#!/bin/bash
# create a session (aka credential profile) for a given account and role
# for convenience an alias should be created
# e.g. alias get_session="<path_to_this_file>"
# if the token parameter is omitted, we try to retrieve a token via https://pypi.python.org/pypi/mfa
# using the ${ORG} variable as key
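#######################################
# Print the usage line and terminate the script.
# Globals:   none
# Arguments: $1 - exit status (optional). Defaults to 1 because every call
#                 site in this script reaches help on an error path (the
#                 `exit 1` that follows each call was never reached before).
# Outputs:   usage text and the recognised environment variables to stderr
# Returns:   does not return; exits with $1
#######################################
help() {
  printf 'USAGE: %s -o <organisation_short_name> -p <account_short_name> -r <role> [-t <token>] [-v]\n' "${0##*/}" >&2
  printf '  env: MAX_ACCESS_KEY_AGE (days, default 90), WARNING_BEFORE_DAYS (days, default 10), AWS_MFA_TOKEN_CMD (command printing an MFA code)\n' >&2
  exit "${1:-1}"
}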
# ANSI colour escapes for the status messages below. They are stored as
# literal backslash sequences and only turned into escapes by `echo -e`.
NC='\033[0m'        # reset
RED='\033[0;31m'    # errors
GREEN='\033[0;32m'  # success
YELLOW='\033[1;33m' # highlighted values
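#######################################
# Parse the command line into the script's globals.
# Globals:   ORG, TOKEN, ROLE, TO_PROFILE, VERBOSE (written)
# Arguments: the script's "$@"
# Outputs:   diagnostics to stderr on a bad or incomplete option
# Returns:   0; exits non-zero on an unknown option or a missing argument
#######################################
parse_args() {
  local opt
  local OPTIND=1  # reset so the function can be called more than once
  # The leading ':' puts getopts in silent mode: a missing argument is then
  # reported through the ':' case below (without it that case was unreachable
  # and getopts printed its own message instead).
  while getopts ':o:t:r:p:v' opt; do
    case "$opt" in
      o) ORG=$OPTARG ;;
      t) TOKEN=$OPTARG ;;
      r) ROLE=$OPTARG ;;
      p) TO_PROFILE=$OPTARG ;;
      v) VERBOSE=true ;;
      :)
        printf 'Option -%s requires an argument.\n' "$OPTARG" >&2
        exit 1
        ;;
      \?)
        printf 'Unknown option -%s\n' "$OPTARG" >&2
        help
        exit 1
        ;;
    esac
  done
}
parse_args "$@"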
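# -o, -p and -r are all required before the first AWS call: an empty ROLE or
# TO_PROFILE would otherwise only surface later as a malformed role ARN or a
# credentials profile with no name.
if test -z "${ORG}" || test -z "${TO_PROFILE}" || test -z "${ROLE}"; then
  help
  exit 1
fi
echo -e "Getting session for ${YELLOW}${TO_PROFILE}${NC}"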
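# "<org>-iam" is the profile holding the long-lived IAM user credentials and
# the custom keys (account_id, iam_user) this script reads with
# `aws configure get`, which prints nothing when a key is absent.
PROFILE="${ORG}-iam"
if test -n "${VERBOSE}"; then
  echo -e -n "Fetching iam account id for ${YELLOW}${ORG}${NC} ... "
fi
MAIN_ACCOUNT_ID=$(aws --profile "${PROFILE}" configure get account_id)
if test -z "${MAIN_ACCOUNT_ID}"; then
  echo
  echo -e "${RED}Account ID for the main account${NC} ${YELLOW}${PROFILE} ${RED}not found.${NC}"
  help
  exit 1
fi
if test -n "${VERBOSE}"; then
  echo -e "${YELLOW}${MAIN_ACCOUNT_ID}${NC}"
fi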
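# The IAM user name comes from the iam profile (custom key iam_user), so the
# progress message names that profile rather than the target one.
if test -n "${VERBOSE}"; then
  echo -n -e "Fetching user for ${YELLOW}${PROFILE}${NC} ... "
fi
# NOTE: this overwrites the shell's USER variable for the rest of the script.
USER=$(aws --profile "${PROFILE}" configure get iam_user)
if test -z "${USER}"; then
  echo
  echo -e "${RED}Username not found for account${NC} ${YELLOW}${PROFILE}${NC}"
  help
  exit 1
fi
if test -n "${VERBOSE}"; then
  echo -e "${YELLOW}${USER}${NC}"
fi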
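# Account id of the target account (custom key account_id on its profile).
TO_ACCOUNT_ID=$(aws --profile "${TO_PROFILE}" configure get account_id)
if test -z "${TO_ACCOUNT_ID}"; then
  echo -e "${RED}Account ID not found for account${NC} ${YELLOW}${TO_PROFILE}${NC}"
  help
  exit 2
fi
# Long-lived access key of the iam profile; its age is checked below.
ACCESS_KEY_ID=$(aws --profile "${PROFILE}" configure get aws_access_key_id)
if test -z "${ACCESS_KEY_ID}"; then
  echo -e "${RED}No access key found for profile${NC} ${YELLOW}${PROFILE}${NC}"
  help
  exit 2
fi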
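if test -n "${VERBOSE}"; then
  echo "Checking session age ..."
fi
# Rotation policy in days; both values can be overridden from the environment.
MAX_ACCESS_KEY_AGE=${MAX_ACCESS_KEY_AGE:-90}
WARNING_BEFORE_DAYS=${WARNING_BEFORE_DAYS:-10}
WARNING_ACCESS_KEY_AGE=$((MAX_ACCESS_KEY_AGE - WARNING_BEFORE_DAYS))
# Creation date of the key the iam profile uses. The key id is handed to jq
# with --arg instead of being spliced into the program text.
QUERY='.AccessKeyMetadata[] | select(.AccessKeyId == $id) | .CreateDate'
CREATE_DATE=$(aws --profile "${PROFILE}" iam list-access-keys --user-name "${USER}" \
  | jq -r --arg id "${ACCESS_KEY_ID}" "${QUERY}")
# An empty date means the lookup failed (no permission, network error, key not
# listed for this user). That is not evidence the key is old, so stop here
# rather than fall through to the delete-access-key call below.
if test -z "${CREATE_DATE}"; then
  echo -e "${RED}Could not determine the creation date of access key${NC} ${YELLOW}${ACCESS_KEY_ID}${NC}"
  exit 2
fi
# Epoch seconds. `--date` with a relative "+Ndays" offset is GNU date syntax.
EXPIRE=$(date --utc --date "${CREATE_DATE} +${MAX_ACCESS_KEY_AGE}days" +"%s")
EXPIRE_SOON=$(date --utc --date "${CREATE_DATE} +${WARNING_ACCESS_KEY_AGE}days" +"%s")
DATE=$(date --utc +"%s")
if test -z "${EXPIRE}" || test -z "${EXPIRE_SOON}"; then
  echo -e "${RED}Could not parse access key creation date${NC} ${YELLOW}${CREATE_DATE}${NC}"
  exit 2
fi
if test -n "${VERBOSE}"; then
  echo -e "Session create date is ${YELLOW}${CREATE_DATE}${NC}"
  echo -e " Will warn on ${YELLOW}${EXPIRE_SOON}${NC}"
  echo -e " Will expire on ${YELLOW}${EXPIRE}${NC}"
  echo -e " Date is ${YELLOW}${DATE}${NC}"
fi
if (( EXPIRE_SOON < DATE )); then
  if (( EXPIRE < DATE )); then
    echo -e "${RED}Your access Key has expired and will be deleted NOW${NC}"
    echo "Please login and create new Access Keys here: "
    # REGION is never assigned in this script; fall back to the CLI's
    # AWS_DEFAULT_REGION so the console link is not left without a region.
    echo "https://console.aws.amazon.com/iam/home?region=${REGION:-${AWS_DEFAULT_REGION:-}}#/users/${USER}?section=security_credentials"
    # Destructive: revokes the expired long-lived key so it cannot keep being
    # used. A new key then has to be created in the console.
    aws --profile "${PROFILE}" iam delete-access-key --access-key-id "${ACCESS_KEY_ID}" --user-name "${USER}"
    exit 2
  else
    echo -e "${YELLOW}Your key will expire on ${RED}$(date -d "@${EXPIRE}")${YELLOW}. Please create a new one today!${NC}"
  fi
fi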
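# MFA code resolution order: -t on the command line, then the output of
# AWS_MFA_TOKEN_CMD, then an interactive prompt.
if test -z "${TOKEN}"; then
  if test -n "${AWS_MFA_TOKEN_CMD}"; then
    # SECURITY: eval executes whatever the environment variable contains as a
    # shell command. Only set AWS_MFA_TOKEN_CMD from a trusted shell profile.
    TOKEN=$(eval "${AWS_MFA_TOKEN_CMD}")
  fi
  if test -z "${TOKEN}"; then
    echo -n -e "Please enter a token for ${YELLOW}${ORG}${NC}: "
    read -r TOKEN  # -r: do not interpret backslashes in the typed code
  fi
fi
if test -z "${TOKEN}"; then
  echo -e "${RED}MFA token not provided${NC}"
  help
  exit 1
fi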
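# Build the assume-role call as an array so every value reaches the CLI as a
# single argument (no word-splitting or globbing of the token, role or
# profile names, which the old string-built command was exposed to).
CMD=(aws --profile "${PROFILE}" sts assume-role
  --role-arn "arn:aws:iam::${TO_ACCOUNT_ID}:role/${ROLE}"
  --role-session-name "${TO_PROFILE}-${USER}"
  --serial-number "arn:aws:iam::${MAIN_ACCOUNT_ID}:mfa/${USER}"
  --token-code "${TOKEN}")
if test -n "${VERBOSE}"; then
  echo -e "Fetching session for ${YELLOW}${TO_PROFILE} ${ROLE}${NC} ..."
  # The MFA code is the last array element; keep it out of the log line.
  echo -e "${YELLOW}${CMD[*]:0:${#CMD[@]}-1} <redacted>${NC}"
fi
# get the session (JSON on stdout; empty when the call failed)
SESSION=$("${CMD[@]}")
if test -z "${SESSION}"; then
  # Mark the profile as having no valid session so anything that checks
  # aws_session_expiration does not keep using stale credentials.
  aws configure --profile "${TO_PROFILE}" set aws_session_expiration "0"
  echo -e "${RED}Session could not be retrieved.${NC}"
  exit 3
fi
if test -n "${VERBOSE}"; then
  echo -e "Writing session for ${YELLOW}${ROLE}${NC} to profile ${YELLOW}${TO_PROFILE}${NC}"
fi
# Pull the credential fields out of the STS response. A here-string is used
# instead of `echo ${SESSION}` so the JSON is never word-split or globbed.
SESSION_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' <<<"${SESSION}")
SESSION_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' <<<"${SESSION}")
SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' <<<"${SESSION}")
SESSION_EXPIRATION=$(jq -r '.Credentials.Expiration' <<<"${SESSION}")
# write the temporary credentials to the target profile
aws configure --profile "${TO_PROFILE}" set aws_access_key_id "${SESSION_ACCESS_KEY_ID}"
aws configure --profile "${TO_PROFILE}" set aws_secret_access_key "${SESSION_SECRET_ACCESS_KEY}"
aws configure --profile "${TO_PROFILE}" set aws_session_token "${SESSION_TOKEN}"
# write expiration time (epoch seconds) to config
aws configure --profile "${TO_PROFILE}" set aws_session_expiration "$(date --date "${SESSION_EXPIRATION}" +"%s")"
# copy the default region from the iam profile, but only when it has one:
# `aws configure set region` with an empty value would fail on a missing argument
IAM_REGION=$(aws configure --profile "${PROFILE}" get region)
if test -n "${IAM_REGION}"; then
  aws configure --profile "${TO_PROFILE}" set region "${IAM_REGION}"
fi
echo -e "${GREEN}Session saved to profile ${YELLOW}${TO_PROFILE}${NC}"
if test -n "${VERBOSE}"; then
  # Prints the full STS response, including the temporary secret and token.
  jq -r . <<<"${SESSION}"
fi
exit 0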