diff --git a/README.md b/README.md index d4a5779..cd030f1 100644 --- a/README.md +++ b/README.md @@ -1,22 +1,34 @@ -# Fetch IAM keys and secrets from a AWS credentials file +# get-aws-profile-bash + + + +## Fetch AWS keys and secrets from a AWS credentials file This is a pure bash script that can parse and extract AWS credentials (key id and secret) from a `~/.aws/credentials` file. -``` +```bash $ ./get-aws-profile.sh --help -Usage: ./get-aws-profile.sh [--credentials=] [--profile=] [--key|--secret] +Usage: ./get-aws-profile.sh [--credentials=] [--profile=] [--key|--secret|--session-token] + Default --credentials is '~/.aws/credentials' Default --profile is 'default' - By default environment variables are generate, e.g. + + By default environment variables are generated, e.g. source $(./get-aws-profile.sh --profile=myprofile) - You can specify one --key or --secret to get just that value, with no line break, + + You can specify one of --key, --secret, -or --session-token to get just that value, with no line break: FOO_KEY=$(./get-aws-profile.sh --profile=myprofile --key) FOO_SECRET=$(./get-aws-profile.sh --profile=myprofile --secret) + FOO_SESSION_TOKEN=$(./get-aws-profile.sh --profile=myprofile --session-token) ``` -## Set environment variables for 'my-example' profile +## Examples -``` +### Set environment variables for 'my-example' profile + +```bash $ ./get-aws-profile.sh --profile my-example export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY @@ -26,7 +38,7 @@ $ eval $(./get-aws-profile.sh --profile my-example) ## Get key and secret for 'my-example' profile -``` +```bash $ ./get-aws-profile.sh --profile my-example --key AKIAIOSFODNN7EXAMPLE 
@@ -34,12 +46,12 @@ $ ./get-aws-profile.sh --profile my-example --secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY $ export AWS_ACCESS_KEY_ID=$(./get-aws-profile.sh --profile my-example --key) -$ export AWS_SECRET_ACCESS_KEY=$(./get-aws-profile.sh --profile my-example --secret) +$ export AWS_SECRET_ACCESS_KEY=$(./get-aws-profile.sh --profile my-example --secret) ``` ## Get key and secret for 'default' profile from a custom 'ini' file -``` +```bash $ ./get-aws-profile.sh --credentials /foo/bar/my-creds-file --key AKIAIOSFODNN7EXAMPLE @@ -48,9 +60,10 @@ wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ``` ## AWS Credentials file format + The AWS credentials file format appears to follow the old [Windows 'ini' file format](https://en.wikipedia.org/wiki/INI_file). Check the [AWS documentation](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) for more information. -``` +```ini [default] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY 
@@ -60,8 +73,14 @@ aws_access_key_id=AKIAI44QH8DHBEXAMPLE aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY ``` -# Rationale -I often need to include an AWS key id and secret in deployment scripts. Yet I don't want to actually include the credentials in the script or in the git repository. Many AWS client support storing AWS credentials in an `~/.aws/credentials` files and using a `--profile` argument or `AWS_DEFAULT_PROFILE` environment variable. However other tools only work by setting the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables. Sometimes you need to inject these credentials into stored secrets or configurations. This script helps script these tasks whilst keeping the credentials out of your scripts and repository. I wanted a pure bash solution I could include in automated build and deployment environments. +## Rationale + +I often need to include an AWS key id and secret in deployment scripts. Yet I don't want to actually include the credentials in the script or in the git repository. + +Many AWS client tools support storing AWS credentials in the `~/.aws/credentials` file and using a `--profile` argument or `AWS_DEFAULT_PROFILE` environment variable. However other tools only work by setting the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables. Sometimes you need to inject these credentials into stored secrets or configurations. + +This script helps script these tasks whilst keeping the credentials out of your scripts and repository. I wanted a pure bash solution I could include in automated build and deployment environments. + +## Credits -# Credits The really cool part of this script is the ['ini' file parser written by Andres J. Diaz](https://web.archive.org/web/20180826221418/http://theoldschooldevops.com/2008/02/09/bash-ini-parser/). diff --git a/get-aws-profile.sh b/get-aws-profile.sh index 39b8d2b..bea7d8d 100755 --- a/get-aws-profile.sh +++ b/get-aws-profile.sh 
@@ -39,8 +39,9 @@ cfg_parser () # echo a message to standard error (used for messages not intended # to be parsed by scripts, such as usage messages, warnings or errors) -echo_stderr() { - echo "$@" >&2 +echo_stderr () +{ + printf '%s\n' "$@" >&2 } # @@ -50,14 +51,17 @@ echo_stderr() { display_usage () { echo_stderr "Usage: $0 [--credentials=] [--profile=] [--key|--secret|--session-token]" - echo_stderr " Default --credentials is '~/.aws/credentials'" + echo_stderr "" + echo_stderr " Default --credentials is '${HOME}/.aws/credentials'" echo_stderr " Default --profile is 'default'" - echo_stderr " By default environment variables are generate, e.g." - echo_stderr " source \$($0 --profile=myprofile)" - echo_stderr " You can specify one of --key, --secret, -or --session-token to get just that value, with no line break," - echo_stderr " FOO_KEY=\$($0 --profile=myprofile --key)" - echo_stderr " FOO_SECRET=\$($0 --profile=myprofile --secret)" - echo_stderr " FOO_SESSION_TOKEN=\$($0 --profile=myprofile --session-token)" + echo_stderr "" + echo_stderr " By default environment variables are generated, e.g." + echo_stderr " source \$($0 --profile=${PROFILE:-myprofile})" + echo_stderr "" + echo_stderr " You can specify one of --key, --secret, -or --session-token to get just that value, with no line break:" + echo_stderr " FOO_KEY=\$($0 --profile=${PROFILE:-myprofile} --key)" + echo_stderr " FOO_SECRET=\$($0 --profile=${PROFILE:-myprofile} --secret)" + echo_stderr " FOO_SESSION_TOKEN=\$($0 --profile=${PROFILE:-myprofile} --session-token)" } for i in "$@" @@ -89,7 +93,7 @@ case $i in ;; *) # unknown option - echo "Unknown option $1" + echo_stderr "Unknown option $1" display_usage exit 1 ;; @@ -100,7 +104,7 @@ done # Check options # -CREDENTIALS=${CREDENTIALS:-~/.aws/credentials} +CREDENTIALS="${CREDENTIALS:-"${HOME}/.aws/credentials"}" PROFILE=${PROFILE:-default} SHOW_KEY=${SHOW_KEY:-false} SHOW_SECRET=${SHOW_SECRET:-false} 
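Review bot: In `echo_stderr`, `printf '%s\n' "$@"` prints each argument on its own line, whereas the `echo "$@"` it replaces joined them with spaces on one line. Every call visible in this diff passes a single string, so nothing changes today. `printf '%s\n' "$*" >&2` would keep the old one-line behaviour for any caller that passes several words.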
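Review bot: The usage example rewritten in `display_usage` still advertises `source $(...)`, which does not load the variables: the command substitution is word-split and `source` takes the first word (`export`) as a file name. The README example in this same commit uses the working form, so the line could read `echo_stderr "    eval \"\$($0 --profile=${PROFILE:-myprofile})\""`, or use `source <(...)`. The same `source $(...)` text is in the README usage block in the first hunk.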
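Review bot: The rewritten message in the `*)` branch prints `$1`, but the loop iterates with `for i in "$@"` and matches on `$i`, so the argument being rejected is `$i`. The two coincide only if every earlier branch shifts, and those branches are outside this hunk. `echo_stderr "Unknown option ${i}"` names the right argument regardless.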
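Review bot: Replacing `~` with `${HOME}` in the `CREDENTIALS` default changes what happens when `HOME` is unset, as it can be under cron or in minimal CI containers. Bash's tilde expansion then falls back to the invoking user's home directory, while `${HOME}/.aws/credentials` silently becomes `/.aws/credentials` at the filesystem root. For a script that emits credentials it is safer to fail loudly: `CREDENTIALS="${CREDENTIALS:-"${HOME:?HOME is not set}/.aws/credentials"}"` aborts only when the default is actually needed. The usage line in `display_usage` expands `${HOME}` the same way.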
@@ -134,15 +138,16 @@ if [[ $? -ne 0 ]]; then fi if [[ "${SHOW_KEY}" = false && "${SHOW_SECRET}" = false && "${SHOW_SESSION_TOKEN}" = false ]]; then - echo "export AWS_ACCESS_KEY_ID=${aws_access_key_id}" - echo "export AWS_SECRET_ACCESS_KEY=${aws_secret_access_key}" - echo "export AWS_SESSION_TOKEN=${aws_session_token}" + echo_stderr "# Profile: ${PROFILE}" + printf 'export AWS_ACCESS_KEY_ID=%s\n' "${aws_access_key_id}" + printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "${aws_secret_access_key}" + printf 'export AWS_SESSION_TOKEN=%s\n' "${aws_session_token}" elif [[ "${SHOW_KEY}" = true ]]; then - echo -n "${aws_access_key_id}" + printf '%s' "${aws_access_key_id}" elif [[ "${SHOW_SECRET}" = true ]]; then - echo -n "${aws_secret_access_key}" + printf '%s' "${aws_secret_access_key}" elif [[ "${SHOW_SESSION_TOKEN}" = true ]]; then - echo -n "${aws_session_token}" + printf '%s' "${aws_session_token}" else echo_stderr "Unknown error" exit 9
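Review bot: The three `export` lines in the first branch interpolate the raw values with `%s`, yet the README tells users to run this output through `eval $(...)`. A value in the credentials file containing whitespace, `;` or a command substitution would then be interpreted by the caller's shell instead of being assigned. Because `--credentials` can point at any file, the values should be shell-quoted on output, e.g. `printf 'export AWS_ACCESS_KEY_ID=%q\n' "${aws_access_key_id}"`, and likewise for the secret and the session token (`%q` is supported by bash's `printf` builtin, and the script already relies on bash). The single-value branches are captured with `$(...)` as data and are right to stay as `%s`. The `if` chain closes after the hunk's last line.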