dotfiles/home/.bin/gs-aws
Marcus Noble 495da19e85
Added script for handling AWS CLI login
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
2022-03-01 11:50:41 +00:00

99 lines
2.8 KiB
Bash
Executable File
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/env bash
ACCOUNT_ID=${AWS_ACCOUNTID}
ROLE=GiantSwarmAdmin
MFA=
MFA_ARN=arn:aws:iam::${AWS_ACCOUNTID}:mfa/marcus@giantswarm.io
print_usage() {
echo "gs-aws - set up AWS credentials"
echo " "
echo "gs-aws"
echo " "
echo " "
echo "Options:"
echo "-h, --help show this help text"
echo "-a, --account the AWS account number (default: \$AWS_ACCOUNTID)"
echo "-r, --role the role to assume (default: GiantSwarmAdmin)"
echo "-t, --mfa-token the MFA token to use when generating a session [Required]"
echo "-m, --mfa-arn the ARN of the MFA device (Default ${MFA_ARN})"
}
while test $# -gt 0; do
case "$1" in
-a|--account)
shift
ACCOUNT_ID=$1
shift
;;
-r|--role)
shift
ROLE=$1
shift
;;
-t|--mfa-token)
shift
MFA=$1
shift
;;
-m|--mfa-arn)
shift
MFA_ARN=$1
shift
;;
-h|--help)
print_usage
exit 0
;;
*)
break
;;
esac
done
if [ -z $AWS_ACCESS_KEY_ID ] || [ -z $AWS_SECRET_ACCESS_KEY ] || [ -z $ACCOUNT_ID ]; then
echo "Initial AWS credentials required"
exit 1
fi
if [ -z $MFA ] || [ -z $MFA_ARN ]; then
echo "MFA token and ARN required"
exit 1
fi
printf "✨ Getting session credentials..."
SESSION_JSON=$(aws sts get-session-token --serial-number ${MFA_ARN} --token-code ${MFA})
printf "\n\e[1A\e[K✅ Got session credentials\n"
export AWS_SECRET_ACCESS_KEY=$(echo $SESSION_JSON | jq -r '.Credentials.SecretAccessKey')
export AWS_ACCESS_KEY_ID=$(echo $SESSION_JSON | jq -r '.Credentials.AccessKeyId')
export AWS_SESSION_TOKEN=$(echo $SESSION_JSON | jq -r '.Credentials.SessionToken')
export EXPIRATION=$(echo $SESSION_JSON | jq -r '.Credentials.Expiration')
if [ "${ACCOUNT_ID}" != "${AWS_ACCOUNTID}" ]; then
printf "✨ Assuming cross-account role..."
ASSUME_SESSION=$(aws sts assume-role --role-session-name $(whoami)-aws --role-arn arn:aws:iam::${ACCOUNT_ID}:role/${ROLE})
export AWS_SECRET_ACCESS_KEY=$(echo $ASSUME_SESSION | jq -r '.Credentials.SecretAccessKey')
export AWS_ACCESS_KEY_ID=$(echo $ASSUME_SESSION | jq -r '.Credentials.AccessKeyId')
export AWS_SESSION_TOKEN=$(echo $ASSUME_SESSION | jq -r '.Credentials.SessionToken')
export EXPIRATION=$(echo $ASSUME_SESSION | jq -r '.Credentials.Expiration')
printf "\n\e[1A\e[K✅ Assumed role\n"
fi
mkdir -p ~/.aws
cat > ~/.aws/credentials << EOF
[giantswarm]
aws_access_key_id=${AWS_ACCESS_KEY_ID}
aws_secret_access_key=${AWS_SECRET_ACCESS_KEY}
aws_session_token=${AWS_SESSION_TOKEN}
expiration=${EXPIRATION}
EOF
echo "⚡️ AWS credentials setup"
echo ""
echo " You'll need to switch to the 'giantswarm' profile:"
echo ""
echo "unset AWS_ACCESS_KEY_ID"
echo "unset AWS_SECRET_ACCESS_KEY"
echo "export AWS_PROFILE=giantswarm"