Etusivu Tutki Apua
Kirjaudu sisään
thatsmydoing
/
dotfiles
1
0
Fork 0
Tiedostot Ongelmat 0
Puu: 3ee347ffe6
Haarat Tagit
dotfiles
/
.local
/
bin
/
get-aws-login

get-aws-login 2.2 KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778 
  1. #!/usr/bin/env bash
    2. 

  2. 

  3. set -euo pipefail
    4. 

  4. 

  5. # ignore existing credentials
    6. 

  6. unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    7. 

  7. 

  8. profile=$1
    9. 

  9. duration=${2:-28800}
    10. 

  10. mfa_serial_number=$(aws configure get mfa_serial)
    11. 

  11. if [ "$profile" != "default" ]; then
    12. 

  12.   if ! role_arn=$(aws configure get "profile.$profile.role_arn"); then
    13. 

  13.     echo "role_arn not set for profile $profile"
    14. 

  14.     echo "run aws configure set profile.$profile.role_arn <role arn>"
    15. 

  15.     exit 1
    16. 

  16.   fi
    17. 

  17. fi
    18. 

  18. 

  19. read -srp "Password: " password
    20. 

  20. >&2 echo ""
    21. 

  21. 

  22. use_cache=0
    23. 

  23. cache_gpg="$XDG_RUNTIME_DIR/aws-$profile.gpg"
    24. 

  24. if [ -z "${2:-}" ]; then
    25. 

  25.   use_cache=1
    26. 

  26. fi
    27. 

  27. 

  28. function get_credentials {
    29. 

  29.   keepassxc-cli show -q "$KEEPASS_FILE" "$KEEPASS_AWS_ENTRY" -a "$1" <<< "$password"
    30. 

  30. }
    31. 

  31. 

  32. function get_cached {
    33. 

  33.   if [ "$use_cache" -eq 0 ]; then
    34. 

  34.     return 1
    35. 

  35.   fi
    36. 

  36.   if [ ! -f "$cache_gpg" ]; then
    37. 

  37.     >&2 echo "No cached credentials, requesting new"
    38. 

  38.     return 1
    39. 

  39.   fi
    40. 

  40.   if ! cached=$(gpg --batch -d --passphrase "$password" "$cache_gpg"); then
    41. 

  41.     >&2 echo "Error getting cached credentials"
    42. 

  42.     exit 1
    43. 

  43.   fi
    44. 

  44.   expiration=$(date -d "$(jq -r '.Credentials.Expiration' <<< "$cached")" +%s)
    45. 

  45.   if [ "$expiration" -lt "$(date +%s)" ]; then
    46. 

  46.     >&2 echo "Cached credentials expired, requesting new"
    47. 

  47.     return 1
    48. 

  48.   fi
    49. 

  49. 

  50.   >&2 echo "Using cached credentials, expires $(date -d "@$expiration" +%H:%M)"
    51. 

  51.   echo "$cached"
    52. 

  52. }
    53. 

  53. 

  54. AWS_ACCESS_KEY_ID=$(get_credentials UserName)
    55. 

  55. AWS_SECRET_ACCESS_KEY=$(get_credentials Password)
    56. 

  56. 

  57. if ! credentials=$(get_cached); then
    58. 

  58.   export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
    59. 

  59. 

  60.   read -rp "MFA: " mfa
    61. 

  61. 

  62.   if [ "$profile" = "default" ]; then
    63. 

  63.     credentials=$(aws sts get-session-token --serial-number $mfa_serial_number --token-code "$mfa" --duration-seconds "$duration")
    64. 

  64.   else
    65. 

  65.     credentials=$(aws sts assume-role --serial-number $mfa_serial_number --token-code "$mfa" --role-arn "$role_arn" --role-session-name "$(hostname)" --duration-seconds "$duration")
    66. 

  66.   fi
    67. 

  67. 

  68.   if [ "$use_cache" -eq 1 ]; then
    69. 

  69.     gpg --batch -c --passphrase "$password" <<< "$credentials" > "$cache_gpg"
    70. 

  70.   fi
    71. 

  71. fi
    72. 

  72. 

  73. 

  74. jq -r '.Credentials | @sh "
    75. 

  75. export AWS_ACCESS_KEY_ID=\(.AccessKeyId)
    76. 

  76. export AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)
    77. 

  77. export AWS_SESSION_TOKEN=\(.SessionToken)
    78. 

  78. "' <<< "$credentials"
    79.