Script to validate Okta session and set AWS environment variables.
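#!/bin/zsh
#
# aws-auth - Fetch valid credentials from aws credentials
# file and export as environment variables. Checks to
# ensure the provided profile has been configured in the
# okta-aws-cli-assume-role 'profiles' file in ~/.okta
# Also validates profile expiration time, and renews
# the STS token if the profile is expired.
#
# Chris Kizziar <[email protected]>, 2019
#
# Configure: Create a shell function to source this file,
# otherwise environment variables will not be available to
# the parent shell. Example for zsh:
#
#   function okta-auth {
#     . okta_setprofile $1
#   }
#
# USAGE:
#   $okta-auth              ### Returns current active profile
#                           (if any), whether the token is expired,
#                           and if the token is valid, for how much longer.
#   $okta-auth myprofile    ### Sets the active profile, renews the token if
#                           expired, and prompts for creation of profiles
#                           not configured.
#
# Because this file is sourced, every early stop below is a `return`, never
# `exit`: an `exit` here would terminate the caller's interactive shell.
#
# Requires GNU date (gdate) for `-d`, and the okta-aws-cli-assume-role
# `withokta` wrapper for renewing the STS token.

# Set baseline variables for time, profile to be activated, and the
# credentials and profile file locations.
cur_time=$(gdate +%s)
profiles="$HOME/.okta/profiles"
credentials="$HOME/.aws/credentials"

# No arguments: report the current active profile and token validity.
if [ $# -eq 0 ]; then
  if [ -z "${ACTIVE_PROFILE}" ]; then
    echo -e "No active profile set. Run okta-auth with a profile name to set it. Example:\n\e[1;33mokta-auth myprofile\e[0m"
    return
  fi
  # The profiles file records the expiry within the few lines that follow
  # "source_profile = <name>"; take the value of "profile_expiry = <ts>".
  awk_profile=$(grep -A 4 -- "source_profile = ${ACTIVE_PROFILE}" "${profiles}" | grep "profile_expiry" | awk '{ print $3 }')
  profile_expiry=$(gdate +%s -d"${awk_profile}")
  # Compare as integers. The former string comparison (>) only worked while
  # both epoch values had the same number of digits; an empty/failed gdate
  # result evaluates to 0 here and is therefore treated as expired.
  if (( profile_expiry > cur_time )); then
    # Parenthesise the difference before dividing; without it only cur_time
    # was divided by 60 and the reported minutes were nonsense.
    echo -e "\e[1;33m########################################\n## AWS OKTA Profile Set To: ${ACTIVE_PROFILE}\n## Profile Expires In: $(( (profile_expiry - cur_time) / 60 )) minutes.\n########################################\e[0m"
  else
    echo -e "The current profile is set to \e[1;33m${ACTIVE_PROFILE}\e[0m but the token has expired. To renew it, run:\n\e[1;33mokta-auth ${ACTIVE_PROFILE}\e[0m"
  fi
  return
fi

# Set ACTIVE_PROFILE value from the argument.
ACTIVE_PROFILE=$1

# Both input files must be readable before anything is looked up in them.
if [[ ! -r "${credentials}" ]]; then
  echo "File not found: '${credentials}'" >&2
  return 3
fi
if [[ ! -r "${profiles}" ]]; then
  echo "File not found: '${profiles}'" >&2
  return 3
fi

# Check whether the profile has been used before; if not, prompt to create it
# or correct the profile name. -F -x: a whole line must equal "[name]".
if ! grep -Fxq -- "[${ACTIVE_PROFILE}]" "${profiles}"; then
  echo -e "Profile \033[1m${ACTIVE_PROFILE}\033[0m not found, do you want to (c)reate it, (r)e-enter it, or e(x)it?"
  read -r yno
  case "${yno}" in
    [cC])
      withokta "aws --profile ${ACTIVE_PROFILE} sts get-caller-identity"
      ;;
    [rR])
      echo -n "What should the profile name be? "
      read -r ACTIVE_PROFILE
      # Re-source this file with the corrected name and stop here.
      . "$0" "${ACTIVE_PROFILE}"
      return
      ;;
    [xX])
      echo "Ok, goodbye."
      return 1
      ;;
    *)
      # Do not fall through and export credentials for a profile that does
      # not exist.
      echo "Invalid input" >&2
      return 1
      ;;
  esac
fi

# Get the profile expiration time; if it has passed, renew the token.
expiry=$(grep -A 4 -- "source_profile = ${ACTIVE_PROFILE}" "${profiles}" | grep "profile_expiry" | awk '{ print $3 }')
profile_expiry=$(gdate +%s -d"${expiry}")
if (( profile_expiry > cur_time )); then
  echo "The current profile is still valid for another $(( (profile_expiry - cur_time) / 60 )) minutes."
else
  echo "The current profile is expired. Let's fix that."
  withokta "aws --profile ${ACTIVE_PROFILE} sts get-caller-identity"
fi

# Pull the credential values from the profile's section of the aws
# credentials file and export them. Anchoring on the "[name]" section header
# (instead of the bare name) stops a profile such as "dev" from matching
# "devops", or any line that merely contains the name. These secrets now live
# in the shell environment and are inherited by every child process.
export AWS_ACCESS_KEY_ID=$(grep -A 4 -F -- "[${ACTIVE_PROFILE}]" "${credentials}" | grep "aws_access_key_id" | awk '{ print $3 }')
export AWS_SECRET_ACCESS_KEY=$(grep -A 4 -F -- "[${ACTIVE_PROFILE}]" "${credentials}" | grep "aws_secret_access_key" | awk '{ print $3 }')
export AWS_DEFAULT_REGION=$(grep -A 4 -F -- "[${ACTIVE_PROFILE}]" "${credentials}" | grep "region" | awk '{ print $3 }')
export AWS_SESSION_TOKEN=$(grep -A 4 -F -- "[${ACTIVE_PROFILE}]" "${credentials}" | grep "aws_session_token" | awk '{ print $3 }')

# Clear script variables from the environment. ACTIVE_PROFILE is deliberately
# kept: the no-argument invocation above reads it to report the active profile,
# which could never work while it was unset here.
unset cur_time profiles credentials expiry awk_profile profile_expiry yno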