Unverified Commit 23f9348e authored by Sergei Shvetsov's avatar Sergei Shvetsov Committed by GitHub
Browse files

fix(aws): allow for profile switch w/o MFA configured (#9924)

parent e4f6f169
...@@ -62,47 +62,47 @@ function acp() { ...@@ -62,47 +62,47 @@ function acp() {
read -r sess_duration read -r sess_duration
fi fi
mfa_opt=(--serial-number "$mfa_serial" --token-code "$mfa_token" --duration-seconds "${sess_duration:-3600}") mfa_opt=(--serial-number "$mfa_serial" --token-code "$mfa_token" --duration-seconds "${sess_duration:-3600}")
fi
# Now see whether we need to just MFA for the current role, or assume a different one # Now see whether we need to just MFA for the current role, or assume a different one
local role_arn="$(aws configure get role_arn --profile $profile)" local role_arn="$(aws configure get role_arn --profile $profile)"
local sess_name="$(aws configure get role_session_name --profile $profile)" local sess_name="$(aws configure get role_session_name --profile $profile)"
if [[ -n "$role_arn" ]]; then
# Means we need to assume a specified role
aws_command=(aws sts assume-role --role-arn "$role_arn" "${mfa_opt[@]}")
# Check whether external_id is configured to use while assuming the role if [[ -n "$role_arn" ]]; then
local external_id="$(aws configure get external_id --profile $profile)" # Means we need to assume a specified role
if [[ -n "$external_id" ]]; then aws_command=(aws sts assume-role --role-arn "$role_arn" "${mfa_opt[@]}")
aws_command+=(--external-id "$external_id")
fi
# Get source profile to use to assume role # Check whether external_id is configured to use while assuming the role
local source_profile="$(aws configure get source_profile --profile $profile)" local external_id="$(aws configure get external_id --profile $profile)"
if [[ -z "$sess_name" ]]; then if [[ -n "$external_id" ]]; then
sess_name="${source_profile:-profile}" aws_command+=(--external-id "$external_id")
fi fi
aws_command+=(--profile="${source_profile:-profile}" --role-session-name "${sess_name}")
echo "Assuming role $role_arn using profile ${source_profile:-profile}" # Get source profile to use to assume role
else local source_profile="$(aws configure get source_profile --profile $profile)"
# Means we only need to do MFA if [[ -z "$sess_name" ]]; then
aws_command=(aws sts get-session-token --profile="$profile" "${mfa_opt[@]}") sess_name="${source_profile:-profile}"
echo "Obtaining session token for profile $profile"
fi fi
aws_command+=(--profile="${source_profile:-profile}" --role-session-name "${sess_name}")
# Format output of aws command for easier processing echo "Assuming role $role_arn using profile ${source_profile:-profile}"
aws_command+=(--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text) else
# Means we only need to do MFA
aws_command=(aws sts get-session-token --profile="$profile" "${mfa_opt[@]}")
echo "Obtaining session token for profile $profile"
fi
# Run the aws command to obtain credentials # Format output of aws command for easier processing
local -a credentials aws_command+=(--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text)
credentials=(${(ps:\t:)"$(${aws_command[@]})"})
if [[ -n "$credentials" ]]; then # Run the aws command to obtain credentials
aws_access_key_id="${credentials[1]}" local -a credentials
aws_secret_access_key="${credentials[2]}" credentials=(${(ps:\t:)"$(${aws_command[@]})"})
aws_session_token="${credentials[3]}"
fi if [[ -n "$credentials" ]]; then
aws_access_key_id="${credentials[1]}"
aws_secret_access_key="${credentials[2]}"
aws_session_token="${credentials[3]}"
fi fi
# Switch to AWS profile # Switch to AWS profile
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment