mirror of
https://github.com/ohmyzsh/ohmyzsh.git
synced 2024-12-01 18:20:08 +00:00
fix(aws): fix acp function for MFA without role and other fixes (#9426)
* fix(aws): don't duplicate aws_prompt_info function in RPROMPT * refactor(aws): clean up logic in acp function and fix session duration input Fixes #9409
This commit is contained in:
parent
fc82aff77c
commit
dc4692b53e
1 changed files with 65 additions and 58 deletions
|
@ -26,7 +26,8 @@ function asp() {
|
||||||
# AWS profile switch
|
# AWS profile switch
|
||||||
function acp() {
|
function acp() {
|
||||||
if [[ -z "$1" ]]; then
|
if [[ -z "$1" ]]; then
|
||||||
unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
|
unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE
|
||||||
|
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
|
||||||
echo AWS profile cleared.
|
echo AWS profile cleared.
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
@ -39,73 +40,79 @@ function acp() {
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local aws_access_key_id="$(aws configure get aws_access_key_id --profile $1)"
|
local profile="$1"
|
||||||
local aws_secret_access_key="$(aws configure get aws_secret_access_key --profile $1)"
|
|
||||||
local aws_session_token="$(aws configure get aws_session_token --profile $1)"
|
# Get fallback credentials for if the aws command fails or no command is run
|
||||||
local mfa_serial="$(aws configure get mfa_serial --profile $1)"
|
local aws_access_key_id="$(aws configure get aws_access_key_id --profile $profile)"
|
||||||
local role_arn="$(aws configure get role_arn --profile $1)"
|
local aws_secret_access_key="$(aws configure get aws_secret_access_key --profile $profile)"
|
||||||
|
local aws_session_token="$(aws configure get aws_session_token --profile $profile)"
|
||||||
|
|
||||||
|
|
||||||
# First, if the profile has MFA configured, lets get the token and session duration
|
# First, if the profile has MFA configured, lets get the token and session duration
|
||||||
local mfa_opt=""
|
local mfa_serial="$(aws configure get mfa_serial --profile $profile)"
|
||||||
|
|
||||||
if [[ -n $mfa_serial ]]; then
|
if [[ -n "$mfa_serial" ]]; then
|
||||||
local mfa_token=""
|
local -a mfa_opt
|
||||||
echo "Please enter your MFA token for $mfa_serial:"
|
local mfa_token sess_duration
|
||||||
|
echo -n "Please enter your MFA token for $mfa_serial: "
|
||||||
read -r mfa_token
|
read -r mfa_token
|
||||||
echo "Please enter the session duration in seconds (900-43200; default: 3600, which is the default maximum for a role):"
|
echo -n "Please enter the session duration in seconds (900-43200; default: 3600, which is the default maximum for a role): "
|
||||||
read -r sess_duration
|
read -r sess_duration
|
||||||
if [[ -z $sess_duration ]]; then
|
mfa_opt=(--serial-number "$mfa_serial" --token-code "$mfa_token" --duration-seconds "${sess_duration:-3600}")
|
||||||
sess_duration="3600"
|
|
||||||
fi
|
|
||||||
mfa_opt="--serial-number $mfa_serial --token-code $mfa_token --duration-seconds $sess_duration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Now see whether we need to just MFA for the current role, or assume a different one
|
# Now see whether we need to just MFA for the current role, or assume a different one
|
||||||
local credentials_output=""
|
local role_arn="$(aws configure get role_arn --profile $profile)"
|
||||||
if [[ -n $role_arn ]]; then
|
|
||||||
|
if [[ -n "$role_arn" ]]; then
|
||||||
# Means we need to assume a specified role
|
# Means we need to assume a specified role
|
||||||
|
aws_command=(aws sts assume-role --role-arn "$role_arn" "${mfa_opt[@]}")
|
||||||
|
|
||||||
# Check whether external_id is configured to use while assuming the role
|
# Check whether external_id is configured to use while assuming the role
|
||||||
local ext_id="$(aws configure get external_id --profile $1)"
|
local external_id="$(aws configure get external_id --profile "$profile")"
|
||||||
local extid_opt=""
|
if [[ -n "$external_id" ]]; then
|
||||||
if [[ -n $ext_id ]]; then
|
aws_command+=(--external-id "$external_id")
|
||||||
extid_opt="--external-id $ext_id"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Get source profile to use to assume role
|
# Get source profile to use to assume role
|
||||||
local profile=$1
|
local source_profile="$(aws configure get source_profile --profile "$profile")"
|
||||||
local source_profile="$(aws configure get source_profile --profile "$1")"
|
aws_command+=(--profile="${source_profile:-profile}" --role-session-name "${source_profile:-profile}")
|
||||||
if [[ -n $source_profile ]]; then
|
|
||||||
profile=$source_profile
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Assuming role $role_arn using profile $profile"
|
echo "Assuming role $role_arn using profile ${source_profile:-profile}"
|
||||||
local assume_cmd=(aws sts assume-role "--profile=$profile" "--role-arn $role_arn" "--role-session-name $profile" "$mfa_opt" "$extid_opt"
|
else
|
||||||
"--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text | tr '\t' '\n'")
|
|
||||||
credentials_output="$(eval "${assume_cmd[@]}")"
|
|
||||||
elif [[ -n $mfa_opt ]]; then
|
|
||||||
# Means we only need to do MFA
|
# Means we only need to do MFA
|
||||||
|
aws_command=(aws sts get-session-token --profile="$profile" "${mfa_opt[@]}")
|
||||||
echo "Obtaining session token for profile $profile"
|
echo "Obtaining session token for profile $profile"
|
||||||
local get_token_cmd=(aws sts get-session-token "--profile=$profile" "$mfa_opt"
|
|
||||||
"--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text | tr '\t' '\n'")
|
|
||||||
credentials_output="$(eval "${get_token_cmd[@]}")"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -n $credentials_output ]]; then
|
# Format output of aws command for easier processing
|
||||||
local credentials=("${(f)credentials_output}")
|
aws_command+=(--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text)
|
||||||
aws_access_key_id=${credentials[1]}
|
|
||||||
aws_secret_access_key=${credentials[2]}
|
# Run the aws command to obtain credentials
|
||||||
aws_session_token=${credentials[3]}
|
local -a credentials
|
||||||
|
credentials=(${(ps:\t:)"$(${aws_command[@]})"})
|
||||||
|
|
||||||
|
if [[ -n "$credentials" ]]; then
|
||||||
|
aws_access_key_id="${credentials[1]}"
|
||||||
|
aws_secret_access_key="${credentials[2]}"
|
||||||
|
aws_session_token="${credentials[3]}"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -n $aws_access_key_id && -n $aws_secret_access_key ]]; then
|
# Switch to AWS profile
|
||||||
export AWS_DEFAULT_PROFILE=$1
|
if [[ -n "${aws_access_key_id}" && -n "$aws_secret_access_key" ]]; then
|
||||||
export AWS_PROFILE=$1
|
export AWS_DEFAULT_PROFILE="$profile"
|
||||||
export AWS_EB_PROFILE=$1
|
export AWS_PROFILE="$profile"
|
||||||
export AWS_ACCESS_KEY_ID=$aws_access_key_id
|
export AWS_EB_PROFILE="$profile"
|
||||||
export AWS_SECRET_ACCESS_KEY=$aws_secret_access_key
|
export AWS_ACCESS_KEY_ID="$aws_access_key_id"
|
||||||
[[ -z "$aws_session_token" ]] && unset AWS_SESSION_TOKEN || export AWS_SESSION_TOKEN=$aws_session_token
|
export AWS_SECRET_ACCESS_KEY="$aws_secret_access_key"
|
||||||
echo "Switched to AWS Profile: $1"
|
|
||||||
|
if [[ -n "$aws_session_token" ]]; then
|
||||||
|
export AWS_SESSION_TOKEN="$aws_session_token"
|
||||||
|
else
|
||||||
|
unset AWS_SESSION_TOKEN
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Switched to AWS Profile: $profile"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -141,7 +148,7 @@ function aws_prompt_info() {
|
||||||
echo "${ZSH_THEME_AWS_PREFIX:=<aws:}${AWS_PROFILE}${ZSH_THEME_AWS_SUFFIX:=>}"
|
echo "${ZSH_THEME_AWS_PREFIX:=<aws:}${AWS_PROFILE}${ZSH_THEME_AWS_SUFFIX:=>}"
|
||||||
}
|
}
|
||||||
|
|
||||||
if [ "$SHOW_AWS_PROMPT" != false ]; then
|
if [[ "$SHOW_AWS_PROMPT" != false && "$RPROMPT" != *'$(aws_prompt_info)'* ]]; then
|
||||||
RPROMPT='$(aws_prompt_info)'"$RPROMPT"
|
RPROMPT='$(aws_prompt_info)'"$RPROMPT"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue