Updated get-session-creds-in-config-format.sh script

This commit is contained in:
Mariusz B 2020-06-19 14:14:57 +02:00 committed by GitHub
parent 77ad1d19dd
commit d603095811
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 47 additions and 30 deletions


@ -3,7 +3,7 @@
# This script simply calls `aws sts assume-role` using hardcoded parameters, in order # This script simply calls `aws sts assume-role` using hardcoded parameters, in order
# to retrieve set of session credentials and reformat it into ~/.aws/credentials file format. # to retrieve set of session credentials and reformat it into ~/.aws/credentials file format.
# #
# Mariusz B., mgeeky '19 # Mariusz B., mgeeky '19-20
# #
@ -14,9 +14,11 @@
# This profile name must be different among any other profiles oyu have defined in your # This profile name must be different among any other profiles oyu have defined in your
# config and credentials file. # config and credentials file.
PROFILE_NAME=your-profile-name PROFILE_NAME=
ROLE_NAME=Your_Role_Name ROLE_NAME=
ROLE_ARN=arn:aws:iam::<NUMBER>:role/$ROLE_NAME
# If left empty, will be deduced from `aws sts get-caller-identity` output.
ACCOUNT_NUMBER=
# If you leave this field empty - it will be deduced from `aws sts get-caller-identity` output # If you leave this field empty - it will be deduced from `aws sts get-caller-identity` output
#SERIAL_MFA=arn:aws:iam::<NUMBER>:mfa/<USER-NAME> #SERIAL_MFA=arn:aws:iam::<NUMBER>:mfa/<USER-NAME>
@ -32,41 +34,56 @@ DURATION=42000
# Some times assume-role may return with an Access-Denied if there were no account authenticated # Some times assume-role may return with an Access-Denied if there were no account authenticated
# regular commands sent first. # regular commands sent first.
out=$(aws sts get-caller-identity) out=$(aws --profile $PROFILE_NAME sts get-caller-identity)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "[!] Could not get caller's identity: " echo "[!] Could not get caller's identity: "
echo "$out" echo "$out"
exit 1 exit 1
fi fi
if [[ "$SERIAL_MFA" = "" ]]; then if [[ "$SERIAL_MFA" = "" ]]; then
SERIAL_MFA=$(echo "$out" | python -c "import sys,json; foo=json.loads(sys.stdin.read()); print('arn:aws:iam::{}:mfa/{}'.format(foo['Account'], foo['Arn'].split('/')[1]))" ) SERIAL_MFA=$(echo "$out" | python3 -c "import sys,json; foo=json.loads(sys.stdin.read()); print('arn:aws:iam::{}:mfa/{}'.format(foo['Account'], foo['Arn'].split('/')[1]))" )
fi fi
read -p "Type your AWS MFA Code: " code if [[ "$ACCOUNT_NUMBER" = "" ]]; then
ACCOUNT_NUMBER=$(echo "$out" | python3 -c "import sys,json; foo=json.loads(sys.stdin.read()); print(foo['Account'])" )
fi
ROLE_ARN=arn:aws:iam::$ACCOUNT_NUMBER:role/$ROLE_NAME
echo "[.] Using Role ARN: $ROLE_ARN"
read -p "Type your AWS MFA Code (leave empty if not needed): " code
echo echo
out=$(aws sts assume-role --serial-number $SERIAL_MFA --role-arn $ROLE_ARN --role-session-name $ROLE_NAME --duration-seconds $DURATION --token-code $code 2>&1) if [[ "$code" = "" ]] || [[ "$SERIAL_MFA" == "" ]]; then
echo "[.] MFA not provided, will attempt to assume role without it."
out=$(aws --profile $PROFILE_NAME sts assume-role --role-arn $ROLE_ARN --role-session-name $ROLE_NAME --duration-seconds $DURATION 2>&1)
else
echo "[.] Will attempt to assume role with MFA provided."
out=$(aws --profile $PROFILE_NAME sts assume-role --serial-number $SERIAL_MFA --role-arn $ROLE_ARN --role-session-name $ROLE_NAME --duration-seconds $DURATION --token-code $code 2>&1)
fi
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
valid=$(printf '%dh:%dm:%ds\n' $(($DURATION/3600)) $(($DURATION%3600/60)) $(($DURATION%60))) valid=$(printf '%dh:%dm:%ds\n' $(($DURATION/3600)) $(($DURATION%3600/60)) $(($DURATION%60)))
echo "[+] Collected session credentials. They will be valid for: $valid. " echo "[+] Collected session credentials. They will be valid for: $valid. "
echo -e "\tPaste below lines to your '~/.aws/credentials' file:" echo -e "\tPaste below lines to your '~/.aws/credentials' file:"
echo echo
echo "[$PROFILE_NAME]" echo "[$PROFILE_NAME]"
echo "$out" | python3 -c 'import sys,json; foo=json.loads(sys.stdin.read()); print("aws_access_key_id={}\naws_secret_access_key={}\naws_session_token={}".format(foo["Credentials"]["AccessKeyId"],foo["Credentials"]["SecretAccessKey"],foo["Credentials"]["SessionToken"]))' echo "$out" | python33 -c 'import sys,json; foo=json.loads(sys.stdin.read()); print("aws_access_key_id={}\naws_secret_access_key={}\naws_session_token={}".format(foo["Credentials"]["AccessKeyId"],foo["Credentials"]["SecretAccessKey"],foo["Credentials"]["SessionToken"]))'
echo echo
else else
echo "[!] Could not obtain assume-role session credentials:" echo "[!] Could not obtain assume-role session credentials:"
echo "$out" echo "$out"
echo echo
out2=$(env | grep -E 'AWS_[^=]+') out2=$(env | grep -E 'AWS_[^=]+')
if [[ "$out2" != "" ]]; then if [[ "$out2" != "" ]]; then
echo "[!] Your command could fail because of pre-set AWS-related environment variables." echo "[!] Your command could fail because of pre-set AWS-related environment variables."
echo -e "\tPlease review them, correct any problems and re-launch that script." echo -e "\tPlease review them, correct any problems and re-launch that script."
echo echo
echo "$out2" echo "$out2"
echo echo
fi fi
exit 1 exit 1
fi fi
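Review bot: The success branch of the third hunk pipes the assume-role output into `python33` instead of `python3`, so after a successful `aws sts assume-role` the script will fail with "command not found" and never print the credentials block; the line should read `echo "$out" | python3 -c '...'` (the `-c` payload itself is unchanged). Separately, the second hunk now ships `PROFILE_NAME=` and `ROLE_NAME=` empty, and every `aws --profile $PROFILE_NAME ...` call in the third hunk expands them unquoted, so an unfilled `PROFILE_NAME` turns into `aws --profile sts get-caller-identity`, where `--profile` silently swallows `sts` and the resulting error is misleading; adding `: "${PROFILE_NAME:?set PROFILE_NAME at the top of this script}"` and `: "${ROLE_NAME:?set ROLE_NAME at the top of this script}"` before the first `aws` call, and quoting the expansions (`--profile "$PROFILE_NAME"`, `--token-code "$code"`), would fail fast with a clear message. The `if [ $? -eq 0 ]` after the new if/else appears to work only because the last command in each branch is the `out=$(...)` assignment, whose status propagates out of the compound; a comment such as `# $? here is the status of the aws call in whichever branch ran` would make that dependency explicit.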