You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
88 lines
3.2 KiB
Bash
88 lines
3.2 KiB
Bash
#!/usr/bin/env bash
|
|
# vim:ts=4:sts=4:sw=4:et
|
|
#
|
|
# Author: Hari Sekhon
|
|
# Date: 2021-02-20 17:26:21 +0000 (Sat, 20 Feb 2021)
|
|
#
|
|
# https://github.com/HariSekhon/bash-tools
|
|
#
|
|
# License: see accompanying Hari Sekhon LICENSE file
|
|
#
|
|
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
|
|
#
|
|
# https://www.linkedin.com/in/HariSekhon
|
|
#
|
|
|
|
set -euo pipefail
|
|
[ -n "${DEBUG:-}" ] && set -x
|
|
srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
|
|
# shellcheck disable=SC1090
|
|
. "$srcdir/lib/aws.sh"
|
|
|
|
# shellcheck disable=SC2034,SC2154
|
|
usage_description="
|
|
Creates an AWS service account for AWS CLI to avoid having to re-login every day via SSO with 'aws sso login'
|
|
|
|
Grants this service account Administator privileges in the current AWS account
|
|
|
|
Creates an IAM access key (deleting an older unused key if necessary), writes a CSV just as the UI download would, and outputs both shell export commands and configuration in the format for copying to your AWS profile in ~/.aws/credentials
|
|
|
|
The following optional arguments can be given:
|
|
|
|
- user name (default: \$USER-cli)
|
|
- keyfile (default: ~/.aws/keys/\${user}_\${aws_account_id}_accessKeys.csv) - be careful if specifying this, a non-existent keyfile will create a new key, deleting the older of 2 existing keys if necessary to be able to create this
|
|
|
|
This can also be used as a backup credential - this way if something accidentally happens to your AWS SSO you can still get into your account
|
|
|
|
Idempotent - safe to re-run, will skip creating a user that already exists or CSV export that already exists
|
|
|
|
|
|
$usage_aws_cli_required
|
|
"
|
|
|
|
# used by usage() in lib/utils.sh
|
|
# shellcheck disable=SC2034
|
|
usage_args="[<username> <keyfile> <group_or_policy>]"
|
|
|
|
help_usage "$@"
|
|
|
|
#min_args 1 "$@"
|
|
|
|
user="${1:-$USER-cli}"
|
|
|
|
aws_account_id="$(aws sts get-caller-identity --query Account --output text)"
|
|
|
|
access_keys_csv="${2:-$HOME/.aws/keys/${user}_${aws_account_id}_accessKeys.csv}"
|
|
|
|
group="${3:-Admins}"
|
|
policy="${3:-AdministratorAccess}"
|
|
|
|
export AWS_DEFAULT_OUTPUT=json
|
|
|
|
aws_create_user_if_not_exists "$user"
|
|
|
|
exports="$(aws_create_access_key_if_not_exists "$user" "$access_keys_csv")"
|
|
|
|
if aws iam list-groups | jq -e ".Groups[] | select(.GroupName == \"$group\")" >/dev/null; then
|
|
timestamp "Adding user '$user' to group '$group' on account '$aws_account_id'"
|
|
aws iam add-user-to-group --user-name "$user" --group-name "$group"
|
|
elif aws iam list-policies | jq -e ".Policies[] | select(.PolicyName == \"$policy\")" >/dev/null; then
|
|
#timestamp "Group '$group' not found in to account '$aws_account_id'"
|
|
timestamp "Granting policy '$policy' permissions directly to user '$user' in account '$aws_account_id'"
|
|
aws iam attach-user-policy --user-name "$user" --policy-arn "arn:aws:iam::aws:policy/$policy"
|
|
else
|
|
die "Neither group '$group' nor policy '$policy' was found to assign to user '$user' in account '$aws_account_id'"
|
|
fi
|
|
|
|
echo
|
|
echo "Set the following export commands in your environment to begin using this access key in your CLI immediately:"
|
|
echo
|
|
echo "$exports"
|
|
echo
|
|
echo "or add the following to your ~/.aws/credentials file:"
|
|
echo
|
|
aws_access_keys_exports_to_credentials <<< "$exports"
|
|
echo
|
|
echo
|