# Copyright © 2018 Ivan Vandot <ivan@vandot.rs>
# All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# shellcheck disable=SC2148
#######################################
# Export the credentials that awstoken gathered into the calling shell.
# Globals:   aws_key, aws_secret, aws_token, expiration (read; they are the
#            caller's "local" variables, visible here through bash's
#            dynamic scoping)
#            AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
#            (exported)
# Outputs:   the expiration time and a confirmation line on stdout
# Returns:   status of the last printf (0)
#######################################
set_awstoken() {
  export AWS_ACCESS_KEY_ID="${aws_key}" \
    AWS_SECRET_ACCESS_KEY="${aws_secret}" \
    AWS_SESSION_TOKEN="${aws_token}"
  printf 'Expiration time: %s\n' "${expiration}"
  printf 'Temporary credentials set!\n\n'
}
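#######################################
# Read one key from an INI-style section of an AWS credentials file.
# Arguments: $1 - section name without brackets (e.g. "default")
#            $2 - key name, matched exactly (e.g. "aws_access_key_id")
#            $3 - path to the credentials file
# Outputs:   the value with all whitespace removed, or nothing when the
#            file, section or key is absent
# Returns:   0 always (a missing value is not an error)
#######################################
_awstoken_ini_get() {
  local section="$1" key="$2" file="$3"
  [[ -r "$file" ]] || return 0
  # Section and key are handed to awk with -v instead of being spliced into
  # the program text, so a profile name containing regex metacharacters
  # cannot change the pattern. The value is everything after the first "=",
  # because session tokens are base64 and may themselves end in "=".
  awk -v section="[${section}]" -v key="${key}" '
    /^[[:space:]]*\[/ {
      hdr = $0; gsub(/[[:space:]]/, "", hdr)
      in_section = (hdr == section)
      next
    }
    in_section && index($0, "=") > 0 {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1); gsub(/[[:space:]]/, "", v)
        print v
        exit
      }
    }' "$file"
}

#######################################
# Remove one section (its header plus every line up to the next header)
# from an INI-style credentials file, in place.
# Arguments: $1 - section name without brackets
#            $2 - path to the credentials file
# Returns:   0 on success or when the file does not exist, 1 when the file
#            could not be rewritten
#######################################
_awstoken_ini_drop_section() {
  local section="$1" file="$2"
  local tmp
  [[ -f "$file" ]] || return 0
  tmp=$(mktemp) || return 1
  # Rewrite through a temp file and copy back with "cat >" so the file keeps
  # its inode and mode, and no backup copy of the old contents (which still
  # holds credential material) is left next to it. The original used
  # "sed -ie", which leaves exactly such a "credentialse" backup behind.
  if awk -v section="[${section}]" '
      /^[[:space:]]*\[/ { hdr = $0; gsub(/[[:space:]]/, "", hdr); skip = (hdr == section) }
      !skip' "$file" > "$tmp" && cat "$tmp" > "$file"; then
    rm -f -- "$tmp"
    return 0
  fi
  rm -f -- "$tmp"
  return 1
}

#######################################
# Obtain temporary AWS credentials with an MFA token and export them into
# the current shell through set_awstoken.
# Globals:   HOME (read: ~/.aws/credentials)
#            AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
#            (exported by set_awstoken)
# Arguments: see the usage text below
# Outputs:   status messages on stdout; errors from "aws" go to its stderr
# Returns:   0 when credentials were exported, 1 on a usage error, when the
#            aws cli is missing, or when no credentials came back
#######################################
awstoken() {
  if ! command -v aws >/dev/null 2>&1; then
    printf "aws cli not found...\\npip install awscli\\n\\n"
    return 1
  fi
  local usage
  usage=$(cat <<'END'
Usage:
awstoken OPTION
Description:
Bash wrapper around awscli for easy temporary security credential generation for AWS API
Example:
awstoken -u user -t 123456 -a 012345678910
awstoken -p aws_profile -t 123456
Options:
-u, --user username
-t, --token token
-p, --profile profile [default]
-a, --account account-id
-d, --duration duration in s [43200]
-g, --gov; enable govcloud
-h, --help; display this help message
END
  )
  local creds_file="${HOME}/.aws/credentials"
  # When true, the session credentials are cached in ~/.aws/credentials
  # under a "<profile>-awstoken" section and reused until they expire.
  # Off by default: the cached block is the plaintext session token.
  local INSECURE=false
  local user token profile="default" account duration=43200 gov=""
  local result aws_key aws_secret aws_token expiration
  local arg key tag now

  # Help wins over everything else, wherever it appears on the command line.
  for arg in "$@"; do
    if [[ "$arg" == "-h" || "$arg" == "--help" ]]; then
      printf '%s\n' "$usage"
      return 0
    fi
  done

  while [[ $# -ge 1 ]]; do
    key="$1"
    case "${key}" in
      -u|--user|-t|--token|-p|--profile|-a|--account|-d|--duration)
        # All of these take a value; report it instead of reading "" from $2.
        if [[ $# -lt 2 ]]; then
          printf "\\nOption %s requires a value!\\n\\n" "${key}"
          return 1
        fi
        ;;
    esac
    case "${key}" in
      -u|--user)
        user="${2}"
        shift
        ;;
      -t|--token)
        token="${2}"
        shift
        ;;
      -p|--profile)
        profile="${2}"
        shift
        ;;
      -a|--account)
        account="${2}"
        shift
        ;;
      -d|--duration)
        duration="${2}"
        shift
        ;;
      -g|--gov)
        gov="-us-gov"
        ;;
      *)
        # "usage" is a variable, not a command: print it and stop rather
        # than silently continuing with an unparsed argument.
        printf "\\nUnknown option: %s\\n\\n" "${key}"
        printf '%s\n' "$usage"
        return 1
        ;;
    esac
    shift
  done

  if ! [[ "${duration}" =~ ^[0-9]+$ ]]; then
    printf "\\nDuration must be a whole number of seconds!\\n\\n"
    return 1
  fi

  if [[ -n ${profile} ]]; then
    if [[ ${INSECURE} == true ]]; then
      expiration=$(_awstoken_ini_get "${profile}-awstoken" expiration "${creds_file}")
      if [[ -n ${expiration} ]]; then
        # The expiration reported by STS ends in "Z" (UTC), so the current
        # time is taken in UTC as well (-u) and formatted with %M (minutes);
        # the original compared against local time with %m (month).
        now=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
        if [[ ${expiration} > ${now} ]]; then
          aws_key=$(_awstoken_ini_get "${profile}-awstoken" aws_access_key_id "${creds_file}")
          aws_secret=$(_awstoken_ini_get "${profile}-awstoken" aws_secret_access_key "${creds_file}")
          aws_token=$(_awstoken_ini_get "${profile}-awstoken" aws_session_token "${creds_file}")
          set_awstoken
          return 0
        else
          _awstoken_ini_drop_section "${profile}-awstoken" "${creds_file}"
          printf "\\nSaved credentials expired and removed!\\n\\n"
        fi
      fi
    fi
    # Fall back to the "user" and "account" keys of the selected profile.
    if [[ -z ${user} ]]; then
      user=$(_awstoken_ini_get "${profile}" user "${creds_file}")
    fi
    if [[ -z ${account} ]]; then
      account=$(_awstoken_ini_get "${profile}" account "${creds_file}")
    fi
  fi

  if [[ -z ${user} || -z ${token} || -z ${account} ]]; then
    printf "\\nYou must set user, token and account!\\n\\n"
    return 1
  fi

  result=$(aws sts get-session-token --profile "${profile}" --duration-seconds "${duration}" --token-code "${token}" --serial-number "arn:aws${gov}:iam::${account}:mfa/${user}" --output text)
  if [[ -z ${result} ]]; then
    # aws already printed its own error; do not report success.
    return 1
  fi
  # Text output is one line:
  #   CREDENTIALS <AccessKeyId> <Expiration> <SecretAccessKey> <SessionToken>
  read -r tag aws_key expiration aws_secret aws_token <<<"${result}"

  set_awstoken
  if [[ ${INSECURE} == true ]]; then
    # Restrictive umask so that a credentials file created here is not
    # readable by other users; an existing file keeps its current mode.
    (
      umask 077
      command cat >> "${creds_file}" <<EOT
[${profile}-awstoken]
expiration=${expiration}
aws_access_key_id=${aws_key}
aws_secret_access_key=${aws_secret}
aws_session_token=${aws_token}
EOT
    )
  fi
}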