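#!/bin/bash
# aws-env.sh — obtain short-lived AWS STS session credentials with an MFA code
# and export them into the *current* shell, which is why it must be sourced.
#
# Usage:
#   source ./aws-env.sh [code]   # authenticate; prompts for the MFA code if omitted
#   source ./aws-env.sh unauth   # clear the session credentials again
#
# Inputs (environment, or ./.env in the current directory):
#   MFA_DEVICE_ARN  (required) serial number / ARN of the MFA device
#   REGION          (optional) exported as AWS_REGION on success
#
# All work is done inside one function so that the raw STS response and the
# parsed secret values are function locals and are not left behind as plain
# variables in the user's interactive shell after sourcing.

_aws_env_main() {
  local mfa_code credentials access_key secret_key session_token tool

  # 'unauth' works whether sourced or executed, though only sourcing actually
  # affects the caller's environment.
  if [[ "$1" == "unauth" ]]; then
    echo "==> Clearing AWS session credentials..."
    unset AWS_ACCESS_KEY_ID
    unset AWS_SECRET_ACCESS_KEY
    unset AWS_SESSION_TOKEN
    unset AWS_REGION
    echo "==> Done."
    return 0
  fi

  # Exports only reach the caller when sourced; refuse to run otherwise.
  # (Under zsh BASH_SOURCE is unset, so the comparison never matches and the
  # script is treated as sourced.)
  if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
    echo "Error: This script must be sourced, not executed directly."
    echo "Usage:"
    echo " source ./aws-env.sh [code] # Authenticate"
    echo " source ./aws-env.sh unauth # Clear credentials"
    return 1
  fi

  # Load ./.env from the current directory. NOTE: this executes the file as
  # shell code, so only run this from a directory whose .env you trust.
  # 'set -a' exports everything it defines so MFA_DEVICE_ARN / REGION are
  # visible to the aws CLI.
  if [[ -f .env ]]; then
    set -a
    # shellcheck disable=SC1091
    source .env
    set +a
  fi

  # Fail early and loudly: a missing jq would otherwise yield empty values
  # and the script would export blank credentials.
  for tool in aws jq; do
    if ! command -v "${tool}" >/dev/null 2>&1; then
      echo "Error: required command '${tool}' not found in PATH."
      return 1
    fi
  done

  if [[ -z "${MFA_DEVICE_ARN}" ]]; then
    echo "Error: MFA_DEVICE_ARN is not set. Please set it in .env or environment."
    return 1
  fi

  mfa_code="$1"
  if [[ -z "${mfa_code}" ]]; then
    # printf rather than 'read -p': under zsh, -p means read from a coprocess.
    printf "Enter MFA Code: "
    read -r mfa_code
  fi
  if [[ -z "${mfa_code}" ]]; then
    echo "Error: MFA Code is required."
    return 1
  fi
  # GetSessionToken token codes are six digits; reject anything else before
  # spending an STS call (and a failed-MFA audit event) on it.
  if [[ ! "${mfa_code}" =~ ^[0-9]{6}$ ]]; then
    echo "Error: MFA Code must be exactly six digits."
    return 1
  fi

  echo "==> Authenticating with MFA..."
  # GetSessionToken cannot be called with temporary credentials, so drop any
  # existing session first; the CLI then falls back to the long-term profile.
  unset AWS_SESSION_TOKEN
  unset AWS_ACCESS_KEY_ID
  unset AWS_SECRET_ACCESS_KEY

  if ! credentials=$(aws sts get-session-token \
      --serial-number "${MFA_DEVICE_ARN}" \
      --token-code "${mfa_code}" \
      --output json); then
    echo "Error: Failed to get session token."
    return 1
  fi

  # Parse the JSON. jq prints the literal "null" for a missing key, so treat
  # that (or an empty value) as a failure instead of exporting it.
  access_key=$(jq -r '.Credentials.AccessKeyId' <<<"${credentials}")
  secret_key=$(jq -r '.Credentials.SecretAccessKey' <<<"${credentials}")
  session_token=$(jq -r '.Credentials.SessionToken' <<<"${credentials}")
  if [[ -z "${access_key}" || "${access_key}" == "null" \
     || -z "${secret_key}" || "${secret_key}" == "null" \
     || -z "${session_token}" || "${session_token}" == "null" ]]; then
    echo "Error: Unexpected response from STS; no credentials parsed."
    return 1
  fi

  export AWS_ACCESS_KEY_ID="${access_key}"
  export AWS_SECRET_ACCESS_KEY="${secret_key}"
  export AWS_SESSION_TOKEN="${session_token}"
  # Only export a region when one was configured; an empty AWS_REGION is
  # worse than none at all.
  if [[ -n "${REGION}" ]]; then
    export AWS_REGION="${REGION}"
  else
    echo "Warning: REGION is not set; AWS_REGION was not exported."
  fi

  echo
  echo "==> Success! AWS session variables exported."
  echo
  # The access key id is an identifier, not a secret. The secret key and
  # session token are deliberately never written to the terminal, where they
  # would persist in scrollback and session logs.
  echo "==> Access Key: ${access_key}"
  echo "==> Region: ${REGION}"
  echo
  echo "==> You can verify the session with:"
  echo "    aws sts get-caller-identity"
  echo
  echo "==> You can now run ./sync-dynamodb.sh"
  return 0
}

_aws_env_main "$@"
_aws_env_rc=$?
unset -f _aws_env_main
# 'return' only works when sourced; fall back to 'exit' when executed directly
# (the only such path that gets here is 'unauth', which returns 0).
return "${_aws_env_rc}" 2>/dev/null || exit "${_aws_env_rc}"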