diff --git a/home/.bin/gs-aws b/home/.bin/gs-aws
new file mode 100755
index 0000000..d1a665c
--- /dev/null
+++ b/home/.bin/gs-aws
@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+
+ACCOUNT_ID=${AWS_ACCOUNTID}
+ROLE=GiantSwarmAdmin
+MFA=
+MFA_ARN=arn:aws:iam::${AWS_ACCOUNTID}:mfa/marcus@giantswarm.io
+
+print_usage() {
+ echo "gs-aws - set up AWS credentials"
+ echo " "
+ echo "gs-aws"
+ echo " "
+ echo " "
+ echo "Options:"
+ echo "-h, --help show this help text"
+ echo "-a, --account the AWS account number (default: \$AWS_ACCOUNTID)"
+ echo "-r, --role the role to assume (default: GiantSwarmAdmin)"
+ echo "-t, --mfa-token the MFA token to use when generating a session [Required]"
+ echo "-m, --mfa-arn the ARN of the MFA device (Default ${MFA_ARN})"
+}
+
+while test $# -gt 0; do
+ case "$1" in
+ -a|--account)
+ shift
+ ACCOUNT_ID=$1
+ shift
+ ;;
+ -r|--role)
+ shift
+ ROLE=$1
+ shift
+ ;;
+ -t|--mfa-token)
+ shift
+ MFA=$1
+ shift
+ ;;
+ -m|--mfa-arn)
+ shift
+ MFA_ARN=$1
+ shift
+ ;;
+ -h|--help)
+ print_usage
+ exit 0
+ ;;
+ *)
+ break
+ ;;
+ esac
+done
+
+if [ -z $AWS_ACCESS_KEY_ID ] || [ -z $AWS_SECRET_ACCESS_KEY ] || [ -z $ACCOUNT_ID ]; then
+ echo "Initial AWS credentials required"
+ exit 1
+fi
+
+if [ -z $MFA ] || [ -z $MFA_ARN ]; then
+ echo "MFA token and ARN required"
+ exit 1
+fi
+
+printf "✨ Getting session credentials..."
+SESSION_JSON=$(aws sts get-session-token --serial-number ${MFA_ARN} --token-code ${MFA})
+printf "\n\e[1A\e[K✅ Got session credentials\n"
+
+export AWS_SECRET_ACCESS_KEY=$(echo $SESSION_JSON | jq -r '.Credentials.SecretAccessKey')
+export AWS_ACCESS_KEY_ID=$(echo $SESSION_JSON | jq -r '.Credentials.AccessKeyId')
+export AWS_SESSION_TOKEN=$(echo $SESSION_JSON | jq -r '.Credentials.SessionToken')
+export EXPIRATION=$(echo $SESSION_JSON | jq -r '.Credentials.Expiration')
+
+if [ "${ACCOUNT_ID}" != "${AWS_ACCOUNTID}" ]; then
+ printf "✨ Assuming cross-account role..."
+ ASSUME_SESSION=$(aws sts assume-role --role-session-name $(whoami)-aws --role-arn arn:aws:iam::${ACCOUNT_ID}:role/${ROLE})
+ export AWS_SECRET_ACCESS_KEY=$(echo $ASSUME_SESSION | jq -r '.Credentials.SecretAccessKey')
+ export AWS_ACCESS_KEY_ID=$(echo $ASSUME_SESSION | jq -r '.Credentials.AccessKeyId')
+ export AWS_SESSION_TOKEN=$(echo $ASSUME_SESSION | jq -r '.Credentials.SessionToken')
+ export EXPIRATION=$(echo $ASSUME_SESSION | jq -r '.Credentials.Expiration')
+ printf "\n\e[1A\e[K✅ Assumed role\n"
+fi
+
+mkdir -p ~/.aws
+cat > ~/.aws/credentials << EOF
+[giantswarm]
+aws_access_key_id=${AWS_ACCESS_KEY_ID}
+aws_secret_access_key=${AWS_SECRET_ACCESS_KEY}
+aws_session_token=${AWS_SESSION_TOKEN}
+expiration=${EXPIRATION}
+EOF
+
+echo "⚡️ AWS credentials setup"
+echo ""
+echo "ℹ️ You'll need to switch to the 'giantswarm' profile:"
+echo ""
+echo "unset AWS_ACCESS_KEY_ID"
+echo "unset AWS_SECRET_ACCESS_KEY"
+echo "export AWS_PROFILE=giantswarm"
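Review bot: The `aws sts get-session-token` and `aws sts assume-role` results are assigned without any exit-status check, so when either call fails (wrong MFA code, expired base keys, missing role) the script still prints the ✅ line, each `jq -r` lookup yields the string `null`, and a `[giantswarm]` profile with `null` credentials is written to `~/.aws/credentials`. Adding `set -euo pipefail` directly after the shebang makes a failing command substitution in those two plain assignments abort the script before the file is touched, and a `|| { echo "get-session-token failed" >&2; exit 1; }` on each call gives a readable error. Separately, `cat > ~/.aws/credentials` creates the file under the caller's default umask and replaces the whole file, so the fresh session secret may be group/world readable and any other profiles the user kept there are lost; put `umask 077` before `mkdir -p ~/.aws` (or `chmod 600 ~/.aws/credentials` afterwards) and consider `aws configure set --profile giantswarm aws_access_key_id "$AWS_ACCESS_KEY_ID"` per key instead of rewriting the file. The unquoted tests such as `[ -z $AWS_ACCESS_KEY_ID ]` happen to pass for empty values but misbehave on values containing whitespace; `[[ -z "$AWS_ACCESS_KEY_ID" ]]` is the safe form.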