discorev · June 26, 2023 10:12
diff --git a/mfa.sh b/mfa.sh
 #!/bin/bash

 POSITIONAL=()
 while [[ $# -gt 0 ]]
 do
 key="$1"

 case $key in
    -p|--profile)
    AWS_PROFILE="$2"
    shift # past argument
    shift # past value
    ;;
    -c|--code)
    MFA_CODE="$2"
    shift # past argument
    shift # past value
    ;;
    *)    # unknown option
    POSITIONAL+=("$1") # save it in an array for later
    shift # past argument
    ;;
 esac
 done
 set -- "${POSITIONAL[@]}" # restore positional parameters

 if [ -z "$AWS_PROFILE" ]; then
    AWS_PROFILE="default"
 fi

 MFA_PROFILE=${AWS_PROFILE}-mfa
 if [ $AWS_PROFILE = "default" ]; then
    MFA_PROFILE=mfa
 fi

 AWS_USER=$(aws iam get-user | jq -r '.User.UserName')
 AWS_MFA_DEVICE_LIST=$(aws iam list-mfa-devices --profile ${AWS_PROFILE} --query 'MFADevices[*].SerialNumber' | jq -r '[.[] | select(contains("mfa"))]')

 YUBI_DEVICE=`ykman list --serials`
 APPLICATION=oath

 # Check for the YubiKey first so that we can fall back to standard MFA if it's not registered for this account
 if [ -n "$YUBI_DEVICE" ]; then
    # Select the MFA serial for the currently connected yubikey
    MFA_SERIAL_SUFFIX=":mfa/yubikey/${APPLICATION}/${YUBI_DEVICE}"
    mfa_device_serial=$(echo $AWS_MFA_DEVICE_LIST | jq -r ".[] | select(endswith(\"${MFA_SERIAL_SUFFIX}\"))")

    if [ -n "$mfa_device_serial" ]; then
        if [ -z "$MFA_CODE" ]; then
            MFA_CODE=$(ykman --device $YUBI_DEVICE $APPLICATION accounts code $mfa_device_serial)
            MFA_CODE=${MFA_CODE:(-6)}
        fi
    else
        # The device is not registered with this account - fall back to standard MFA
        YUBI_DEVICE=""
    fi
 fi

 if [ -z "$YUBI_DEVICE" ]; then 
    # Get the non-yubikey MFA device (if present)
    mfa_device_serial=$(echo $AWS_MFA_DEVICE_LIST | jq -r '.[] | select(contains("yubikey") | not)')
    if [ -z "$mfa_device_serial" ]; then
        echo "Failed to find virtual MFA device"
        exit 1
    fi

    # Read an MFA code from the user
    if [ -z "$MFA_CODE" ]; then
        read -p 'MFA code: ' MFA_CODE
    fi
 fi

 mfa_response_json=`aws sts get-session-token --serial-number ${mfa_device_serial} --token-code ${MFA_CODE} --profile ${AWS_PROFILE}`
 if [ $? -eq 0 ]; then
    MFA_ACCESS_KEY=`echo $mfa_response_json | jq -r .Credentials.AccessKeyId`
    MFA_SECRET_KEY=`echo $mfa_response_json | jq -r .Credentials.SecretAccessKey`
    MFA_SESSION_TOKEN=`echo $mfa_response_json | jq -r .Credentials.SessionToken`
    aws configure set aws_access_key_id $MFA_ACCESS_KEY --profile ${MFA_PROFILE}
    aws configure set aws_secret_access_key $MFA_SECRET_KEY --profile ${MFA_PROFILE}
    aws configure set aws_session_token $MFA_SESSION_TOKEN --profile ${MFA_PROFILE}

    MFA_EXPIRES=`echo $mfa_response_json | jq .Credentials.Expiration`
    echo "MFA ACCESS KEY = ${MFA_ACCESS_KEY}"
    echo "MFA EXPIRES = ${MFA_EXPIRES}"
 fi
	#!/bin/bash

	POSITIONAL=()
	while [[ $# -gt 0 ]]
	do
	key="$1"

	case $key in
	-p\|--profile)
	AWS_PROFILE="$2"
	shift # past argument
	shift # past value
	;;
	-c\|--code)
	MFA_CODE="$2"
	shift # past argument
	shift # past value
	;;
	*) # unknown option
	POSITIONAL+=("$1") # save it in an array for later
	shift # past argument
	;;
	esac
	done
	set -- "${POSITIONAL[@]}" # restore positional parameters

	if [ -z "$AWS_PROFILE" ]; then
	AWS_PROFILE="default"
	fi

	MFA_PROFILE=${AWS_PROFILE}-mfa
	if [ $AWS_PROFILE = "default" ]; then
	MFA_PROFILE=mfa
	fi

	AWS_USER=$(aws iam get-user \| jq -r '.User.UserName')
	AWS_MFA_DEVICE_LIST=$(aws iam list-mfa-devices --profile ${AWS_PROFILE} --query 'MFADevices[*].SerialNumber' \| jq -r '[.[] \| select(contains("mfa"))]')

	YUBI_DEVICE=`ykman list --serials`
	APPLICATION=oath

	# Check for the YubiKey first so that we can fall back to standard MFA if it's not registered for this account
	if [ -n "$YUBI_DEVICE" ]; then
	# Select the MFA serial for the currently connected yubikey
	MFA_SERIAL_SUFFIX=":mfa/yubikey/${APPLICATION}/${YUBI_DEVICE}"
	mfa_device_serial=$(echo $AWS_MFA_DEVICE_LIST \| jq -r ".[] \| select(endswith(\"${MFA_SERIAL_SUFFIX}\"))")

	if [ -n "$mfa_device_serial" ]; then
	if [ -z "$MFA_CODE" ]; then
	MFA_CODE=$(ykman --device $YUBI_DEVICE $APPLICATION accounts code $mfa_device_serial)
	MFA_CODE=${MFA_CODE:(-6)}
	fi
	else
	# The device is not registered with this account - fall back to standard MFA
	YUBI_DEVICE=""
	fi
	fi

	if [ -z "$YUBI_DEVICE" ]; then
	# Get the non-yubikey MFA device (if present)
	mfa_device_serial=$(echo $AWS_MFA_DEVICE_LIST \| jq -r '.[] \| select(contains("yubikey") \| not)')
	if [ -z "$mfa_device_serial" ]; then
	echo "Failed to find virtual MFA device"
	exit 1
	fi

	# Read an MFA code from the user
	if [ -z "$MFA_CODE" ]; then
	read -p 'MFA code: ' MFA_CODE
	fi
	fi

	mfa_response_json=`aws sts get-session-token --serial-number ${mfa_device_serial} --token-code ${MFA_CODE} --profile ${AWS_PROFILE}`
	if [ $? -eq 0 ]; then
	MFA_ACCESS_KEY=`echo $mfa_response_json \| jq -r .Credentials.AccessKeyId`
	MFA_SECRET_KEY=`echo $mfa_response_json \| jq -r .Credentials.SecretAccessKey`
	MFA_SESSION_TOKEN=`echo $mfa_response_json \| jq -r .Credentials.SessionToken`
	aws configure set aws_access_key_id $MFA_ACCESS_KEY --profile ${MFA_PROFILE}
	aws configure set aws_secret_access_key $MFA_SECRET_KEY --profile ${MFA_PROFILE}
	aws configure set aws_session_token $MFA_SESSION_TOKEN --profile ${MFA_PROFILE}

	MFA_EXPIRES=`echo $mfa_response_json \| jq .Credentials.Expiration`
	echo "MFA ACCESS KEY = ${MFA_ACCESS_KEY}"
	echo "MFA EXPIRES = ${MFA_EXPIRES}"
	fi