  1. #!/usr/bin/env ansible-playbook -c local
  2. #
  3. # AWS STS token update playbook.
  4. #
  5. # Updating AWS session tokens with STS can be a pain. But MFA is good. So let's
  6. # automate the management of the .aws/credentials file to make it not painful!
  7. #
  8. # Usage:
  9. #
  10. # 1. Save this to a file like /usr/local/bin/aws-sts-token
  11. # 2. Make the file executable (chmod +x /usr/local/bin/aws-sts-token)
  12. # 3. Run the command:
  13. #
  14. # ./aws-sts-token -e aws_userarn=ARN_FROM_IAM -e aws_profile=PROFILE -e aws_sts_profile=STS_PROFILE -e token_code=TOKEN
  15. #
  16. # Options:
  17. # - ARN_FROM_IAM: Your AWS user account ARN, like "arn:aws:iam::241312619141:mfa/geerlingguy"
  18. # - PROFILE: AWS credentials profile, like "personal"
  19. # - STS_PROFILE: AWS credentials profile for STS, like "default"
  20. # - TOKEN: One-time token from your MFA device
  21. #
  22. # For even more awesome, add to your bash .profile:
  23. #
  24. # # AWS STS Token.
  25. # function awssts() {
  26. # if [[ ! "$1" ]] ; then
  27. # echo "You must supply a token code."
  28. # return 0
  29. # fi
  30. #
  31. # aws-sts-token -e aws_userarn=ARN_FROM_IAM -e aws_profile=PROFILE -e aws_sts_profile=STS_PROFILE -e token_code=$1
  32. # return 0
  33. # }
  34. #
  35. # Then you can just run `awssts TOKEN` and it will update your profile.
  36. ---
  37. - hosts: localhost
  38. become: no
  39. gather_facts: no
  40.  
  41. vars:
  42. aws_userarn: ''
  43. aws_profile: ''
  44. aws_sts_profile: ''
  45. token_code: ''
  46.  
  47. tasks:
  48. - name: Get STS session token.
  49. command: aws sts get-session-token --serial-number {{ aws_userarn }} --profile {{ aws_profile }} --token-code {{ token_code }}
  50. register: sts_session_creds
  51.  
  52. - debug: var=(sts_session_creds.stdout|from_json)
  53.  
  54. - name: Print session token.
  55. set_fact:
  56. secret_access_key: "{{ (sts_session_creds.stdout|from_json)['Credentials']['SecretAccessKey'] }}"
  57. session_token: "{{ (sts_session_creds.stdout|from_json)['Credentials']['SessionToken'] }}"
  58. access_key_id: "{{ (sts_session_creds.stdout|from_json)['Credentials']['AccessKeyId'] }}"
  59. expiration: "{{ (sts_session_creds.stdout|from_json)['Credentials']['Expiration'] }}"
  60.  
  61. - name: Print token expiration date
  62. debug:
  63. msg: "Token expires at {{ expiration }}"
  64.  
  65. - name: Print all the credentials for debug (only with -vv).
  66. debug:
  67. var: "{{ item }}"
  68. verbosity: 2
  69. with_items:
  70. - access_key_id
  71. - secret_access_key
  72. - session_token
  73.  
  74. - name: Update credentials in .aws/credentials file.
  75. blockinfile:
  76. path: ~/.aws/credentials
  77. marker: "# ANSIBLE MANAGED PROFILE: {{ aws_sts_profile }} {mark}"
  78. insertafter: EOF
  79. backup: yes
  80. block: |
  81. [{{ aws_sts_profile }}]
  82. aws_access_key_id={{ access_key_id }}
  83. aws_secret_access_key={{ secret_access_key }}
  84. aws_session_token={{ session_token }}