Updated assume-role-helper.sh

clouds/aws/assume-role-helper.sh

@@ -3,7 +3,7 @@
 # This script simply calls `aws sts assume-role` using hardcoded parameters, in order
 # to retrieve set of session credentials and reformat it into ~/.aws/credentials file format.
 #
-# Mariusz Banach, mgeeky '19-20
+# Mariusz B., mgeeky '19-20
 #
 
 
@@ -13,9 +13,12 @@
 #
 
 # Below two values are REQUIRED
-PROFILE_NAME=
+PROFILE_NAME=default
 ROLE_NAME=
 
+# Printed output role name
+OUTPUT_ROLE_NAME=
+
 # If left empty, will be deduced from `aws sts get-caller-identity` output.
 ACCOUNT_NUMBER=
 
@@ -38,8 +41,8 @@ DURATION=3600
 # regular commands sent first.
 out=$(aws --profile $PROFILE_NAME sts get-caller-identity)
 if [ $? -ne 0 ]; then
-    echo "[!] Could not get caller's identity: "
-    echo "$out"
+    >&2 echo "[!] Could not get caller's identity: "
+    >&2 echo "$out"
     exit 1
 fi
 
@@ -57,38 +60,43 @@ fi
 
 ROLE_ARN=arn:aws:iam::$ACCOUNT_NUMBER:role/$ROLE_NAME
 
-echo "[.] Using Role ARN: $ROLE_ARN"
+>&2 echo "[.] Using Role ARN: $ROLE_ARN"
 
-read -p "Type your AWS MFA Code (leave empty if not needed): " code
-echo
+code=""
 
 if [[ "$code" = "" ]] || [[ "$SERIAL_MFA" == "" ]]; then
-    echo "[.] MFA not provided, will attempt to assume role without it."
+    >&2 echo "[.] MFA not provided, will attempt to assume role without it."
     out=$(aws --profile $PROFILE_NAME sts assume-role --role-arn $ROLE_ARN --role-session-name $SESSION_NAME --duration-seconds $DURATION 2>&1)
 else
-    echo "[.] Will attempt to assume role with MFA provided."
+    >&2 echo "[.] Will attempt to assume role with MFA provided."
     out=$(aws --profile $PROFILE_NAME sts assume-role --serial-number $SERIAL_MFA --role-arn $ROLE_ARN --role-session-name $ROLE_NAME --duration-seconds $DURATION --token-code $code 2>&1)
 fi
 
+rolename=$PROFILE_NAME-$SESSION_NAME
+
+if [[ "$OUTPUT_ROLE_NAME" != "" ]]; then
+    rolename=$OUTPUT_ROLE_NAME
+fi
+
 if [ $? -eq 0 ]; then
     valid=$(printf '%dh:%dm:%ds\n' $(($DURATION/3600)) $(($DURATION%3600/60)) $(($DURATION%60)))
-    echo "[+] Collected session credentials. They will be valid for: $valid. "
-    echo -e "\tPaste below lines to your '~/.aws/credentials' file:"
+    >&2 echo "[+] Collected session credentials. They will be valid for: $valid. "
+    >&2 echo -e "\tPaste below lines to your '~/.aws/credentials' file:"
     echo
-    echo "[$PROFILE_NAME-$SESSION_NAME]"
+    echo "[$rolename]"
     echo "$out" | python3 -c 'import sys,json; foo=json.loads(sys.stdin.read()); print("aws_access_key_id={}\naws_secret_access_key={}\naws_session_token={}".format(foo["Credentials"]["AccessKeyId"],foo["Credentials"]["SecretAccessKey"],foo["Credentials"]["SessionToken"]))'
-    echo
+    >&2 echo
 else
-    echo "[!] Could not obtain assume-role session credentials:"
-    echo "$out"
-    echo
+    >&2 echo "[!] Could not obtain assume-role session credentials:"
+    >&2 echo "$out"
+    >&2 echo
     out2=$(env | grep -E 'AWS_[^=]+')
     if [[ "$out2" != "" ]]; then
-        echo "[!] Your command could fail because of pre-set AWS-related environment variables."
-        echo -e "\tPlease review them, correct any problems and re-launch that script."
-        echo
-        echo "$out2"
-        echo
+        >&2 echo "[!] Your command could fail because of pre-set AWS-related environment variables."
+        >&2 echo -e "\tPlease review them, correct any problems and re-launch that script."
+        >&2 echo
+        >&2 echo "$out2"
+        >&2 echo
     fi
     exit 1
-fi
+fi