From 763afce3188f13ff83766f0d0f11ebe47004b35f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Harper?= Date: Thu, 7 Dec 2023 17:31:12 -0500 Subject: [PATCH] chore: add a script to assume AWS role more easily --- tools/aws-assume-role.sh | 64 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100755 tools/aws-assume-role.sh diff --git a/tools/aws-assume-role.sh b/tools/aws-assume-role.sh new file mode 100755 index 000000000..30130d027 --- /dev/null +++ b/tools/aws-assume-role.sh @@ -0,0 +1,64 @@ +#!/bin/bash + +# +# This script helps you assume the AssumedAdmin role you either created manually or using the Terraform plan from ws-create-role.tf +# +# Requirement: aws-cli installed (see https://github.com/aws/aws-cli) +# +# Replace the AWS account ID `111111111111` in the `ROLE` variable with yours. If you give the admin a different name than `AssumedAdmin`, please update it also. +# +# Ensure that the default values fit your needs (i.e., role session name, duration of assume role...) +# +# Before running the script, ensure you have credentials. configure with the AWS CLI. To do so, run +# aws configure +# +# To run this script +# ./aws-assume-role.sh +# + +# +# Change the AWS account ID & role name +# +ROLE="arn:aws:iam::126827061464:role/KubernetesAdmin" + +# +# You can leave the rest of thre script as is +# + +# An identifier for the assumed role session: you can change it if you want. +ROLE_SESSION_NAME="AssumedAdmin-kubefirst" + +# Colors for formatting +YELLOW="\033[1;93m" +NOFORMAT="\033[0m" +BOLD="\033[1m" + +# Backup the previous credentials +if [ -f "~/.aws/credentials" ] +then + mv ~/.aws/credentials ~/.aws/credentials.bak +fi + +# Unset previously set AWS access environment variables +unset AWS_ACCESS_KEY_ID +unset AWS_SECRET_ACCESS_KEY +unset AWS_SESSION_TOKEN + +# Retrieving the connected user +USER=$(aws sts get-caller-identity | jq -r .Arn | cut -d'/' -f 2) + +if [ $(echo "$USER" | grep -v "Unable to locate credentials") ] +then + # Assuming the new role for 12 hours. You can change the `--duration-seconds` to shorter timeout for security reason. + JSON=$(aws sts assume-role --role-arn "${ROLE}" --role-session-name "${ROLE_SESSION_NAME}" --duration-seconds 43200) + export AWS_ACCESS_KEY_ID=$(echo $JSON | jq -r .Credentials.AccessKeyId) + export AWS_SECRET_ACCESS_KEY=$(echo $JSON | jq -r .Credentials.SecretAccessKey) + export AWS_SESSION_TOKEN=$(echo $JSON | jq -r .Credentials.SessionToken) + unset JSON + + # Display useful information for UI installation + echo -e "\n${YELLOW}Started session for user ${NOFORMAT}${BOLD}${USER}${NOFORMAT}${YELLOW} assuming ${NOFORMAT}${BOLD}${ROLE}${NOFORMAT}\n" + echo -e "${BOLD}AWS_ACCESS_KEY_ID: ${NOFORMAT} ${AWS_ACCESS_KEY_ID}" + echo -e "${BOLD}AWS_SECRET_ACCESS_KEY:${NOFORMAT} ${AWS_SECRET_ACCESS_KEY}" + echo -e "${BOLD}AWS_SESSION_TOKEN: ${NOFORMAT} ${AWS_SESSION_TOKEN}" +fi