bash/zsh script to perform assume-role and/or MFA login in AWS and set environment variables + script to perform docker login with ECR
#!/bin/bash
# This file can be called as a program
# (it will output the assignment of the REGISTRY environment variable for convenience with `eval $(aws-ecr-login)`)
# OR sourced in .bashrc or .zshrc
# (in that case it will directly set the REGISTRY environment variable and have no output)
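#######################################
# Log the local docker client in to the ECR registry of the current account.
# Globals:   AWS_REGION (read, required)
#            AWS_ACCOUNT_ID (read, required when REGISTRY is unset)
#            REGISTRY (read, or derived from the two above and exported)
#            output_for_eval (read: when non-empty, the derived REGISTRY
#            assignment is printed to stdout for `eval`)
# Arguments: none (positional parameters are ignored)
# Outputs:   `export REGISTRY=...` on stdout only when REGISTRY was derived
#            and output_for_eval is set; docker login's output goes to stderr
# Returns:   1 when a required variable is missing, the exit status of
#            `aws ecr get-login-password` when it fails, otherwise the exit
#            status of `docker login`
#######################################
function aws-ecr-login {
  if [ -z "${AWS_REGION:-}" ]; then
    echo "environment variable AWS_REGION required" >&2
    return 1
  fi
  if [ -z "${REGISTRY:-}" ]; then
    if [ -z "${AWS_ACCOUNT_ID:-}" ]; then
      echo "environment variable REGISTRY or AWS_ACCOUNT_ID required" >&2
      return 1
    fi
    export REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
    if [ -n "${output_for_eval:-}" ]; then
      # %q shell-quotes the value so the emitted line is safe to eval verbatim
      printf 'export REGISTRY=%q\n' "$REGISTRY"
    fi
  fi
  # Fetch the token first: in a plain pipe (no pipefail, since this file may be
  # sourced) a failing `aws` call would be masked and docker would only report
  # a confusing login failure on empty input.
  local password
  password=$(aws ecr get-login-password --region "$AWS_REGION") || return $?
  # The token is handed to docker via stdin, never argv, so it stays out of `ps`.
  printf '%s\n' "$password" | docker login --username AWS --password-stdin "$REGISTRY" >&2
}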
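# Run the login only when this file is executed, not sourced. This relies on
# `$_` still holding the path the script was started with (so it equals `$0`)
# because no simple command has run yet; when sourced, `$_` is the previous
# command's last argument and the check fails. Both sides are quoted so `$0`
# is compared literally rather than as a glob pattern.
if [[ "$_" == "$0" ]]; then
  output_for_eval=1 aws-ecr-login "$@"
fi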
#!/bin/bash
#
# Either use this file as a script you call with the profile name as an optional parameter;
# it will print the resulting environment variable assignments
#
# OR source it (in your bashrc/zshrc) and use the aws-login function, which will
# automatically set the variables on the calling shell
#
#######################################
# Select the AWS profile used by subsequent aws / aws-login calls.
# Globals:   AWS_PROFILE (written: all arguments joined by a space)
#            AWS_SDK_LOAD_CONFIG (written: set to 1; honoured by several AWS
#            SDKs to also read the shared config file)
# Arguments: the profile name (every argument is joined into the name)
# Returns:   0
#######################################
function aws-profile {
  local selected="$*"
  export AWS_PROFILE="$selected"
  # export AWS_DEFAULT_PROFILE="$AWS_PROFILE"
  export AWS_SDK_LOAD_CONFIG=1
}
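#######################################
# Obtain temporary AWS credentials via STS (get-session-token, or assume-role
# when the target profile configures role_arn; with an MFA code when an
# mfa_serial is configured) and export them into the current shell.
# Globals:   AWS_PROFILE (read: profile to log in with, takes precedence over $1)
#            aws_login_with_output (read: when non-empty, also print the
#            resulting `export` lines to stdout for `eval`)
#            AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN,
#            AWS_ACCOUNT_ID (written)
#            AWS_REGION (written only when a region is configured for the
#            target or source profile)
# Arguments: $1 - profile name, used only when AWS_PROFILE is empty
# Inputs:    reads the MFA token from stdin when an mfa_serial is configured;
#            the prompt goes to stderr so it never ends up in the eval output
# Outputs:   `export NAME=value` lines on stdout when aws_login_with_output is
#            set, shell-quoted with %q so they can be eval'ed verbatim
# Returns:   0 on success; 1 when the STS call fails or yields no credentials,
#            or when the account id cannot be determined
#######################################
function aws-login {
  local profile="${AWS_PROFILE:-}"
  if [ -z "$profile" ]; then
    profile="${1:-}"
  fi
  # the config (aka target) profile OR no profile at all
  local -a cfg_profile_option
  cfg_profile_option=()
  if [ -n "$profile" ]; then
    cfg_profile_option=("--profile" "$profile")
  fi
  # optionally the source profile (may be empty). `aws configure get` exits
  # non-zero when a key is not configured, which is a normal case here.
  local source_profile
  source_profile=$(aws configure get source_profile "${cfg_profile_option[@]}") || source_profile=""
  # profile option either pointing to source profile or cfg profile or no profile
  local -a profile_option
  profile_option=()
  if [ -n "$source_profile" ]; then
    profile_option=("--profile" "$source_profile")
  elif [ -n "$profile" ]; then
    profile_option=("--profile" "$profile")
  fi
  # prefer mfa_serial in target profile
  local mfa_serial
  mfa_serial=$(aws configure get mfa_serial "${cfg_profile_option[@]}") || mfa_serial=""
  if [ -z "$mfa_serial" ]; then
    # otherwise also look in source profile (if present)
    mfa_serial=$(aws configure get mfa_serial "${profile_option[@]}") || mfa_serial=""
  fi
  local -a mfa_parameters
  mfa_parameters=()
  local mfa_token
  if [ -n "$mfa_serial" ]; then
    # prompt on stderr: stdout may be captured by `eval "$(aws-login)"`
    printf 'MFA TOKEN (%s)> ' "$mfa_serial" >&2
    read -r mfa_token
    mfa_parameters=("--serial" "$mfa_serial" "--token-code" "$mfa_token")
  fi
  # role_arn is only supported on target profile
  local role_arn
  role_arn=$(aws configure get role_arn "${cfg_profile_option[@]}") || role_arn=""
  local -a role_parameters
  role_parameters=()
  local sts_command="get-session-token"
  if [ -n "$role_arn" ]; then
    sts_command="assume-role"
    role_parameters=("--role-arn" "$role_arn" "--role-session-name" "cli-$profile")
  fi
  # assignment kept separate from `local` so the STS exit status is not masked
  local json
  if ! json=$(aws sts "$sts_command" "${mfa_parameters[@]}" "${role_parameters[@]}" "${profile_option[@]}" --output json); then
    echo "aws sts $sts_command failed" >&2
    return 1
  fi
  local access_key_id secret_access_key session_token
  access_key_id=$(jq -r '.Credentials.AccessKeyId' <<<"$json")
  secret_access_key=$(jq -r '.Credentials.SecretAccessKey' <<<"$json")
  session_token=$(jq -r '.Credentials.SessionToken' <<<"$json")
  # jq prints "null" for missing fields; never export empty or null credentials
  if [ -z "$access_key_id" ] || [ "$access_key_id" = "null" ] \
    || [ -z "$secret_access_key" ] || [ "$secret_access_key" = "null" ] \
    || [ -z "$session_token" ] || [ "$session_token" = "null" ]; then
    echo "aws sts $sts_command returned no credentials" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$access_key_id"
  export AWS_SECRET_ACCESS_KEY="$secret_access_key"
  export AWS_SESSION_TOKEN="$session_token"
  local account_id
  if ! account_id=$(aws sts get-caller-identity --query Account --output text); then
    echo "aws sts get-caller-identity failed" >&2
    return 1
  fi
  export AWS_ACCOUNT_ID="$account_id"
  # prefer target profile
  local region
  region=$(aws configure get region "${cfg_profile_option[@]}") || region=""
  if [ -z "$region" ]; then
    # try again including source profile
    region=$(aws configure get region "${profile_option[@]}") || region=""
  fi
  if [ -n "$region" ]; then
    export AWS_REGION="$region"
  fi
  if [ -n "${aws_login_with_output:-}" ]; then
    # %q shell-quotes each value so the lines are safe to eval verbatim;
    # AWS_REGION is printed once and only when it is actually set
    printf 'export AWS_ACCESS_KEY_ID=%q\n' "$AWS_ACCESS_KEY_ID"
    printf 'export AWS_SECRET_ACCESS_KEY=%q\n' "$AWS_SECRET_ACCESS_KEY"
    printf 'export AWS_SESSION_TOKEN=%q\n' "$AWS_SESSION_TOKEN"
    if [ -n "${AWS_REGION:-}" ]; then
      printf 'export AWS_REGION=%q\n' "$AWS_REGION"
    fi
    printf 'export AWS_ACCOUNT_ID=%q\n' "$AWS_ACCOUNT_ID"
  fi
}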
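# Run the login only when this file is executed, not sourced. This relies on
# `$_` still holding the path the script was started with (so it equals `$0`)
# because no simple command has run yet; when sourced, `$_` is the previous
# command's last argument and the check fails. Both sides are quoted so `$0`
# is compared literally rather than as a glob pattern.
if [[ "$_" == "$0" ]]; then
  aws_login_with_output=1 aws-login "$@"
fi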