@@ -0,0 +1,96 @@
#
# Copyright (C) Andrei Belov ([email protected] )
#
# This is an example of direnv [1] .envrc file approaching the way
# of using awscli [2] with MFA-enabled accounts in a (more or less)
# secure manner.
#
# The following assumptions are expected:
#
# a) there should be two files, key.asc and skey.asc, containing
# AWS access key and secure access key, respectively, encrypted
# with GPG using a key specified in the DEFAULT_GPG_KEY
# environment variable;
#
# b) IAM user name equals local user name reported by whoami(1);
#
# c) IAM user has basic permissions to obtain general account details
# as well as personal settings like MFA devices.
#
# The policy outlined in the following document should work:
# https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html
#
# Honored environment variables:
#
# - DEFAULT_GPG_KEY (mandatory, no default): GPG key which is being
# used to decrypt initial credentials from key.asc and skey.asc,
# as well as to encrypt IAM user session credentials in order to
# keep them in a temporary file;
#
# - AWS_SESSION_TOKEN_DURATION (default is 900): the duration, in seconds,
# that the credentials should remain valid. Acceptable durations
# for IAM user sessions range from 900 seconds (15 minutes) to 129600
# seconds (36 hours).
#
# Also it's worth to increase DIRENV_WARN_TIMEOUT to something greater
# than the default (5s) in order to avoid unnecessary warnings.
#
# [1] https://direnv.net
# [2] https://github.com/aws/aws-cli
#
umask 077
if [ -z " ${DEFAULT_GPG_KEY} " ; then
echo " Please set DEFAULT_GPG_KEY" >&2
exit 1
fi
if [ -z " ${AWS_SESSION_TOKEN_DURATION} " ; then
export AWS_SESSION_TOKEN_DURATION=900
fi
export AWS_DEFAULT_REGION=us-east-1
export AWS_ACCESS_KEY_ID=` cat key.asc | gpg2 -d -r ${DEFAULT_GPG_KEY} --no-tty 2> /dev/null`
export AWS_SECRET_ACCESS_KEY=` cat skey.asc | gpg2 -d -r ${DEFAULT_GPG_KEY} --no-tty 2> /dev/null`
HASMFA=1
WHOAMI=` whoami`
MFASERIAL=` aws --output text iam list-mfa-devices --user-name ${WHOAMI} --query ' MFADevices[0].SerialNumber' `
if [ x" ${MFASERIAL} " = x" None" ; then
HASMFA=0
fi
if [ ${HASMFA} -eq 1 ]; then
ACCOUNT=` aws --output text sts get-caller-identity --query ' Account' `
TMPSTATE=/tmp/${ACCOUNT} .asc
GETNEW=1
if [ -e ${TMPSTATE} ]; then
TOKENAGE=$(( `date +% s` - `stat - f '% m' ${TMPSTATE} `))
if [ ${TOKENAGE} -lt ${AWS_SESSION_TOKEN_DURATION} ]; then
GETNEW=0
fi
fi
if [ ${GETNEW} -eq 1 ]; then
ACCOUNTALIAS=` aws --output text iam list-account-aliases --query ' AccountAliases[0]' `
if [ x" ${ACCOUNTALIAS} " = x" None" ; then
echo -n " MFA code for ${WHOAMI} @${ACCOUNT} : "
else
echo -n " MFA code for ${WHOAMI} @${ACCOUNTALIAS} : "
fi
read TOKENCODE
STS=` aws --output text sts get-session-token --serial-number " ${MFASERIAL} " ${TOKENCODE} --duration ${AWS_SESSION_TOKEN_DURATION} `
echo ${STS} | gpg2 -ae -r ${DEFAULT_GPG_KEY} > ${TMPSTATE}
else
STS=` cat ${TMPSTATE} | gpg2 -d -r ${DEFAULT_GPG_KEY} --no-tty 2> /dev/null`
fi
export AWS_ACCESS_KEY_ID=` echo ${STS} | awk ' {print $2}' `
export AWS_SECRET_ACCESS_KEY=` echo ${STS} | awk ' {print $4}' `
export AWS_SESSION_TOKEN=` echo ${STS} | awk ' {print $5}' `
fi
defanator created this gist