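#!/bin/bash
#
# Assume the given IAM role, and print out a set of `export` statements
# carrying the temporary credentials, for use with aws cli.
#
# To use:
#
#   $ eval "$(./iam-assume-role.sh [ROLE [ACCOUNT [DURATION [SESSION_NAME]]]])"
#
# Arguments (positional, all optional):
#   $1 - role name                     (default: SecurityMonkey)
#   $2 - AWS account id                (default: 123456789)
#   $3 - session duration in seconds   (default: 900)
#   $4 - role session name             (default: $LOGNAME@<short hostname>)
#
# NOTE(review): the default account id looks like a placeholder; confirm it
# is replaced with a real account before relying on the default.
#
# Security notes:
#   * stdout carries live credentials. Feed it straight to eval; do not
#     redirect it into logs, and do not run this script under `set -x`.
#   * stdout is evaluated by the caller's shell, so only the export lines
#     are written there. Diagnostics go to stderr, and every credential
#     value is shell-quoted with printf %q before it is printed.
#

set -e

# Clear out existing AWS session environment, or the awscli call will fail
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN
# Old ec2 tools use other env vars
unset AWS_ACCESS_KEY AWS_SECRET_KEY AWS_DELEGATION_TOKEN

ROLE="${1:-SecurityMonkey}"
ACCOUNT="${2:-123456789}"
DURATION="${3:-900}"
NAME="${4:-$LOGNAME@$(hostname -s)}"

# Reject a non-numeric duration up front so a malformed argument produces a
# clear error instead of being handed to the aws command line.
case "$DURATION" in
  '' | *[!0-9]*)
    echo "iam-assume-role: duration must be a whole number of seconds: $DURATION" >&2
    exit 1
    ;;
esac

# Every argument is quoted so that user-supplied values cannot be word-split
# or glob-expanded into additional aws cli options.
creds=$(aws sts assume-role \
  --role-arn "arn:aws:iam::$ACCOUNT:role/$ROLE" \
  --role-session-name "$NAME" \
  --duration-seconds "$DURATION" \
  --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' \
  --output text) || {
  echo "iam-assume-role: 'aws sts assume-role' failed; no credentials exported" >&2
  exit 1
}

# KST=access*K*ey, *S*ecretkey, session*T*oken
# read splits on whitespace without glob-expanding the fields. With -d ''
# it returns non-zero at end of input, hence the `|| true` under set -e.
KST=()
read -r -d '' -a KST <<<"$creds" || true

# Never print partial or empty credentials for the caller to eval.
if [[ ${#KST[@]} -ne 3 ]]; then
  echo "iam-assume-role: unexpected output from 'aws sts assume-role'; no credentials exported" >&2
  exit 1
fi

# Single-quoted on purpose: the default region is resolved by the caller's
# shell at eval time, so an already-set AWS_DEFAULT_REGION is kept.
echo 'export AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-us-east-1}'
printf 'export AWS_ACCESS_KEY_ID=%q\n' "${KST[0]}"
printf 'export AWS_ACCESS_KEY=%q\n' "${KST[0]}"
printf 'export AWS_SECRET_ACCESS_KEY=%q\n' "${KST[1]}"
printf 'export AWS_SECRET_KEY=%q\n' "${KST[1]}"
printf 'export AWS_SESSION_TOKEN=%q\n' "${KST[2]}" # older var seems to work the same way
printf 'export AWS_SECURITY_TOKEN=%q\n' "${KST[2]}"
printf 'export AWS_DELEGATION_TOKEN=%q\n' "${KST[2]}"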