ghndrx/devops-scripts
1
0
Fork 0
mirror of https://github.com/ghndrx/devops-scripts.git synced 2026-02-10 06:44:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(aws): add assume-role.sh with MFA support and session caching

Browse Source 
- MFA token prompting with auto-detection
- Session caching to ~/.aws/cli/cache (5-min buffer)
- Cross-account support with external-id
- Eval-friendly output for shell sourcing
- AWS CLI profile-aware
- Configurable session duration (up to 12h)
- Comprehensive README with usage examples
This commit is contained in:
Greg Hendrickson
2026-02-03 18:01:40 +00:00
parent d0fa7d9197
commit bcb0973cdb
2 changed files with 331 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
aws/README.md Normal file
View File

@@ -0,0 +1,78 @@
# AWS Scripts
AWS CLI helper scripts for common operations.
## assume-role.sh
Production-ready role assumption with MFA support and session caching.
### Features
- **MFA Support**: Prompts for TOTP code, auto-detects MFA device
- **Session Caching**: Avoids re-authentication within session duration
- **Cross-Account**: Supports external-id for cross-account roles
- **Profile-Aware**: Works with AWS CLI named profiles
- **Eval-Friendly**: Output designed for `eval` or `source`
### Usage
```bash
# Basic - source to set env vars in current shell
source assume-role.sh arn:aws:iam::123456789012:role/AdminRole
# Eval alternative
eval "$(./assume-role.sh arn:aws:iam::123456789012:role/AdminRole)"
# With MFA (will prompt for code)
source assume-role.sh arn:aws:iam::123456789012:role/AdminRole \
--mfa-serial arn:aws:iam::123456789012:mfa/myuser
# Cross-account with external-id
source assume-role.sh arn:aws:iam::987654321098:role/CrossAccountRole \
--external-id MyExternalId123
# Extended session (up to 12 hours)
source assume-role.sh arn:aws:iam::123456789012:role/AdminRole \
--duration 43200
# With specific profile and region
source assume-role.sh arn:aws:iam::123456789012:role/AdminRole \
--profile production \
--region us-west-2
```
### Options
| Option | Description |
|--------|-------------|
| `-m, --mfa-serial` | MFA device ARN (auto-detected if not specified) |
| `-e, --external-id` | External ID for cross-account trust |
| `-d, --duration` | Session duration in seconds (default: 3600) |
| `-s, --session-name` | Session name identifier |
| `-p, --profile` | AWS CLI profile for source credentials |
| `-r, --region` | AWS region |
| `-c, --no-cache` | Disable session caching |
| `-v, --verbose` | Verbose output |
### Session Caching
Credentials are cached in `~/.aws/cli/cache/` and reused if more than 5 minutes remain before expiration. Use `--no-cache` to force fresh credentials.
### Requirements
- AWS CLI v2
- jq
- Valid AWS credentials (profile or environment)
### Environment Variables Set
After sourcing, these variables are exported:
```bash
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
AWS_CREDENTIAL_EXPIRATION
```
`AWS_PROFILE` is unset to prevent conflicts with temporary credentials.