-
Notifications
You must be signed in to change notification settings - Fork 20
/
Copy pathassume-role
executable file
·151 lines (122 loc) · 4.63 KB
/
assume-role
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
#!/bin/bash
# By Michael Ludvig <[email protected]> (c) 2015
# License: GPLv3
# Obtain temporary cross-account or cross-role credentials from STS
# Enables scripts running on an EC2 instance with instance-role access
# to other roles or other AWS accounts.
# Cross-role access must be configured first.
set -e
export SCRIPTS_DIR=$(dirname $0)
test -z "${SCRIPTS_DIR}" && SCRIPTS_DIR=$(dirname $(which $0))
export JQ_DIR=${SCRIPTS_DIR}/../jq
function show_help() {
cat << __EOF__
Usage: $(basename $0) -r ROLENAME|ARN [OPTIONS] [--] [COMMAND [ARGS]]
Assume Credentials from another IAM Role and either print them
in a form suitable for eval(1) or run 'command' with these
Credentials in the environment.
COMMAND Run the COMMAND with ARGS using the assumed IAM Role's creds.
Prepend '--' if the command has arguments starting with '-'.
-c ROLES.CSV Path to the config file with IAM Role ARNs.
Optional, not needed if using '-r ARN', only needed
when using '-r ROLENAME'.
-p PROFILE AWS-CLI Profile name as defined in ~/.aws/config.
Optional, will use default or instance meta-data if
not specified.
-g REGION AWS Region to query. Optional if PROFILE has region set.
-r ROLENAME or -r ARN
Name of IAM Role from ROLES.CSV or IAM Role ARN to assume.
-s SECONDS Generated credentials will be valid for given number
of SECONDS. Minimum is 900 (=15 minutes), max 43200 (=12 hour).
Validity longer than 1 hour must be explicitly permitted
in the target role configuration. Default is 3600 (= 1 hour).
-m MFA-SERIAL
MFA serial number / ARN. Optional. Typical format is:
arn:aws:iam::123456789012:mfa/user.name
-l List role names from ROLES.CSV
-h Display help.
Visit https://aws.nz/aws-utils/assume-role for more info and usage examples.
__EOF__
exit 1
}
function fatal() {
echo $1 >&2
exit 1
}
AWS=$(which aws 2>/dev/null) || true
test -z "${AWS}" && fatal "The 'aws' utility not found. Please install it or add its location to \$PATH"
JQ=$(which jq 2>/dev/null) || true
test -z "${JQ}" && fatal "The 'jq' utility not found. Please install it or add its location to \$PATH"
VALIDITY_SECONDS=3600
while getopts "c:g:hlm:p:r:s:" OPT; do
case "${OPT}" in
c)
ROLES_CSV="${OPTARG}"
test -f "${ROLES_CSV}" || fatal "Error: -c ${ROLES_CSV}: File not found"
;;
g)
AWS="${AWS} --region=${OPTARG}"
export AWS_DEFAULT_REGION=${OPTARG}
;;
m)
MFA_SERIAL="${OPTARG}"
;;
p)
AWS="${AWS} --profile=${OPTARG}"
;;
r)
ROLE_NAME="${OPTARG}"
;;
s)
VALIDITY_SECONDS="${OPTARG}"
test "${VALIDITY_SECONDS}" -ge 900 -a "${VALIDITY_SECONDS}" -le 43200 || \
fatal "Error: -s ${VALIDITY_SECONDS}: Must be from 900 to 43200 seconds"
;;
l)
LIST=1
;;
h)
show_help
;;
esac
done
shift $(($OPTIND - 1))
if [ "${ROLE_NAME:0:12}" = "arn:aws:iam:" ]; then
# We've got ROLE_ARN - no need to parse the config file.
ROLE_ARN=${ROLE_NAME}
ROLE_NAME=$(cut -d/ -f2 <<< ${ROLE_ARN})
else
test -z "${ROLES_CSV}" && fatal "Need Role ARN (-r arn:aws:iam:...) or Config file (-c /path/to/roles.csv). See -h for help."
# List available roles
if [ -n "${LIST}" ]; then
awk -F\| 'NR>1 && /^[^$]/{print $1 " - " $2}' ${ROLES_CSV}
exit
fi
# Resolve ROLE_NAME to ROLE_ARN
eval $(awk -F\| -v role=${ROLE_NAME} -v retval=1 -v IGNORECASE=1 'NR==1{split($0, varnames);} NR>1 && $1 == role{ for (nf=1; nf<=NF; nf++) { print "export VAR_" varnames[nf] "=" $nf } retval=0} END{exit retval}' ${ROLES_CSV})
if [ -z "${VAR_ARN}" ]; then
echo "Role '${ROLE_NAME}' not found in ${ROLES_CSV}. Try: $0 -c ${ROLES_CSV} -l" >&2
exit 1
fi
ROLE_ARN=${VAR_ARN}
fi
ROLE_JSON=$(${AWS} sts assume-role --role-arn ${ROLE_ARN} --role-session-name ${ROLE_NAME}_$(date +%s) --duration-seconds ${VALIDITY_SECONDS} ${MFA_SERIAL:+--serial-number ${MFA_SERIAL}})
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
# Obsolete variables - unset them anyway to prevent credentials mismatch
# See below for emitting them again
unset AWS_SECURITY_TOKEN
AWS_ENV_VARS=$(${JQ} -r '
@text "export AWS_ACCESS_KEY_ID=\"\(.Credentials.AccessKeyId)\"",
@text "export AWS_SECRET_ACCESS_KEY=\"\(.Credentials.SecretAccessKey)\"",
@text "export AWS_SESSION_TOKEN=\"\(.Credentials.SessionToken)\"",
@text "export AWS_SECURITY_TOKEN=\"\(.Credentials.SessionToken)\""
' <<< ${ROLE_JSON})
if [ $# -gt 0 ]; then
eval "${AWS_ENV_VARS}"
exec "$@"
else
echo "${AWS_ENV_VARS}"
test -n "${AWS_DEFAULT_REGION}" && echo "export AWS_DEFAULT_REGION=\"${AWS_DEFAULT_REGION}\"" || true
fi