nimrod authored
Runs commands as a different IAM user/role. No other configuration is needed (unlike aws-vault, not to pick on them, it's actually quite nice). Also works as an AWS CLI alias.
assume-role 977 B
#!/bin/sh
set -eu
# This script runs the AWS assume-role command, captures the output, sets the
# environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and
# AWS_SESSION_TOKEN) and executes the command given.
# Print the one-line synopsis for this script to stdout.
# The program name is derived from $0 so the text stays correct if the file is
# renamed or invoked through a symlink.
usage() {
  printf '%s\n' "$(basename "$0"): [-h|--help] ROLE_ARN COMMAND [PARAMETER [PARAMETER ...]]"
}
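# The AWS CLI is required for the STS call below.
command -v aws > /dev/null || { echo 'Cannot find the AWS CLI, exiting.' >&2; exit 1; }

# Honour the -h/--help flag that usage() advertises; asking for help is not an
# error, so it exits 0.
case "${1:-}" in
  -h|--help)
    usage
    exit 0
    ;;
esac

# A role ARN and at least one command word are required.
if [ "$#" -lt 2 ]
then
  usage >&2
  exit 1
fi

role_arn="$1"
shift

# Request temporary credentials from STS. --query selects exactly the three
# values needed, so parsing does not depend on the row and column layout of the
# full text output. Under `set -e` a failed call aborts the script here.
# The session name is fixed; it is the label under which this session shows up
# in AWS-side audit records.
credentials="$(aws sts assume-role \
  --output text \
  --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
  --duration-seconds 3600 \
  --role-arn "$role_arn" \
  --role-session-name 'CircleCI_executor')"

# The selected values arrive on one whitespace-separated line.
# printf and the pipe keep the secrets out of any process argument list.
AWS_ACCESS_KEY_ID="$(printf '%s\n' "$credentials" | awk 'NR == 1 {print $1}')"
AWS_SECRET_ACCESS_KEY="$(printf '%s\n' "$credentials" | awk 'NR == 1 {print $2}')"
AWS_SESSION_TOKEN="$(printf '%s\n' "$credentials" | awk 'NR == 1 {print $3}')"

# Refuse to continue with missing values ("None" is how the CLI's text output
# renders a null). Otherwise the command could run with credentials other than
# the assumed role's without anyone noticing.
for value in "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" "$AWS_SESSION_TOKEN"
do
  case "$value" in
    ''|None)
      echo 'Could not read credentials from the assume-role output, exiting.' >&2
      exit 1
      ;;
  esac
done
unset value credentials

export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN
# AWS_SECURITY_TOKEN is an older name for the session token; clear it so a
# stale value inherited from the caller cannot conflict with the new session.
unset AWS_SECURITY_TOKEN

# Replace this shell with the requested command, passing every argument through
# unchanged. No `eval` on purpose: eval would re-parse the arguments as shell
# source, re-splitting parameters that contain spaces and interpreting any
# metacharacters in them while the role's credentials are in the environment.
# Callers that need shell syntax can request it explicitly:
#   assume-role ROLE_ARN sh -c '...'
exec "$@"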