mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-22 02:21:36 +01:00
Updated assume-role-helper.sh
This commit is contained in:
parent
df51088361
commit
3af8c488b9
@ -3,7 +3,7 @@
|
|||||||
# This script simply calls `aws sts assume-role` using hardcoded parameters, in order
|
# This script simply calls `aws sts assume-role` using hardcoded parameters, in order
|
||||||
# to retrieve set of session credentials and reformat it into ~/.aws/credentials file format.
|
# to retrieve set of session credentials and reformat it into ~/.aws/credentials file format.
|
||||||
#
|
#
|
||||||
# Mariusz Banach, mgeeky '19-20
|
# Mariusz B., mgeeky '19-20
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
@ -13,9 +13,12 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
# Below two values are REQUIRED
|
# Below two values are REQUIRED
|
||||||
PROFILE_NAME=
|
PROFILE_NAME=default
|
||||||
ROLE_NAME=
|
ROLE_NAME=
|
||||||
|
|
||||||
|
# Printed output role name
|
||||||
|
OUTPUT_ROLE_NAME=
|
||||||
|
|
||||||
# If left empty, will be deduced from `aws sts get-caller-identity` output.
|
# If left empty, will be deduced from `aws sts get-caller-identity` output.
|
||||||
ACCOUNT_NUMBER=
|
ACCOUNT_NUMBER=
|
||||||
|
|
||||||
@ -38,8 +41,8 @@ DURATION=3600
|
|||||||
# regular commands sent first.
|
# regular commands sent first.
|
||||||
out=$(aws --profile $PROFILE_NAME sts get-caller-identity)
|
out=$(aws --profile $PROFILE_NAME sts get-caller-identity)
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
echo "[!] Could not get caller's identity: "
|
>&2 echo "[!] Could not get caller's identity: "
|
||||||
echo "$out"
|
>&2 echo "$out"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -57,38 +60,43 @@ fi
|
|||||||
|
|
||||||
ROLE_ARN=arn:aws:iam::$ACCOUNT_NUMBER:role/$ROLE_NAME
|
ROLE_ARN=arn:aws:iam::$ACCOUNT_NUMBER:role/$ROLE_NAME
|
||||||
|
|
||||||
echo "[.] Using Role ARN: $ROLE_ARN"
|
>&2 echo "[.] Using Role ARN: $ROLE_ARN"
|
||||||
|
|
||||||
read -p "Type your AWS MFA Code (leave empty if not needed): " code
|
code=""
|
||||||
echo
|
|
||||||
|
|
||||||
if [[ "$code" = "" ]] || [[ "$SERIAL_MFA" == "" ]]; then
|
if [[ "$code" = "" ]] || [[ "$SERIAL_MFA" == "" ]]; then
|
||||||
echo "[.] MFA not provided, will attempt to assume role without it."
|
>&2 echo "[.] MFA not provided, will attempt to assume role without it."
|
||||||
out=$(aws --profile $PROFILE_NAME sts assume-role --role-arn $ROLE_ARN --role-session-name $SESSION_NAME --duration-seconds $DURATION 2>&1)
|
out=$(aws --profile $PROFILE_NAME sts assume-role --role-arn $ROLE_ARN --role-session-name $SESSION_NAME --duration-seconds $DURATION 2>&1)
|
||||||
else
|
else
|
||||||
echo "[.] Will attempt to assume role with MFA provided."
|
>&2 echo "[.] Will attempt to assume role with MFA provided."
|
||||||
out=$(aws --profile $PROFILE_NAME sts assume-role --serial-number $SERIAL_MFA --role-arn $ROLE_ARN --role-session-name $ROLE_NAME --duration-seconds $DURATION --token-code $code 2>&1)
|
out=$(aws --profile $PROFILE_NAME sts assume-role --serial-number $SERIAL_MFA --role-arn $ROLE_ARN --role-session-name $ROLE_NAME --duration-seconds $DURATION --token-code $code 2>&1)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
rolename=$PROFILE_NAME-$SESSION_NAME
|
||||||
|
|
||||||
|
if [[ "$OUTPUT_ROLE_NAME" != "" ]]; then
|
||||||
|
rolename=$OUTPUT_ROLE_NAME
|
||||||
|
fi
|
||||||
|
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
valid=$(printf '%dh:%dm:%ds\n' $(($DURATION/3600)) $(($DURATION%3600/60)) $(($DURATION%60)))
|
valid=$(printf '%dh:%dm:%ds\n' $(($DURATION/3600)) $(($DURATION%3600/60)) $(($DURATION%60)))
|
||||||
echo "[+] Collected session credentials. They will be valid for: $valid. "
|
>&2 echo "[+] Collected session credentials. They will be valid for: $valid. "
|
||||||
echo -e "\tPaste below lines to your '~/.aws/credentials' file:"
|
>&2 echo -e "\tPaste below lines to your '~/.aws/credentials' file:"
|
||||||
echo
|
echo
|
||||||
echo "[$PROFILE_NAME-$SESSION_NAME]"
|
echo "[$rolename]"
|
||||||
echo "$out" | python3 -c 'import sys,json; foo=json.loads(sys.stdin.read()); print("aws_access_key_id={}\naws_secret_access_key={}\naws_session_token={}".format(foo["Credentials"]["AccessKeyId"],foo["Credentials"]["SecretAccessKey"],foo["Credentials"]["SessionToken"]))'
|
echo "$out" | python3 -c 'import sys,json; foo=json.loads(sys.stdin.read()); print("aws_access_key_id={}\naws_secret_access_key={}\naws_session_token={}".format(foo["Credentials"]["AccessKeyId"],foo["Credentials"]["SecretAccessKey"],foo["Credentials"]["SessionToken"]))'
|
||||||
echo
|
>&2 echo
|
||||||
else
|
else
|
||||||
echo "[!] Could not obtain assume-role session credentials:"
|
>&2 echo "[!] Could not obtain assume-role session credentials:"
|
||||||
echo "$out"
|
>&2 echo "$out"
|
||||||
echo
|
>&2 echo
|
||||||
out2=$(env | grep -E 'AWS_[^=]+')
|
out2=$(env | grep -E 'AWS_[^=]+')
|
||||||
if [[ "$out2" != "" ]]; then
|
if [[ "$out2" != "" ]]; then
|
||||||
echo "[!] Your command could fail because of pre-set AWS-related environment variables."
|
>&2 echo "[!] Your command could fail because of pre-set AWS-related environment variables."
|
||||||
echo -e "\tPlease review them, correct any problems and re-launch that script."
|
>&2 echo -e "\tPlease review them, correct any problems and re-launch that script."
|
||||||
echo
|
>&2 echo
|
||||||
echo "$out2"
|
>&2 echo "$out2"
|
||||||
echo
|
>&2 echo
|
||||||
fi
|
fi
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
Loading…
Reference in New Issue
Block a user