@zizkebab
Forked from ogavrisevs/aws-temp-token.sh
Last active May 28, 2019 12:10
Script to generate AWS STS token
#!/bin/bash
# .aws-temp-token.lt: re-run the token script only once the last STS session has aged past
# its 129600 s (36 h) lifetime. AWS_TEMP_TOKEN_LAST_TOKEN is rewritten by aws-temp-token.sh.
AWS_TEMP_TOKEN_LAST_TOKEN=1559045147
NOW_EPOCH=$(date +%s)
LAST_TOKEN_DIFF=$(( NOW_EPOCH - AWS_TEMP_TOKEN_LAST_TOKEN ))
echo "$LAST_TOKEN_DIFF"
if [ "$LAST_TOKEN_DIFF" -ge 129600 ]; then
  # aws-temp-token.sh exits with its usage text unless it receives the MFA code, so forward it
  ./aws-temp-token.sh "$@"
fi
#!/bin/bash
#
# Sample for getting a temporary session token from AWS STS
#
# aws --profile youriamuser sts get-session-token --duration-seconds 3600 \
#     --serial-number arn:aws:iam::012345678901:mfa/user --token-code 012345
#
# Based on : https://github.com/EvidentSecurity/MFAonCLI/blob/master/aws-temp-token.sh
#
AWS_CLI=$(command -v aws)
if [ -z "$AWS_CLI" ]; then
  echo "AWS CLI is not installed; exiting"
  exit 1
else
  echo "Using AWS CLI found at $AWS_CLI"
fi
if [ $# -ne 1 ]; then
  echo "Usage: $0 <MFA_TOKEN_CODE>"
  echo "Where:"
  echo " <MFA_TOKEN_CODE> = Code from virtual MFA device"
  exit 2
fi
AWS_USER_PROFILE=userName      # profile holding the long-lived IAM user keys
AWS_2AUTH_PROFILE=2auth        # profile that receives the temporary credentials
ARN_OF_MFA=GAKTxxxxxxxxxx      # serial number / ARN of the MFA device (placeholder)
MFA_TOKEN_CODE=$1
DURATION=129600                # 36 h, the longest GetSessionToken allows for an IAM user
echo "AWS-CLI Profile: $AWS_USER_PROFILE"
echo "MFA ARN: $ARN_OF_MFA"
echo "MFA Token Code: $MFA_TOKEN_CODE"
set -x   # traces every command, including the token code and the returned keys, to stderr
# --output text yields one line: CREDENTIALS <AccessKeyId> <Expiration> <SecretAccessKey> <SessionToken>
read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< \
  "$( aws --profile "$AWS_USER_PROFILE" sts get-session-token \
      --duration-seconds "$DURATION" \
      --serial-number "$ARN_OF_MFA" \
      --token-code "$MFA_TOKEN_CODE" \
      --output text | awk '{ print $2, $4, $5 }')"
echo "AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID"
echo "AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY"
echo "AWS_SESSION_TOKEN: $AWS_SESSION_TOKEN"
if [ -z "$AWS_ACCESS_KEY_ID" ]; then
  exit 1
fi
# Write the temporary credentials into the 2auth profile in ~/.aws/credentials
aws --profile "$AWS_2AUTH_PROFILE" configure set aws_access_key_id "$AWS_ACCESS_KEY_ID"
aws --profile "$AWS_2AUTH_PROFILE" configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
aws --profile "$AWS_2AUTH_PROFILE" configure set aws_session_token "$AWS_SESSION_TOKEN"
# See https://github.com/boto/boto/issues/2988 - boto needs aws_security_token
aws --profile "$AWS_2AUTH_PROFILE" configure set aws_security_token "$AWS_SESSION_TOKEN"
# Duplicate each aws_session_token line as aws_security_token; note this runs over every profile in the file
sed -i -e '/aws_security_token/d; /^aws_session_token/p; s/^aws_session_token/aws_security_token/' ~/.aws/credentials
# Record when this token was issued so .aws-temp-token.lt can decide when to refresh
sed -i -e "s/AWS_TEMP_TOKEN_LAST_TOKEN=.*/AWS_TEMP_TOKEN_LAST_TOKEN=$(date +%s)/" .aws-temp-token.lt
~/.aws/config
[default]
region = eu-west-1
~/.aws/credentials
[userName]
aws_access_key_id = AxxxxxxxxxxxxxxxxxQ
aws_secret_access_key = hxxxxxxxxxxxxxxxxxx4
[2auth]
aws_access_key_id = AxxxxxxxxxxxxxxxxxA
aws_secret_access_key = pxxxxxxxxxxxxxxxxxxxxxy
aws_session_token = AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxF
aws_security_token = AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxF
$ aws --profile 2auth ec2 describe-instances
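As an added example, not code from the gist, the following does in Python what the script and the credentials layout above rely on: it parses the `--output text` line of `aws sts get-session-token` (field order as the script's awk assumes), decides whether to refresh from the Expiration STS returns instead of a locally stored issue time, and writes the temporary credentials plus the legacy `aws_security_token` key into the `2auth` section only, leaving the `userName` section alone (the gist's sed runs over every profile). `SAMPLE_STS_TEXT` and the function names are this example's own.

```python
"""Parse `aws sts get-session-token --output text`, decide whether a cached
session needs refreshing, and write it into one named profile only."""
import configparser
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of the CLI's text output; the field order (AccessKeyId,
# Expiration, SecretAccessKey, SessionToken) is what awk '{ print $2, $4, $5 }'
# in the gist script relies on.
SAMPLE_STS_TEXT = (
    "CREDENTIALS\tASIAEXAMPLEKEYID\t2019-05-29T23:45:47Z\t"
    "examplesecretkey\texamplesessiontoken\n"
)

def parse_session_token_text(text):
    """Return the credentials from the CREDENTIALS line, or None if absent."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 5 and fields[0] == "CREDENTIALS":
            # CLI v1 prints a trailing Z, v2 prints +00:00; accept both
            exp = datetime.fromisoformat(fields[2].replace("Z", "+00:00"))
            return {
                "aws_access_key_id": fields[1],
                "expiration": exp.astimezone(timezone.utc),
                "aws_secret_access_key": fields[3],
                "aws_session_token": fields[4],
            }
    return None  # empty output (e.g. rejected MFA code): never write an empty profile

def needs_refresh(expiration, now, margin=timedelta(minutes=5)):
    """True once the session has expired or will expire within `margin`."""
    return now + margin >= expiration

def write_profile(credentials_ini, profile, creds):
    """Return `credentials_ini` with `profile` rewritten; other sections untouched."""
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_ini)
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    for key in ("aws_access_key_id", "aws_secret_access_key", "aws_session_token"):
        cfg[profile][key] = creds[key]
    # legacy boto reads aws_security_token (boto/boto#2988); set it in this profile only
    cfg[profile]["aws_security_token"] = creds["aws_session_token"]
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()
```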
@zizkebab (Author)

See boto/boto#2988 - boto needs aws_security_token
