mirror of
https://github.com/ghndrx/devops-scripts.git
synced 2026-02-10 14:55:00 +00:00
- MFA token prompting with auto-detection
- Session caching to ~/.aws/cli/cache (5-min buffer)
- Cross-account support with external-id
- Eval-friendly output for shell sourcing
- AWS CLI profile-aware
- Configurable session duration (up to 12h)
- Comprehensive README with usage examples
AWS Scripts
AWS CLI helper scripts for common operations.
assume-role.sh
Production-ready role assumption with MFA support and session caching.
Features
- MFA Support: Prompts for TOTP code, auto-detects MFA device
- Session Caching: Avoids re-authentication within session duration
- Cross-Account: Supports external-id for cross-account roles
- Profile-Aware: Works with AWS CLI named profiles
- Eval-Friendly: Output designed for `eval` or `source`
Usage
# Basic - source to set env vars in current shell
source assume-role.sh arn:aws:iam::123456789012:role/AdminRole
# Eval alternative: the script prints export statements on stdout, and eval applies them to the current shell
eval "$(./assume-role.sh arn:aws:iam::123456789012:role/AdminRole)"
# With MFA (will prompt for code)
source assume-role.sh arn:aws:iam::123456789012:role/AdminRole \
--mfa-serial arn:aws:iam::123456789012:mfa/myuser
# Cross-account with external-id
source assume-role.sh arn:aws:iam::987654321098:role/CrossAccountRole \
--external-id MyExternalId123
# Extended session (up to 12 hours). The role's MaxSessionDuration must allow it,
# and sessions assumed from credentials that are themselves temporary role
# credentials (role chaining) are capped by STS at 1 hour regardless of this value.
source assume-role.sh arn:aws:iam::123456789012:role/AdminRole \
--duration 43200
# With specific profile and region
source assume-role.sh arn:aws:iam::123456789012:role/AdminRole \
--profile production \
--region us-west-2
Options
| Option | Description |
|---|---|
| `-m, --mfa-serial` | MFA device ARN (auto-detected if not specified) |
| `-e, --external-id` | External ID for cross-account trust |
| `-d, --duration` | Session duration in seconds (default: 3600) |
| `-s, --session-name` | Role session name (recorded in CloudTrail and in the assumed-role ARN) |
| `-p, --profile` | AWS CLI profile for source credentials |
| `-r, --region` | AWS region |
| `-c, --no-cache` | Disable session caching |
| `-v, --verbose` | Verbose output |
Session Caching
Credentials are cached in ~/.aws/cli/cache/ and reused if more than 5 minutes remain before expiration; an entry with 5 minutes or less left is treated as stale and a new session is requested. Use --no-cache to force fresh credentials. The cache files hold live temporary credentials on disk, so keep ~/.aws/cli/cache/ readable only by your own user and clear it (or use --no-cache) on shared machines.
Requirements
- AWS CLI v2
- jq
- Valid AWS credentials (profile or environment)
Environment Variables Set
After sourcing (or evaluating the script's output), these variables are exported:
- `AWS_ACCESS_KEY_ID`
- `AWS_SECRET_ACCESS_KEY`
- `AWS_SESSION_TOKEN`
- `AWS_CREDENTIAL_EXPIRATION`
`AWS_PROFILE` is unset to prevent conflicts with temporary credentials.
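As an added example (not the project's assume-role.sh, and not code from the repository), the bash below shows the two mechanisms described in the Session Caching and Environment Variables sections: reusing a cached session only while more than 5 minutes remain before expiration, and printing the credentials as `eval`/`source`-friendly export statements that also unset `AWS_PROFILE`. It assumes, which the README does not state, that a cache entry is the raw `aws sts assume-role` JSON (a `Credentials` object with an ISO 8601 `Expiration`) written one key per line; the STS response embedded in it is constructed for the demo, with fake keys. It needs GNU `date` and uses `jq` when installed, falling back to `sed` otherwise.

```shell
#!/usr/bin/env bash
# Added example, not the project's assume-role.sh. It shows the two pieces of
# plumbing the README describes: reusing a cached session only while more than
# 5 minutes remain, and printing credentials as eval/source-friendly shell.
# Assumptions the README does not state: the cache entry is the raw
# `aws sts assume-role` JSON ({"Credentials": {...}} with an ISO 8601
# Expiration), written one key per line so the no-jq fallback can read it.
# Needs GNU date (`date -d`); uses jq when installed, as the real script does.

CACHE_BUFFER_SECONDS=300

# Constructed sample of an `aws sts assume-role` response (fake keys). The
# session token deliberately contains a quote and $( ) to show why output
# meant for eval has to be quoted.
SAMPLE_STS_JSON=$(cat <<'EOF'
{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEY000001",
    "SecretAccessKey": "ExampleSecret/with+slashes",
    "SessionToken": "FwoGZXIvYXdzEBa'$(echo injected)",
    "Expiration": "2026-02-10T16:00:00Z"
  },
  "AssumedRoleUser": { "Arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/demo" }
}
EOF
)

# iso_to_epoch ISO8601 -> seconds since the epoch (GNU date)
iso_to_epoch() { date -u -d "$1" +%s; }

# json_string KEY FILE -> Credentials.KEY as a raw string, non-zero if missing.
# jq when available; otherwise a sed fallback for the one-key-per-line layout.
json_string() {
    if command -v jq >/dev/null 2>&1; then
        jq -er --arg k "$1" '.Credentials[$k] | strings' "$2"
    else
        sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" "$2" | grep .
    fi
}

# shquote STRING -> 'STRING' with embedded quotes written as '\'' (the same
# transformation jq's @sh does), so eval assigns the value literally.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# cache_is_fresh FILE [NOW_EPOCH] -> 0 when FILE is readable and its
# Expiration lies more than CACHE_BUFFER_SECONDS after NOW (default: now).
cache_is_fresh() {
    local file=$1 now=${2:-$(date -u +%s)} exp
    [ -r "$file" ] || return 1
    exp=$(json_string Expiration "$file" 2>/dev/null) || return 1
    exp=$(iso_to_epoch "$exp" 2>/dev/null) || return 1
    [ $((exp - now)) -gt "$CACHE_BUFFER_SECONDS" ]
}

# write_cache_entry FILE JSON: the file holds live credentials, so create it
# owner-readable only (mode 0600; this example's choice, not the README's).
write_cache_entry() {
    mkdir -p "$(dirname "$1")"
    (umask 077; printf '%s\n' "$2" > "$1")
}

# emit_exports FILE: print the statements the README says get sourced.
# Output is built in memory and printed only when every field was found, so
# a caller doing `eval "$(emit_exports f)"` never applies a partial set.
emit_exports() {
    local file=$1 out='' pair var key value nl
    nl='
'
    for pair in AWS_ACCESS_KEY_ID:AccessKeyId AWS_SECRET_ACCESS_KEY:SecretAccessKey \
                AWS_SESSION_TOKEN:SessionToken AWS_CREDENTIAL_EXPIRATION:Expiration; do
        var=${pair%%:*} key=${pair#*:}
        value=$(json_string "$key" "$file") || return 1
        out="${out}export ${var}=$(shquote "$value")${nl}"
    done
    printf '%sunset AWS_PROFILE\n' "$out"
}

# Demo: cache the sample, test freshness against a fixed clock, load it.
CACHE_FILE=$(mktemp -d)/session.json
write_cache_entry "$CACHE_FILE" "$SAMPLE_STS_JSON"
NOW=$(iso_to_epoch "2026-02-10T15:00:00Z")   # 60 min before the sample expires
cache_is_fresh "$CACHE_FILE" "$NOW" && echo "15:00 -> cache reused (60 min left)" >&2
cache_is_fresh "$CACHE_FILE" "$((NOW + 3300))" \
    || echo "15:55 -> cache ignored (5 min left is not more than 5)" >&2
export AWS_PROFILE=production
creds=$(emit_exports "$CACHE_FILE") && eval "$creds"
echo "key=${AWS_ACCESS_KEY_ID} expires=${AWS_CREDENTIAL_EXPIRATION} AWS_PROFILE=${AWS_PROFILE:-unset}" >&2
```

Two habits from this example carry over to any script whose output is meant for `eval`: generate the whole export block first and evaluate it only if generation succeeded, so a failed STS call cannot leave the shell with a half-set credential triple, and keep every prompt and diagnostic (the MFA code prompt, `--verbose` output) on stderr, since anything written to stdout becomes shell input.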