AWS assume-role script.

To run commands with a different IAM user/ role. No other configuration needed (unlike aws-vault, not to pick on them, it's actually quite nice). Also, an AWS CLI alias.

AWS assume-role script.
311567fa · nimrod · 4d29fb45 · 311567fa · 311567fa
Commit 311567fa authored 3 years ago by nimrod
--- a/.aws/cli/alias
+++ b/.aws/cli/alias
@@ -11,3 +11,4 @@ metadata-region = !python3 << EOF
    EOF
 du = s3 ls --recursive --human-readable --summarize
 enable_ena = ec2 modify-instance-attribute --ena-support --instance-id
+assume-role = !assume-role
--- a/Documents/bin/assume-role
+++ b/Documents/bin/assume-role
+#!/bin/sh
+set -eu
+
+# This script runs the AWS assume-role command, captures the output, sets the
+# environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and
+# AWS_SESSION_TOKEN) and executes the command given.
+
+usage() {
+    echo "$(basename "$0"): [-h|--help] ROLE_ARN COMMAND [PARAMETER [PARAMETER ...]]"
+}
+
+command -v aws > /dev/null || { echo 'Cannot find the AWS CLI, exiting.' >&2; exit 1; }
+
+if [ "$#" -lt 2 ]
+then
+    usage
+    exit 1
+fi
+
+role_arn="$1"
+shift
+
+credentials="$(aws sts assume-role \
+    --output text \
+    --duration-seconds 3600 \
+    --role-arn "$role_arn" \
+    --role-session-name 'CircleCI_executor')"
+
+AWS_ACCESS_KEY_ID="$(echo "$credentials" | awk 'NR == 2 {print $2}')"
+AWS_SECRET_ACCESS_KEY="$(echo "$credentials" | awk 'NR == 2 {print $4}')"
+AWS_SESSION_TOKEN="$(echo "$credentials" | awk 'NR == 2 {print $5}')"
+
+export AWS_ACCESS_KEY_ID
+export AWS_SECRET_ACCESS_KEY
+export AWS_SESSION_TOKEN
+
+unset AWS_SECURITY_TOKEN
+
+eval exec "$@"