-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Automatically source env vars + OSX support fixes (#25)
- Loading branch information
1 parent
031e52e
commit beaf240
Showing
1 changed file
with
43 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,25 +1,56 @@ | ||
| aws-sso-creds() { | ||
| local account_id role_name access_token region | ||
| account_id="$(aws configure get sso_account_id --profile ${AWS_PROFILE})" | ||
| role_name="$(aws configure get sso_role_name --profile ${AWS_PROFILE})" | ||
| region="$(aws configure get region --profile ${AWS_PROFILE})" | ||
| access_token="$( \ | ||
| \ls -c "${HOME}/.aws/sso/cache/" | grep -v botocore \ | ||
| | sort -nr | cut -d' ' -f2 | head -n1 \ | ||
| | xargs -I{} jq -r .accessToken ${HOME}/.aws/sso/cache/{} | ||
| )" | ||
| aws sso get-role-credentials \ | ||
| unset \ | ||
| AWS_ACCESS_KEY_ID \ | ||
| AWS_SECRET_ACCESS_KEY \ | ||
| AWS_SESSION_TOKEN \ | ||
| AWS_CREDENTIALS_EXPIRATION \ | ||
| AWS_REGION | ||
|
|
||
| local profile | ||
| profile="${1:-${AWS_PROFILE}}" | ||
| if [[ -z "${profile}" ]]; then | ||
| >&2 echo ":: missing profile" | ||
| return 1 | ||
| fi | ||
|
|
||
| local account_id role_name region start_url | ||
| account_id="$(aws configure get sso_account_id --profile ${profile})" | ||
| role_name="$(aws configure get sso_role_name --profile ${profile})" | ||
| region="$(aws configure get region --profile ${profile})" | ||
| region="${region:-us-east-1}" | ||
| start_url="$(aws configure get sso_start_url --profile "${profile}")" | ||
|
|
||
| if [ -z "$start_url" ] ; then | ||
| >&2 echo ":: missing sso_start_url for profile ${profile}" | ||
| return 1 | ||
| fi | ||
|
|
||
| local cache_sha cache_file | ||
| cache_sha="$(echo -n "$start_url" | sha1sum | awk '{print $1}')" | ||
| cache_file="${HOME}/.aws/sso/cache/${cache_sha}.json" | ||
|
|
||
| local access_token payload | ||
| access_token="$(<"${cache_file}" jq -rM '.accessToken')" | ||
| # the . /dev/stdin <<< "$(cat <())" hack is for OSX bash 3.2 | ||
| # https://stackoverflow.com/questions/32596123/why-source-command-doesnt-work-with-process-substitution-in-bash-3-2 | ||
| payload="$(aws sso get-role-credentials \ | ||
| --account-id "${account_id}" \ | ||
| --role-name "${role_name}" \ | ||
| --region "${region:-us-east-1}" \ | ||
| --region "${region}" \ | ||
| --access-token "${access_token}" \ | ||
| --no-sign-request \ | ||
| --output json \ | ||
| | jq -r '.roleCredentials | | ||
| | jq -rM '.roleCredentials | | ||
| { | ||
| "AWS_ACCESS_KEY_ID": .accessKeyId, | ||
| "AWS_SECRET_ACCESS_KEY": .secretAccessKey, | ||
| "AWS_SESSION_TOKEN": .sessionToken, | ||
| "AWS_CREDENTIALS_EXPIRATION": (.expiration / 1000 | todate) | ||
| } | keys[] as $k | "export \($k)=\(.[$k])"' | ||
| )" | ||
| if [[ -n "${payload}" ]]; then | ||
| . /dev/stdin <<<"$(echo "${payload}")" | ||
| export AWS_REGION="${region}" | ||
| unset AWS_PROFILE | ||
| fi | ||
| } |