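# USAGE:
#   source assume_role.sh <sourceAccountNumber> <username> <destinationAccountNumber> <rolename> [durationSeconds]
#
# Requires 4 args and optionally a 5th. Must be run with `source` so that the
# exported AWS_* variables stick in the calling shell. Because it is sourced,
# this file deliberately never calls `exit` or `set -e` at top level — either
# would terminate the user's interactive shell.
#
# Arguments:
#   sourceAccountNumber       account holding the MFA device; used to build
#                             arn:aws:iam::<sourceAccountNumber>:mfa/<username>
#   username                  IAM user name, i.e. the MFA device name in that ARN
#   destinationAccountNumber  account that owns the role to assume
#   rolename                  name of the role to assume
#   durationSeconds           session lifetime handed to STS (default 3600)
#
# Exports on success: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,
# AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN (plus OG_AWS_* / AWS_ENV_VARS bookkeeping).
#
# The deprecation notice is a diagnostic, so it goes to stderr rather than
# polluting stdout when the caller captures it.
echo "WARNING: This script is deprecated. Please use sts_assume_role.sh instead!" >&2
sourceAccountNumber=$1
username=$2
destinationAccountNumber=$3
rolename=$4
durationSeconds=${5:-3600}
# Get current shell even if it is not the default shell: https://unix.stackexchange.com/a/227138
# Used later to pick the right array flag for `read` and the array base index.
defaultShell=$(ps -p "$$" | awk '$1 != "PID" {print $(NF)}')
# NOTE(review): the account numbers, user name and role name are not validated
# here. They are only ever passed to the aws CLI as single quoted argv words,
# so a malformed value is rejected by STS rather than interpreted by the shell.
roleArn="arn:aws:iam::${destinationAccountNumber}:role/${rolename}"
serialArn="arn:aws:iam::${sourceAccountNumber}:mfa/${username}"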
# Reset the environment before a new assume-role call.
#
# Session tokens from an earlier run are always dropped. What happens to the
# long-lived access key pair depends on the AWS_ENV_VARS / OG_AWS_* bookkeeping:
#   - AWS_ENV_VARS set         -> an earlier run found no key in the environment,
#                                 so whatever key is there now came from this
#                                 script: unset it.
#   - no key in environment    -> remember that fact in AWS_ENV_VARS.
#   - key present, no OG_ copy -> first run with a user-supplied key: save it.
#   - key present, OG_ saved   -> put the saved original key back.
# Globals read/written: AWS_SECURITY_TOKEN, AWS_SESSION_TOKEN, AWS_ENV_VARS,
#   AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID, OG_AWS_SECRET_ACCESS_KEY,
#   OG_AWS_ACCESS_KEY_ID.
clear_env_vars () {
  unset AWS_SECURITY_TOKEN
  unset AWS_SESSION_TOKEN
  if [ -n "$AWS_ENV_VARS" ]; then
    # Credentials in the environment were put there by this script; drop them.
    unset AWS_SECRET_ACCESS_KEY
    unset AWS_ACCESS_KEY_ID
    return
  fi
  if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
    # Nothing to preserve; flag it so the next run knows to clean up.
    export AWS_ENV_VARS="True"
  elif [ -z "$OG_AWS_SECRET_ACCESS_KEY" ]; then
    # First time we see a user-supplied key: stash the original pair.
    export OG_AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY"
    export OG_AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID"
  else
    # Restore the stashed original pair over whatever a previous run exported.
    export AWS_SECRET_ACCESS_KEY="$OG_AWS_SECRET_ACCESS_KEY"
    export AWS_ACCESS_KEY_ID="$OG_AWS_ACCESS_KEY_ID"
  fi
}
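# Call STS AssumeRole and load the returned credentials into commandResult.
#
# Reads: defaultShell, roleArn, serialArn, durationSeconds (set at top level).
# Writes: commandResult (array: SecretAccessKey, SessionToken, AccessKeyId in
#         that order, per the --query below) and exitCode (the aws CLI status).
#
# Fix versus the previous version: the aws output is captured into a variable
# first, so exitCode really is the aws command's status. With
# `read ... <<< $(aws ...)` $? was the status of `read`, which is 0 even when
# aws fails (the here-string still supplies an empty line).
get_sts () {
  local tokenCode readFlag stsOutput
  # An empty tokenCode is allowed on purpose for orgs that don't use an MFA:
  # in that case --serial-number/--token-code are omitted entirely.
  echo "Enter MFA token code:"
  read -r tokenCode
  # zsh requires -A in order to read in an array; bash uses -a.
  readFlag="-a"
  if [[ "$defaultShell" == *"zsh"* ]]; then
    readFlag="-A"
  fi
  # NOTE(review): the token code travels on argv and is therefore briefly
  # visible to other local users via ps. The aws CLI has no stdin form for
  # --token-code, and a TOTP code is single-use, so this is tolerated here.
  # NOTE(review): the fixed session name "iam-role-injector" means CloudTrail
  # cannot attribute the session to a person; kept as-is for compatibility.
  if [ -z "$tokenCode" ]; then
    stsOutput=$(aws sts assume-role --output text \
      --role-arn "$roleArn" \
      --role-session-name iam-role-injector \
      --query 'Credentials.[SecretAccessKey, SessionToken, AccessKeyId]' \
      --duration-seconds "$durationSeconds")
    exitCode=$?
  else
    stsOutput=$(aws sts assume-role --output text \
      --role-arn "$roleArn" \
      --role-session-name iam-role-injector \
      --serial-number "$serialArn" \
      --query 'Credentials.[SecretAccessKey, SessionToken, AccessKeyId]' \
      --duration-seconds "$durationSeconds" \
      --token-code "$tokenCode")
    exitCode=$?
  fi
  # Split the tab-separated result into commandResult. On failure stsOutput is
  # empty and the array ends up empty, which set_env_vars reports as an error.
  read $readFlag commandResult <<< "$stsOutput"
}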
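# Export the credentials collected by get_sts into the calling shell.
#
# Reads: commandResult, defaultShell, rolename. Writes: exitCode, and on
# success AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN,
# AWS_ACCESS_KEY_ID.
#
# A successful assume-role yields exactly three fields; anything else is
# treated as failure so a half-populated environment is never exported.
# Fix versus the previous version: a shell other than bash/zsh used to fall
# through silently, exporting nothing and leaving exitCode untouched; it is
# now reported as an error.
set_env_vars () {
  local first
  if (( ${#commandResult[@]} != 3 )); then
    echo "Unable to assume role" >&2
    exitCode=1
    return
  fi
  # bash arrays are numbered from zero, zsh arrays from one by default
  # see: https://stackoverflow.com/questions/36453146/why-does-read-a-fail-in-zsh
  if [[ "$defaultShell" == *"bash"* ]]; then
    first=0
  elif [[ "$defaultShell" == *"zsh"* ]]; then
    first=1
  else
    echo "Unsupported shell '$defaultShell': only bash and zsh are supported" >&2
    exitCode=1
    return
  fi
  echo "You have assumed the $rolename role successfully."
  export AWS_SECRET_ACCESS_KEY="${commandResult[$first]}"
  # Set AWS_SESSION_TOKEN and AWS_SECURITY_TOKEN for backwards compatibility
  # See: http://boto3.readthedocs.org/en/latest/guide/configuration.html
  export AWS_SECURITY_TOKEN="${commandResult[$((first + 1))]}"
  export AWS_SESSION_TOKEN="${commandResult[$((first + 1))]}"
  export AWS_ACCESS_KEY_ID="${commandResult[$((first + 2))]}"
}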
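# Entry point: validate the four required arguments, then clear, fetch and
# export credentials. Sets exitCode; never calls `exit` because the script is
# sourced. The usage message is a diagnostic and goes to stderr.
main () {
  if [[ -z "$sourceAccountNumber" || -z "$username" || -z "$destinationAccountNumber" || -z "$rolename" ]]; then
    echo "Usage: source assume_role.sh <sourceAccountNumber> <username> <destinationAccountNumber> <rolename> [durationSeconds]" >&2
    exitCode=1
    return
  fi
  # Order matters: clear/restore leftover credentials first so the STS call
  # is not made with the session of an earlier run, then fetch and export.
  clear_env_vars
  get_sts
  set_env_vars
}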
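main
# `exit` inside ( ) only ends the subshell, so this does not close the shell
# that sourced us; it just leaves the script's status in $? for the caller.
# Default to 0 defensively: `exit ""` would itself error with status 2.
(exit "${exitCode:-0}")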