2a7b390dbde81894f73e379d to your computer and use it in GitHub Desktop.
Start AWS CLI Session with MFA Enabled (+Yubikey)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -eu | |
| umask 0022 | |
| if [[ $# -lt 1 ]]; then | |
| echo "Usage: $0 role_name [AWS ACCOUNT NUMBER]" >&2 | |
| exit 1 | |
| fi | |
| ROLE_NAME="$1" | |
| caller_identity=($(aws sts get-caller-identity --output text)) | |
| CURRENT_AWS_ACCOUNT_NUMBER="${caller_identity[0]}" | |
| AWS_IAM_USER_ARN="${caller_identity[1]}" | |
| AWS_IAM_USERNAME="$(basename "$AWS_IAM_USER_ARN")" | |
| if [[ $# -lt 2 ]]; then | |
| aws_account_number="$CURRENT_AWS_ACCOUNT_NUMBER" | |
| else | |
| aws_account_number="$2" | |
| fi | |
| role_arn="arn:aws:iam::$aws_account_number:role/$ROLE_NAME" | |
| role_session_name="$AWS_IAM_USERNAME" | |
| echo "I AM: $AWS_IAM_USER_ARN" | |
| echo "Assuming $role_arn ($role_session_name)" | |
| credentials=($(aws sts assume-role --role-arn "$role_arn" --role-session-name "$role_session_name" --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)) | |
| export AWS_ACCESS_KEY_ID="${credentials[0]}" AWS_SECRET_ACCESS_KEY="${credentials[1]}" AWS_SESSION_TOKEN="${credentials[2]}" | |
| # https://github.com/boto/boto/issues/2988 Workaround | |
| export AWS_SECURITY_TOKEN="$AWS_SESSION_TOKEN" | |
| aws sts get-caller-identity | |
| exec $SHELL |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -eu | |
| umask 0022 | |
| if [[ $# -ge 1 ]]; then | |
| AWS_PROFILE="$1" | |
| else | |
| read -p 'Enter AWS_PROFILE: ' AWS_PROFILE | |
| fi | |
| caller_identity=($(aws --profile "$AWS_PROFILE" sts get-caller-identity --output text)) | |
| AWS_ACCOUNT_NUMBER="${caller_identity[0]}" | |
| AWS_IAM_USER_ARN="${caller_identity[1]}" | |
| AWS_IAM_USERNAME="$(basename "$AWS_IAM_USER_ARN")" | |
| MFA_SERIAL="arn:aws:iam::$AWS_ACCOUNT_NUMBER:mfa/$AWS_IAM_USERNAME" | |
| echo "AWS Account number: $AWS_ACCOUNT_NUMBER" | |
| echo "IAM Username: $AWS_IAM_USERNAME" | |
| echo "MFA Serial: $MFA_SERIAL" | |
| tmpdir=$(mktemp -d) | |
| trap "rm -rf '$tmpdir'" EXIT | |
| if ykman oath info > "$tmpdir/yk-oath-info" 2>&1 ; then | |
| echo "Trying to read MFA code from Yubikey." | |
| cat "$tmpdir/yk-oath-info" | |
| rm -f "$tmpdir/yk-oath-info" | |
| ykman oath code "$AWS_PROFILE" 2>&1 | tee "$tmpdir/yk-mfa-code" | |
| otp_token=$(grep -F "$AWS_PROFILE" "$tmpdir/yk-mfa-code" | awk '{print $NF}') | |
| rm -f "$tmpdir/yk-mfa-code" | |
| [[ -z "$otp_token" ]] && exit 1 | |
| else | |
| read -p 'Enter MFA code: ' otp_token | |
| fi | |
| rm -rf "$tmpdir" | |
| session_token=($(aws --profile "$AWS_PROFILE" sts get-session-token --serial-number $MFA_SERIAL --token-code $otp_token --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)) | |
| export AWS_ACCESS_KEY_ID="${session_token[0]}" AWS_SECRET_ACCESS_KEY="${session_token[1]}" AWS_SESSION_TOKEN="${session_token[2]}" | |
| # https://github.com/boto/boto/issues/2988 Workaround | |
| export AWS_SECURITY_TOKEN="$AWS_SESSION_TOKEN" | |
| aws sts get-caller-identity | |
| exec $SHELL |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment