-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathaws-cli-mfa.py
More file actions
executable file
·194 lines (163 loc) · 7.6 KB
/
aws-cli-mfa.py
File metadata and controls
executable file
·194 lines (163 loc) · 7.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
#!/usr/bin/env python3
"""
A tool to quickly get and set your MFA token, to make using the CLI easier.
"""
__author__ = "Bruno Cacheira"
__version__ = "0.3.0"
__license__ = "MIT"
__maintainer__ = "Bruno Cacheira"
__status__ = "Prototype"
import os
import json
import argparse
import subprocess
import configparser
import sys
# If logzero is available, use it, else, go standard
try:
import logzero
from logzero import logger
except ImportError:
# If logzero is not available, we use standard logging
import logging as logger
logger.basicConfig(filename='aws-cli-mfa.log',
filemode='w',
format='[%(asctime)s] : %(levelname)s : %(message)s',
#level=logger.DEBUG
)
else:
# We configure logzero
# Set a logfile (all future log messages are also saved there), but disable the default stderr logging
logzero.logfile("aws-cli-mfa.log", disableStderrLogger=True)
CREDS_FILE = os.path.expanduser('~/.aws/credentials')
CONFIG_FILE = os.path.expanduser('~/.aws/config')
SESSION_DURATION = '43200' # The console default is 12 hours - https://aws.amazon.com/console/faqs/#session_expire
def trimProfileName(profile):
# in case you have a section [profile name]
if len(profile.split()) == 2:
return profile.split()[1]
### end
def getDefaultProfile( awsConfig ):
# It the ENV is set, it takes percedence
default = os.getenv('AWS_DEFAULT_PROFILE')
# If it's an *_mfa profile, trim it
# I could use split but...
if default != None and default[-4:] == "_mfa":
default = default[:-4]
if default:
logger.debug("Profile found in env(AWS_DEFAULT_PROFILE): " + default)
return default
# If not, let's see if there is a profile named "default"
if awsConfig.has_section("default"):
return "default"
# else, let's use the first option in the config file
if awsConfig.sections() == []:
logger.warning('"~/aws/config" is empty or misformatted')
return None
default = trimProfileName( awsConfig.sections()[0] )
logger.debug('Profile found in "~/aws/config": ' + default)
return( default )
### end
def getMfaArn( awsConfig, profile ):
print ("")
# to be implemented, replacing the profile concat hack
### end
def main():
# First, let's make sure we have a config file
if not os.path.exists(os.path.expanduser('~/.aws/config')):
logger.error('You need to define an AWS CLI config file in "~/.aws/config" first')
sys.exit(1)
# Let's read the config - we could read credentials, but config always exists and has mfa arn
awsConfig = configparser.ConfigParser()
awsConfig.read( os.path.expanduser('~/.aws/config') )
parser = argparse.ArgumentParser(description='Update your AWS CLI Token')
parser.add_argument('token',
help='token from your MFA device'
)
parser.add_argument('--profile',
help='AWS profile to store the session token.\
If unset, ENV(AWS_PROFILE) or first profile in "~/.aws/config" will be used.',
default = getDefaultProfile( awsConfig )
)
parser.add_argument('--arn',
help='AWS ARN from the IAM console (Security credentials -> Assigned MFA device).\
This is saved to your .aws/credentials file'
)
parser.add_argument('--credential-path',
help='path to the aws credentials file',
default=os.path.expanduser('~/.aws/credentials')
)
parser.add_argument('--duration',
help='The duration, in seconds, that the credentials should remain valid.',
default = SESSION_DURATION
)
args = parser.parse_args()
logger.info('Using profile "' + args.profile + '"')
# we'll simplify for now
if awsConfig.has_option( "profile " + args.profile , "mfa_serial" ):
configArn = awsConfig.get( "profile " + args.profile , "mfa_serial")
elif awsConfig.has_option( args.profile , "mfa_serial" ):
configArn = awsConfig.get( args.profile , "mfa_serial")
else:
configArn = None
if args.profile is None:
parser.error('Expecting --profile or profile set in environment AWS_DEFAULT_PROFILE, or in config file. e.g. "stage"')
logger.error('Expecting --profile or profile set in environment AWS__DEFAULT_PROFILE, or in config file. e.g. "stage"')
if args.profile not in awsConfig.sections():
if "profile " + args.profile not in awsConfig.sections():
parser.error('Invalid profile. Section not found in "~/.aws/config"')
logger.error('Invalid profile. Section not found in "~/.aws/config"')
# If the ARN is provided or in the config...
if args.arn is None:
if configArn is None:
parser.error('ARN is not provided. Please specify via --arn')
logger.error('ARN is not provided. Please specify via --arn')
else:
args.arn = configArn
"""
# should we write down the provided arn?
if args.arn is None:
if 'aws_arn_mfa' not in config[args.profile]:
parser.error('ARN is not provided. Specify via --arn')
args.arn = config[args.profile]['aws_arn_mfa']
else:
# Update the arn with user supplied one
config[args.profile]['aws_arn_mfa'] = args.arn
"""
# Now let's look at the credentials file
awsCreds = configparser.ConfigParser()
# file path should come from somewhere else
awsCreds.read( os.path.expanduser('~/.aws/credentials') )
# Generate the session token from the default profile based on the environment. We do not want to overwrite these profiles as we wouldn't
# be able to generate another token
logger.info( 'executing: ' +
'aws sts get-session-token --profile %s --duration-seconds %s --serial-number %s --token-code %s',
args.profile, args.duration, args.arn, args.token)
result = subprocess.run(['aws', 'sts', 'get-session-token',
'--profile', args.profile,
'--duration-seconds', args.duration,
'--serial-number', args.arn, '--token-code',
args.token], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
if result.returncode != 0:
logger.error( result.stderr.decode('utf-8').strip('\n') )
parser.error( result.stderr.decode('utf-8').strip('\n') )
logger.debug( 'Got response: ' + result.stdout.decode('utf-8').strip('\n') )
credentials = json.loads(result.stdout.decode('utf-8'))['Credentials']
profileMFA = args.profile + "_mfa"
# Lets eliminate old creds
awsCreds.remove_section( profileMFA )
# and set the new ones
awsCreds.add_section( profileMFA )
awsCreds[profileMFA]['aws_access_key_id'] = credentials['AccessKeyId']
awsCreds[profileMFA]['aws_secret_access_key'] = credentials['SecretAccessKey']
awsCreds[profileMFA]['aws_session_token'] = credentials['SessionToken']
# Save the changes back to the file
with open(CREDS_FILE, 'w') as configFile:
awsCreds.write(configFile)
print ("Credentials file set and valid until {}. If you want to use this profile, please use \
\n\n \t\033[1m export AWS_DEFAULT_PROFILE={} \033[0m\n".format(
credentials['Expiration'],
profileMFA ))
logger.info("Credentials file set and valid until " + credentials['Expiration'] )
if __name__== "__main__":
main()