limed · February 15, 2019 02:03
diff --git a/create-role-user b/create-role-user
 #!/usr/bin/env bash

 set -o errexit
 set -o pipefail

 USERNAME=$1
 ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)

 errexit() {
    echo "$1"
    exit 1
 }

 if [ -z "${USERNAME}" ]; then
    errexit "Usage: $0 <IAM Username>"
 fi


 if [ -z "${ACCOUNT_ID}" ]; then
    errexit "Account ID is not set"
 fi

 # I created an assume role policy and ran jq '.|tostring' assume-role.json
 ASSUME_ROLE_POLICY="{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::${ACCOUNT_ID}:user/${USERNAME}\"},\"Action\":\"sts:AssumeRole\"}]}"

 ## TODO: enforce mfa
 STS_ASSUME="{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"sts:AssumeRole\",\"Resource\":[\"arn:aws:iam::${ACCOUNT_ID}:role/\${aws:username}\"]}]}"

 echo "Checking if IAM user exists"
 aws iam get-user --user-name "${USERNAME}" || errexit "User ${USERNAME} does not exists"

 echo "Checking if role exists"
 #aws iam get-role --role-name "${USERNAME}"
 ROLE_NAME=$(aws iam list-roles --query "Roles[?RoleName == '${USERNAME}']" --output text)

 if [ -z "${ROLE_NAME}" ]; then
    echo "Creating role ${USERNAME}"
    aws iam create-role --role-name "${USERNAME}" --assume-role-policy-document "${ASSUME_ROLE_POLICY}"

    # Sometimes IAM takes a while
    sleep 2

    echo "Attaching AdministratorAccess role to role ${USERNAME}"
    aws iam attach-role-policy --role-name "${USERNAME}" --policy-arn "arn:aws:iam::aws:policy/AdministratorAccess"
 fi

 echo "Allow user ${USERNAME} to assume role"
 aws iam put-user-policy --user-name "${USERNAME}" --policy-document "${STS_ASSUME}" --policy-name "sts-allow"
	#!/usr/bin/env bash

	set -o errexit
	set -o pipefail

	USERNAME=$1
	ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)

	errexit() {
	echo "$1"
	exit 1
	}

	if [ -z "${USERNAME}" ]; then
	errexit "Usage: $0 <IAM Username>"
	fi


	if [ -z "${ACCOUNT_ID}" ]; then
	errexit "Account ID is not set"
	fi

	# I created an assume role policy and ran jq '.\|tostring' assume-role.json
	ASSUME_ROLE_POLICY="{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::${ACCOUNT_ID}:user/${USERNAME}\"},\"Action\":\"sts:AssumeRole\"}]}"

	## TODO: enforce mfa
	STS_ASSUME="{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"sts:AssumeRole\",\"Resource\":[\"arn:aws:iam::${ACCOUNT_ID}:role/\${aws:username}\"]}]}"

	echo "Checking if IAM user exists"
	aws iam get-user --user-name "${USERNAME}" \|\| errexit "User ${USERNAME} does not exists"

	echo "Checking if role exists"
	#aws iam get-role --role-name "${USERNAME}"
	ROLE_NAME=$(aws iam list-roles --query "Roles[?RoleName == '${USERNAME}']" --output text)

	if [ -z "${ROLE_NAME}" ]; then
	echo "Creating role ${USERNAME}"
	aws iam create-role --role-name "${USERNAME}" --assume-role-policy-document "${ASSUME_ROLE_POLICY}"

	# Sometimes IAM takes a while
	sleep 2

	echo "Attaching AdministratorAccess role to role ${USERNAME}"
	aws iam attach-role-policy --role-name "${USERNAME}" --policy-arn "arn:aws:iam::aws:policy/AdministratorAccess"
	fi

	echo "Allow user ${USERNAME} to assume role"
	aws iam put-user-policy --user-name "${USERNAME}" --policy-document "${STS_ASSUME}" --policy-name "sts-allow"