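#!/bin/bash
#
# This script simply calls `aws sts assume-role` using the parameters configured below,
# in order to retrieve a set of session credentials and reformat them into
# ~/.aws/credentials file format. The credentials block is the ONLY thing written to
# stdout; every diagnostic goes to stderr, so `./assume-role-helper.sh >> ~/.aws/credentials`
# is safe.
#
# Usage: assume-role-helper.sh [MFA-TOKEN-CODE]
#   The optional argument is the current token code for SERIAL_MFA (it can also be set
#   via MFA_CODE below). Without a code the role is assumed without MFA.
#
# Mariusz B., mgeeky '19-20
#
#
# --------------------------
# Configure below variables.
#
# Below two values are REQUIRED
PROFILE_NAME=default
ROLE_NAME=
# Printed output role name (the [section] header of the credentials block).
# If left empty, "<PROFILE_NAME>-<SESSION_NAME>" is used.
OUTPUT_ROLE_NAME=
# If left empty, will be deduced from `aws sts get-caller-identity` output.
ACCOUNT_NUMBER=
# If left empty, will use ROLE_NAME
SESSION_NAME=
# If you leave this field empty - it will be deduced from `aws sts get-caller-identity` output
#SERIAL_MFA=arn:aws:iam::<NUMBER>:mfa/<USER-NAME>
SERIAL_MFA=
# Current MFA token code. Leave empty to pass it as the first script argument instead,
# or to skip MFA altogether.
MFA_CODE=
# Duration in seconds. Values possible range: 900-43200
# 1 hour - 3600, 2 hours - 7200, 3 hours - 10800, 6 hours - 21600, 12 hours - 43200
DURATION=3600
#
# --------------------------
#

# Print a message to stderr (stdout is reserved for the credentials block).
log() { printf '%s\n' "$*" >&2; }

# Print a message to stderr and exit with status 1.
die() { log "$*"; exit 1; }

# Validate the configuration before talking to AWS: an empty ROLE_NAME would produce
# a nonsensical role ARN, and an out-of-range DURATION is rejected by STS anyway.
[[ -n "$ROLE_NAME" ]] || die "[!] ROLE_NAME is required - edit the configuration section of this script."
if ! [[ "$DURATION" =~ ^[0-9]+$ ]] || (( DURATION < 900 || DURATION > 43200 )); then
  die "[!] DURATION must be an integer in the range 900-43200 seconds (got '$DURATION')."
fi

# The MFA token code comes from the first argument, else from MFA_CODE; empty means no MFA.
code=${1:-$MFA_CODE}

# Some times assume-role may return with an Access-Denied if there were no account authenticated
# regular commands sent first. stderr is captured too, so the actual failure reason is shown.
if ! out=$(aws --profile "$PROFILE_NAME" sts get-caller-identity 2>&1); then
  log "[!] Could not get caller's identity: "
  die "$out"
fi

if [[ -z "$SERIAL_MFA" ]]; then
  # Best effort: derives the MFA device ARN from the caller's user ARN. For a non-user
  # principal (e.g. an already-assumed role) this guess may be wrong or fail, in which
  # case SERIAL_MFA stays empty and MFA is simply not used below.
  SERIAL_MFA=$(printf '%s' "$out" | python3 -c "import sys,json; foo=json.loads(sys.stdin.read()); print('arn:aws:iam::{}:mfa/{}'.format(foo['Account'], foo['Arn'].split('/')[1]))" )
fi

if [[ -z "$ACCOUNT_NUMBER" ]]; then
  ACCOUNT_NUMBER=$(printf '%s' "$out" | python3 -c "import sys,json; foo=json.loads(sys.stdin.read()); print(foo['Account'])" )
fi
[[ -n "$ACCOUNT_NUMBER" ]] || die "[!] Could not determine the account number from get-caller-identity output."

if [[ -z "$SESSION_NAME" ]]; then
  SESSION_NAME=$ROLE_NAME
fi

ROLE_ARN="arn:aws:iam::$ACCOUNT_NUMBER:role/$ROLE_NAME"
log "[.] Using Role ARN: $ROLE_ARN"

# The command is built as an array so that no argument is ever word-split or globbed.
# Both branches use SESSION_NAME so the printed [section] header matches the session actually created.
cmd=(aws --profile "$PROFILE_NAME" sts assume-role
     --role-arn "$ROLE_ARN"
     --role-session-name "$SESSION_NAME"
     --duration-seconds "$DURATION")
if [[ -z "$code" || -z "$SERIAL_MFA" ]]; then
  log "[.] MFA not provided, will attempt to assume role without it."
else
  log "[.] Will attempt to assume role with MFA provided."
  cmd+=(--serial-number "$SERIAL_MFA" --token-code "$code")
fi

out=$("${cmd[@]}" 2>&1)
rc=$?

# Failure is detected from the CLI exit status AND the 'An error occurred' message, since
# some failure modes only surface through one of the two.
if (( rc != 0 )) || grep -q -i 'error occurred' <<<"$out"; then
  log "[!] Could not obtain assume-role session credentials:"
  log "$out"
  log ""
  # Pre-set AWS_* variables (e.g. AWS_PROFILE, AWS_ACCESS_KEY_ID) silently override the
  # --profile credentials and are a common cause of this failure. Only the NAMES are
  # listed: the values may be secrets and should not land in the terminal scrollback.
  preset_vars=$(env | grep -E 'AWS_[^=]+' | cut -d= -f1)
  if [[ -n "$preset_vars" ]]; then
    log "[!] Your command could fail because of pre-set AWS-related environment variables."
    printf '\t%s\n' "Please review them, correct any problems and re-launch that script." >&2
    log ""
    log "$preset_vars"
    log ""
  fi
  exit 1
fi

rolename=$PROFILE_NAME-$SESSION_NAME
if [[ -n "$OUTPUT_ROLE_NAME" ]]; then
  rolename=$OUTPUT_ROLE_NAME
fi

# Human-readable lifetime of the session, e.g. 3600 -> "1h:0m:0s".
valid=$(printf '%dh:%dm:%ds' $((DURATION / 3600)) $((DURATION % 3600 / 60)) $((DURATION % 60)))
log "[+] Collected session credentials. They will be valid for: $valid. "
printf '\t%s\n' "Paste below lines to your '~/.aws/credentials' file:" >&2
echo
echo "[$rolename]"
printf '%s' "$out" | python3 -c 'import sys,json; foo=json.loads(sys.stdin.read()); print("aws_access_key_id={}\naws_secret_access_key={}\naws_session_token={}".format(foo["Credentials"]["AccessKeyId"],foo["Credentials"]["SecretAccessKey"],foo["Credentials"]["SessionToken"]))'
log ""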