Read token as input for mfa script and added new assume_role script

README.md

@@ -23,12 +23,47 @@ The MFA code is the code your MFA device gives you.
 At a command prompt run the following command.
 
 ```bash
-mfa <mfacode> <optional-aws-profile>
+mfa <optional-aws-profile> <optional-token-duration>
 ```
 
+Or you can just run "mfa" and it will use the default profile and a default time duration.
+For usage execute "mfa -h".
+
 ### Alias Note
 
 Scripts run in a subprocess of the calling shell.  This means that 
 if you attempt to set the env vars in the script, they will only persist
 inside that subprocess.  The `alias.sh` script sets an alias function to source the env vars into your main shell whenever you 
 run the `mfa` command.
+
+### Assume role helper
+
+Also added a assume_role script that works very similar as mfa script, uses roles.cfg for the assuming any roles.
+
+To use this with MFA make sure your policies have the following:
+
+```bash
+"Condition": {
+        "Bool": {
+            "aws:MultiFactorAuthPresent": "true"
+        }
+}
+```
+For further reference: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
+
+### Assume Role Usage:
+
+Copy `SAMPLE-roles.cfg` to `~/roles.cfg`
+
+Assume role using assume_role script.
+
+```bash
+assume_role <alias-role-on-role.cfg>
+```
+
+### Clear Creds
+There is also an script to clear the environment credentials. This is helpful if you are moving from one role to another without having to wait for the duration of the token to expire.
+
+```bash
+clear_creds
+```

SAMPLE-roles.cfg

@@ -0,0 +1,2 @@
+role1="arn:aws:iam::12345:role/myFirstRole"
+role2="arn:aws:iam::23456:role/mySecondRole"

alias.sh

@@ -4,4 +4,16 @@ setToken() {
     source ~/.token_file
     echo "Your creds have been set in your env."
 }
+AssumeRole() {
+    ~/assume_role.sh $1
+    source ~/.token_file
+    echo "Your creds have been set in your env."
+}
+clearToken() {
+    ~/mfa-clear.sh
+    source ~/.token_file
+    echo "Your creds have been cleared."
+}
 alias mfa=setToken
+alias clear_creds=clearToken
+alias assume_role=AssumeRole

assume_role.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# set -x
+#
+# Once the temp token is obtained, you'll need to feed the following environment
+# variables to the aws-cli:
+#
+# export AWS_ACCESS_KEY_ID='KEY'
+# export AWS_SECRET_ACCESS_KEY='SECRET'
+# export AWS_SESSION_TOKEN='TOKEN'
+
+AWS_CLI=`which aws`
+
+if [ $? -ne 0 ]; then
+  echo "AWS CLI is not installed; exiting"
+  exit 1
+else
+  echo "Using AWS CLI found at $AWS_CLI"
+fi
+
+if [ -z ~/.token_file ]
+then
+    source ~/..token_file
+fi
+
+# 1 argument is ok
+if [[ $# -ne 1 ]]; then
+    echo "Usage: $0 <AWS_CLI_ROLE>"
+    echo "Where:"
+    echo "   <AWS_CLI_ROLE> = aws role in $HOME/roles.cfg"
+    exit 2
+fi
+
+echo "Reading config..."
+if [ ! -r ~/roles.cfg ]; then
+  echo "No config found.  Please create your mfa.cfg.  See README.txt for more info."
+  exit 2
+fi
+
+AWS_CLI_ROLE=${1:-default}
+DURATION=${2:-129600}
+ARN_OF_ROLE=$(grep "^$AWS_CLI_ROLE" ~/roles.cfg | cut -d '=' -f2- | tr -d '"')
+
+echo "AWS-CLI ROLE: $AWS_CLI_ROLE"
+echo "ROLE ARN: $ARN_OF_ROLE"
+
+echo "Your Temporary Creds:"
+aws sts assume-role --role-arn $ARN_OF_ROLE \
+    --role-session-name $AWS_CLI_ROLE --query "Credentials" --output text \
+  | awk '{printf("export AWS_ACCESS_KEY_ID=\"%s\"\nexport AWS_SECRET_ACCESS_KEY=\"%s\"\nexport AWS_SESSION_TOKEN=\"%s\"\nexport AWS_SECURITY_TOKEN=\"%s\"\n",$1,$3,$4,$4)}' | tee ~/.token_file

mfa-clear.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# set -x
+# Use unset to clear env vars
+
+echo "unset AWS_ACCESS_KEY_ID
+unset AWS_SECRET_ACCESS_KEY
+unset export AWS_SESSION_TOKEN" > ~/.token_file

mfa.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# set -x
 #
 # Sample for getting temp session token from AWS STS
 #
@@ -21,30 +22,35 @@ else
   echo "Using AWS CLI found at $AWS_CLI"
 fi
 
-# 1 or 2 args ok
-if [[ $# -ne 1 && $# -ne 2 ]]; then
-  echo "Usage: $0 <MFA_TOKEN_CODE> <AWS_CLI_PROFILE>"
-  echo "Where:"
-  echo "   <MFA_TOKEN_CODE> = Code from virtual MFA device"
-  echo "   <AWS_CLI_PROFILE> = aws-cli profile usually in $HOME/.aws/config"
-  exit 2
-fi
+# Helper
+while getopts ":h" option; do
+    case $option in
+        h) # display Help
+            echo "Usage: $0 <AWS_CLI_PROFILE> <TOKEN_DURATION>"
+            echo "Where:"
+            echo "   <AWS_CLI_PROFILE>(Optional) = aws-cli profile usually in $HOME/.aws/config"
+            echo "   <TOKEN_DURATION>(Optional) = Token code duration time (default 129600)"
+            exit;;
+        esac
+done
 
 echo "Reading config..."
 if [ ! -r ~/mfa.cfg ]; then
   echo "No config found.  Please create your mfa.cfg.  See README.txt for more info."
   exit 2
 fi
 
-AWS_CLI_PROFILE=${2:-default}
-MFA_TOKEN_CODE=$1
+echo -n "Enter your MFA Token: " >&2
+read -s MFA_TOKEN_CODE
+AWS_CLI_PROFILE=${1:-default}
+DURATION=${2:-129600}
 ARN_OF_MFA=$(grep "^$AWS_CLI_PROFILE" ~/mfa.cfg | cut -d '=' -f2- | tr -d '"')
 
 echo "AWS-CLI Profile: $AWS_CLI_PROFILE"
 echo "MFA ARN: $ARN_OF_MFA"
 echo "MFA Token Code: $MFA_TOKEN_CODE"
 
 echo "Your Temporary Creds:"
-aws --profile $AWS_CLI_PROFILE sts get-session-token --duration 129600 \
+aws --profile $AWS_CLI_PROFILE sts get-session-token --duration $DURATION \
   --serial-number $ARN_OF_MFA --token-code $MFA_TOKEN_CODE --output text \
   | awk '{printf("export AWS_ACCESS_KEY_ID=\"%s\"\nexport AWS_SECRET_ACCESS_KEY=\"%s\"\nexport AWS_SESSION_TOKEN=\"%s\"\nexport AWS_SECURITY_TOKEN=\"%s\"\n",$2,$4,$5,$5)}' | tee ~/.token_file