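#!/bin/bash
# Attach or detach the AWS-managed AWSDenyAll policy to/from one IAM role in
# every account of the organization. Run from the management account; each
# member account is reached by assuming OrganizationAccountAccessRole there.
#
# usage
#   script.sh attach role_name
#   script.sh detach role_name
#
# Exit status: 0 when every account was processed, 1 when at least one account
# was skipped or failed, 2 on bad arguments.
set -uo pipefail

MODE="${1:-}"
ROLE_NAME="${2:-}"
readonly DENYPOLICY_ARN="arn:aws:iam::aws:policy/AWSDenyAll"

die() { printf '%s\n' "$*" >&2; exit 1; }

usage() {
  printf 'usage: %s attach|detach role_name\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Apply MODE to ROLE_NAME inside a single member account.
# Globals:   MODE, ROLE_NAME, DENYPOLICY_ARN (read)
# Arguments: $1 - 12-digit account id
# Returns:   0 on success; 1 if the role could not be assumed or the IAM call
#            failed. The account is then left untouched.
#######################################
process_account() {
  local acc=$1
  local out

  printf 'checking account %s now\n' "$acc"

  # Bail out of this account if assume-role fails. Continuing with empty
  # credential variables would let the AWS CLI fall back to the caller's own
  # credentials, i.e. the IAM change would silently land in the management
  # account instead of the member account.
  out=$(aws sts assume-role \
          --role-arn "arn:aws:iam::${acc}:role/OrganizationAccountAccessRole" \
          --role-session-name "ckecking-account-${acc}") || {
    printf 'skipping account %s: assume-role failed\n' "$acc" >&2
    return 1
  }

  # The temporary credentials are scoped to this subshell, so they can never
  # leak into the parent environment and nothing has to be unset afterwards.
  (
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' <<<"$out") || exit 1
    AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' <<<"$out") || exit 1
    AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' <<<"$out") || exit 1
    # jq prints the literal "null" for a missing key; treat that as a failure
    # rather than calling IAM with garbage credentials.
    [[ -n "$AWS_ACCESS_KEY_ID" && "$AWS_ACCESS_KEY_ID" != null ]] || exit 1

    printf '%sing %s to %s\n' "$MODE" "$DENYPOLICY_ARN" "$ROLE_NAME"
    case "$MODE" in
      attach)
        aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$DENYPOLICY_ARN"
        ;;
      detach)
        aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$DENYPOLICY_ARN"
        ;;
      *)
        # unreachable: MODE is validated in main before any account is touched
        printf 'unknown mode\n' >&2
        exit 1
        ;;
    esac
  ) || {
    printf 'account %s: %s failed\n' "$acc" "$MODE" >&2
    return 1
  }

  printf 'checking account %s completed\n' "$acc"
  return 0
}

main() {
  local list
  local -a accounts failed=()
  local acc

  # Validate arguments before assuming into any account, so a typo in the
  # mode or an empty role name does not produce N useless assume-role calls.
  case "$MODE" in
    attach|detach) ;;
    *) printf 'unknown mode\n' >&2; usage ;;
  esac
  [[ -n "$ROLE_NAME" ]] || usage

  list=$(aws organizations list-accounts --query 'Accounts[*].Id' --output text) \
    || die "cannot list organization accounts"
  # --output text emits the ids separated by whitespace; normalise to one per
  # line so mapfile gives a clean array (empty output -> empty array).
  mapfile -t accounts < <(printf '%s\n' "$list" | tr -s '[:space:]' '\n')
  (( ${#accounts[@]} > 0 )) || die "no accounts found in the organization"

  for acc in "${accounts[@]}"; do
    process_account "$acc" || failed+=("$acc")
  done

  if (( ${#failed[@]} > 0 )); then
    printf 'failed or skipped accounts: %s\n' "${failed[*]}" >&2
    return 1
  fi
  return 0
}

main "$@"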