From fcb6fa78a1304f9a8eff2a7563658de04a13d499 Mon Sep 17 00:00:00 2001 From: Maksym Date: Sat, 24 Oct 2020 22:07:49 +0100 Subject: aws: add role delegation and MFA support as per IAM Best Practices (#8419) * Added role delegation support and MFA support as per IAM Best Practices * fix: grep with color enabled breaks profile parsing * fix: compatible with MacOS basic sed * docs: Added jq as a dependency * feat: added variable session duration, if the role to be assumed permits it. * bug: incorrect assigment for session length * fix: profile extraction failed with some versions of sed Fixed the issue that resulted from merging upstream changes to allow "." in the profile name * fix: broken profile parsing when profile name contains "@" --- plugins/aws/README.md | 2 +- plugins/aws/aws.plugin.zsh | 62 ++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 58 insertions(+), 6 deletions(-) (limited to 'plugins/aws') diff --git a/plugins/aws/README.md b/plugins/aws/README.md index 57c3b54ac..4ceb71425 100644 --- a/plugins/aws/README.md +++ b/plugins/aws/README.md @@ -3,7 +3,7 @@ This plugin provides completion support for [awscli](https://docs.aws.amazon.com/cli/latest/reference/index.html) and a few utilities to manage AWS profiles and display them in the prompt. -To use it, add `aws` to the plugins array in your zshrc file. +To use it, make sure [jq](https://stedolan.github.io/jq/download/) is installed, and add `aws` to the plugins array in your zshrc file. ```zsh plugins=(... aws) diff --git a/plugins/aws/aws.plugin.zsh b/plugins/aws/aws.plugin.zsh index 7994963c3..8a68bf0d8 100644 --- a/plugins/aws/aws.plugin.zsh +++ b/plugins/aws/aws.plugin.zsh @@ -5,7 +5,7 @@ function agp() { # AWS profile selection function asp() { if [[ -z "$1" ]]; then - unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE + unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN echo AWS profile cleared. return fi 
@@ -18,9 +18,61 @@ function asp() { return 1 fi - export AWS_DEFAULT_PROFILE=$1 - export AWS_PROFILE=$1 - export AWS_EB_PROFILE=$1 + local exists="$(aws configure get aws_access_key_id --profile $1)" + local role_arn="$(aws configure get role_arn --profile $1)" + local aws_access_key_id="" + local aws_secret_access_key="" + local aws_session_token="" + if [[ -n $exists || -n $role_arn ]]; then + if [[ -n $role_arn ]]; then + local mfa_serial="$(aws configure get mfa_serial --profile $1)" + local mfa_token="" + local mfa_opt="" + if [[ -n $mfa_serial ]]; then + echo "Please enter your MFA token for $mfa_serial:" + read mfa_token + echo "Please enter the session duration in seconds (900-43200; default: 3600, which is the default maximum for a role):" + read sess_duration + if [[ -z $sess_duration ]]; then + sess_duration = 3600 + fi + mfa_opt="--serial-number $mfa_serial --token-code $mfa_token --duration-seconds $sess_duration" + fi + + local ext_id="$(aws configure get external_id --profile $1)" + local extid_opt="" + if [[ -n $ext_id ]]; then + extid_opt="--external-id $ext_id" + fi + + local profile=$1 + local source_profile="$(aws configure get source_profile --profile $1)" + if [[ -n $source_profile ]]; then + profile=$source_profile + fi + + echo "Assuming role $role_arn using profile $profile" + local assume_cmd=(aws sts assume-role "--profile=$profile" "--role-arn $role_arn" "--role-session-name "$profile"" "$mfa_opt" "$extid_opt") + local JSON="$(eval ${assume_cmd[@]})" + + aws_access_key_id="$(echo $JSON | jq -r '.Credentials.AccessKeyId')" + aws_secret_access_key="$(echo $JSON | jq -r '.Credentials.SecretAccessKey')" + aws_session_token="$(echo $JSON | jq -r '.Credentials.SessionToken')" + else + aws_access_key_id="$(aws configure get aws_access_key_id --profile $1)" + aws_secret_access_key="$(aws configure get aws_secret_access_key --profile $1)" + aws_session_token="" + fi + + export AWS_DEFAULT_PROFILE=$1 + export AWS_PROFILE=$1 + export 
AWS_EB_PROFILE=$1 + export AWS_ACCESS_KEY_ID=$aws_access_key_id + export AWS_SECRET_ACCESS_KEY=$aws_secret_access_key + [[ -z "$aws_session_token" ]] && unset AWS_SESSION_TOKEN || export AWS_SESSION_TOKEN=$aws_session_token + + echo "Switched to AWS Profile: $1"; + fi } function aws_change_access_key() { @@ -41,7 +93,7 @@ function aws_change_access_key() { function aws_profiles() { [[ -r "${AWS_CONFIG_FILE:-$HOME/.aws/config}" ]] || return 1 - grep '\[profile' "${AWS_CONFIG_FILE:-$HOME/.aws/config}"|sed -e 's/.*profile \([a-zA-Z0-9@_\.-]*\).*/\1/' + grep --color=never -Eo '\[.*\]' "${AWS_CONFIG_FILE:-$HOME/.aws/config}" | sed -E 's/^[[:space:]]*\[(profile)?[[:space:]]*([-_[:alnum:]\.@]+)\][[:space:]]*$/\2/g' } function _aws_profiles() { -- cgit v1.2.3-70-g09d2 From 77f74570512ab9fef0669c23e8613f204c992d48 Mon Sep 17 00:00:00 2001 From: Setu Shah Date: Thu, 29 Oct 2020 03:55:41 -0700 Subject: aws: get and set session token if available (#9397) --- plugins/aws/aws.plugin.zsh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins/aws') diff --git a/plugins/aws/aws.plugin.zsh b/plugins/aws/aws.plugin.zsh index 8a68bf0d8..fe1f098e8 100644 --- a/plugins/aws/aws.plugin.zsh +++ b/plugins/aws/aws.plugin.zsh @@ -61,7 +61,7 @@ function asp() { else aws_access_key_id="$(aws configure get aws_access_key_id --profile $1)" aws_secret_access_key="$(aws configure get aws_secret_access_key --profile $1)" - aws_session_token="" + aws_session_token="$(aws configure get aws_session_token --profile $1)" fi export AWS_DEFAULT_PROFILE=$1 -- cgit v1.2.3-70-g09d2 From 852a44094a3bb4df39f8f778bc7ada2ddda09727 Mon Sep 17 00:00:00 2001 
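Review bot: The assume-role call at the end of the role branch runs through `eval ${assume_cmd[@]}`, so every value spliced into that string — `role_arn`, `external_id`, `mfa_serial`, the profile name and the interactively typed `mfa_token` — is re-parsed by the shell, and a metacharacter in any of them (a `;` or `$(...)` in `~/.aws/config`) executes as a command. No eval is needed: keep the optional flags as arrays (`mfa_opt=(--serial-number "$mfa_serial" --token-code "$mfa_token" --duration-seconds "$sess_duration")`, `extid_opt=(--external-id "$ext_id")`) and call `local JSON="$(aws sts assume-role --profile "$profile" --role-arn "$role_arn" --role-session-name "$profile" "${mfa_opt[@]}" "${extid_opt[@]}")"`. Note also that `sess_duration = 3600` (with spaces) is parsed as a command invocation rather than an assignment, so an empty answer to the prompt appears to leave the variable empty, and both `read` calls should be `read -r`. asp's body starts before this hunk.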
From: Maksym Date: Thu, 29 Oct 2020 21:13:36 +0000 Subject: aws: split setting profile from changing profile (#9402) the change to assume a role when it is specified in configuration broke some workflows. This fix addresses that Fixes #9394 --- plugins/aws/README.md | 7 +++++++ plugins/aws/aws.plugin.zsh | 24 +++++++++++++++++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) (limited to 'plugins/aws') diff --git a/plugins/aws/README.md b/plugins/aws/README.md index 4ceb71425..851f586dd 100644 --- a/plugins/aws/README.md +++ b/plugins/aws/README.md @@ -15,6 +15,13 @@ plugins=(... aws) It also sets `$AWS_EB_PROFILE` to `` for the Elastic Beanstalk CLI. Run `asp` without arguments to clear the profile. +* `acp []`: in addition to `asp` functionality, it actually changes the profile by + assuming the role specified in the `` configuration. It supports MFA and sets + `$AWS_ACCESS_KEY_ID`, `$AWS_SECRET_ACCESS_KEY` and `$AWS_SESSION_TOKEN`, if obtained. It + requires the roles to be configured as per the + [official guide](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html). + Run `acp` without arguments to clear the profile. + * `agp`: gets the current value of `$AWS_PROFILE`. * `aws_change_access_key`: changes the AWS access key of a profile. diff --git a/plugins/aws/aws.plugin.zsh b/plugins/aws/aws.plugin.zsh index fe1f098e8..8149ba121 100644 --- a/plugins/aws/aws.plugin.zsh +++ b/plugins/aws/aws.plugin.zsh 
@@ -4,6 +4,27 @@ function agp() { # AWS profile selection function asp() { + if [[ -z "$1" ]]; then + unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE + echo AWS profile cleared. + return + fi + + local -a available_profiles + available_profiles=($(aws_profiles)) + if [[ -z "${available_profiles[(r)$1]}" ]]; then + echo "${fg[red]}Profile '$1' not found in '${AWS_CONFIG_FILE:-$HOME/.aws/config}'" >&2 + echo "Available profiles: ${(j:, :)available_profiles:-no profiles found}${reset_color}" >&2 + return 1 + fi + + export AWS_DEFAULT_PROFILE=$1 + export AWS_PROFILE=$1 + export AWS_EB_PROFILE=$1 +} + +# AWS profile switch +function acp() { if [[ -z "$1" ]]; then unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN echo AWS profile cleared. @@ -34,7 +55,7 @@ function asp() { echo "Please enter the session duration in seconds (900-43200; default: 3600, which is the default maximum for a role):" read sess_duration if [[ -z $sess_duration ]]; then - sess_duration = 3600 + sess_duration="3600" fi mfa_opt="--serial-number $mfa_serial --token-code $mfa_token --duration-seconds $sess_duration" fi @@ -100,6 +121,7 @@ function _aws_profiles() { reply=($(aws_profiles)) } compctl -K _aws_profiles asp aws_change_access_key +compctl -K _aws_profiles acp aws_change_access_key # AWS prompt function aws_prompt_info() { -- cgit v1.2.3-70-g09d2 From 3e6ee85a161c8089955c19364728e167025a911d Mon Sep 17 00:00:00 2001 
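Review bot: The new `asp` exports only `AWS_DEFAULT_PROFILE`/`AWS_PROFILE`/`AWS_EB_PROFILE` and its clear branch unsets only those three, while `acp` further down in the same hunk exports `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN`. Since the CLI's credential chain consults those environment variables before a named profile, an `acp role-profile` followed by `asp other` keeps running with the earlier role's session credentials while the prompt and `$AWS_PROFILE` claim `other`; likewise `asp` with no argument reports the profile cleared but leaves the keys exported. Either have `asp` also `unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN` on both paths, or warn when those variables are set so the user knows the profile name is being shadowed. acp's body continues past the end of this hunk.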
From: Maksym Date: Wed, 4 Nov 2020 21:10:22 +0000 Subject: fix(aws): support MFA for profiles without role to assume (#9411) Previously, the plugin only supported MFA for profiles that had a role to assume, specified in role_arn. Now, the plugin supports MFA for profiles without a role to assume. Closes #9408 * refactor(aws plugin): remove dependency on jq Previously, acp command relied on jq. Now that dependency has been removed, as well as some linter suggestions implemented. --- plugins/aws/README.md | 6 +-- plugins/aws/aws.plugin.zsh | 106 +++++++++++++++++++++++++-------------------- 2 files changed, 62 insertions(+), 50 deletions(-) (limited to 'plugins/aws') diff --git a/plugins/aws/README.md b/plugins/aws/README.md index 851f586dd..4c2ae96e5 100644 --- a/plugins/aws/README.md +++ b/plugins/aws/README.md @@ -3,7 +3,7 @@ This plugin provides completion support for [awscli](https://docs.aws.amazon.com/cli/latest/reference/index.html) and a few utilities to manage AWS profiles and display them in the prompt. -To use it, make sure [jq](https://stedolan.github.io/jq/download/) is installed, and add `aws` to the plugins array in your zshrc file. +To use it, add `aws` to the plugins array in your zshrc file. ```zsh plugins=(... aws) @@ -40,6 +40,6 @@ plugins=(... aws) The plugin creates an `aws_prompt_info` function that you can use in your theme, which displays the current `$AWS_PROFILE`. It uses two variables to control how that is shown: -- ZSH_THEME_AWS_PREFIX: sets the prefix of the AWS_PROFILE. Defaults to ``. +* ZSH_THEME_AWS_SUFFIX: sets the suffix of the AWS_PROFILE. Defaults to `>`. diff --git a/plugins/aws/aws.plugin.zsh b/plugins/aws/aws.plugin.zsh index 8149ba121..e6959759e 100644 --- a/plugins/aws/aws.plugin.zsh +++ b/plugins/aws/aws.plugin.zsh 
@@ -39,60 +39,73 @@ function acp() { return 1 fi - local exists="$(aws configure get aws_access_key_id --profile $1)" + local aws_access_key_id="$(aws configure get aws_access_key_id --profile $1)" + local aws_secret_access_key="$(aws configure get aws_secret_access_key --profile $1)" + local aws_session_token="$(aws configure get aws_session_token --profile $1)" + local mfa_serial="$(aws configure get mfa_serial --profile $1)" local role_arn="$(aws configure get role_arn --profile $1)" - local aws_access_key_id="" - local aws_secret_access_key="" - local aws_session_token="" - if [[ -n $exists || -n $role_arn ]]; then - if [[ -n $role_arn ]]; then - local mfa_serial="$(aws configure get mfa_serial --profile $1)" - local mfa_token="" - local mfa_opt="" - if [[ -n $mfa_serial ]]; then - echo "Please enter your MFA token for $mfa_serial:" - read mfa_token - echo "Please enter the session duration in seconds (900-43200; default: 3600, which is the default maximum for a role):" - read sess_duration - if [[ -z $sess_duration ]]; then - sess_duration="3600" - fi - mfa_opt="--serial-number $mfa_serial --token-code $mfa_token --duration-seconds $sess_duration" - fi - - local ext_id="$(aws configure get external_id --profile $1)" - local extid_opt="" - if [[ -n $ext_id ]]; then - extid_opt="--external-id $ext_id" - fi - - local profile=$1 - local source_profile="$(aws configure get source_profile --profile $1)" - if [[ -n $source_profile ]]; then - profile=$source_profile - fi - - echo "Assuming role $role_arn using profile $profile" - local assume_cmd=(aws sts assume-role "--profile=$profile" "--role-arn $role_arn" "--role-session-name "$profile"" "$mfa_opt" "$extid_opt") - local JSON="$(eval ${assume_cmd[@]})" - - aws_access_key_id="$(echo $JSON | jq -r '.Credentials.AccessKeyId')" - aws_secret_access_key="$(echo $JSON | jq -r '.Credentials.SecretAccessKey')" - aws_session_token="$(echo $JSON | jq -r '.Credentials.SessionToken')" - else - aws_access_key_id="$(aws 
configure get aws_access_key_id --profile $1)" - aws_secret_access_key="$(aws configure get aws_secret_access_key --profile $1)" - aws_session_token="$(aws configure get aws_session_token --profile $1)" + + # First, if the profile has MFA configured, lets get the token and session duration + local mfa_opt="" + + if [[ -n $mfa_serial ]]; then + local mfa_token="" + echo "Please enter your MFA token for $mfa_serial:" + read -r mfa_token + echo "Please enter the session duration in seconds (900-43200; default: 3600, which is the default maximum for a role):" + read -r sess_duration + if [[ -z $sess_duration ]]; then + sess_duration="3600" fi + mfa_opt="--serial-number $mfa_serial --token-code $mfa_token --duration-seconds $sess_duration" + fi + + # Now see whether we need to just MFA for the current role, or assume a different one + local credentials_output="" + if [[ -n $role_arn ]]; then + # Means we need to assume a specified role + # Check whether external_id is configured to use while assuming the role + local ext_id="$(aws configure get external_id --profile $1)" + local extid_opt="" + if [[ -n $ext_id ]]; then + extid_opt="--external-id $ext_id" + fi + + # Get source profile to use to assume role + local profile=$1 + local source_profile="$(aws configure get source_profile --profile "$1")" + if [[ -n $source_profile ]]; then + profile=$source_profile + fi + + echo "Assuming role $role_arn using profile $profile" + local assume_cmd=(aws sts assume-role "--profile=$profile" "--role-arn $role_arn" "--role-session-name $profile" "$mfa_opt" "$extid_opt" + "--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text | tr '\t' '\n'") + credentials_output="$(eval "${assume_cmd[@]}")" + elif [[ -n $mfa_opt ]]; then + # Means we only need to do MFA + echo "Obtaining session token for profile $profile" + local get_token_cmd=(aws sts get-session-token "--profile=$profile" "$mfa_opt" + "--query 
'[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text | tr '\t' '\n'") + credentials_output="$(eval "${get_token_cmd[@]}")" + fi + + if [[ -n $credentials_output ]]; then + local credentials=("${(f)credentials_output}") + aws_access_key_id=${credentials[1]} + aws_secret_access_key=${credentials[2]} + aws_session_token=${credentials[3]} + fi + + if [[ -n $aws_access_key_id && -n $aws_secret_access_key ]]; then export AWS_DEFAULT_PROFILE=$1 export AWS_PROFILE=$1 export AWS_EB_PROFILE=$1 export AWS_ACCESS_KEY_ID=$aws_access_key_id export AWS_SECRET_ACCESS_KEY=$aws_secret_access_key [[ -z "$aws_session_token" ]] && unset AWS_SESSION_TOKEN || export AWS_SESSION_TOKEN=$aws_session_token - - echo "Switched to AWS Profile: $1"; + echo "Switched to AWS Profile: $1" fi } @@ -120,8 +133,7 @@ function aws_profiles() { function _aws_profiles() { reply=($(aws_profiles)) } -compctl -K _aws_profiles asp aws_change_access_key -compctl -K _aws_profiles acp aws_change_access_key +compctl -K _aws_profiles asp acp aws_change_access_key # AWS prompt function aws_prompt_info() { -- cgit v1.2.3-70-g09d2 From dc4692b53e4a1dc512d405f36f2d2af30c66304b Mon Sep 17 00:00:00 2001 From: Marc Cornellà Date: Tue, 10 Nov 2020 23:20:51 +0100 Subject: fix(aws): fix acp function for MFA without role and other fixes (#9426) * fix(aws): don't duplicate aws_prompt_info function in RPROMPT * refactor(aws): clean up logic in acp function and fix session duration input Fixes #9409 --- plugins/aws/aws.plugin.zsh | 119 ++++++++++++++++++++++++--------------------- 1 file changed, 63 insertions(+), 56 deletions(-) (limited to 'plugins/aws') diff --git a/plugins/aws/aws.plugin.zsh b/plugins/aws/aws.plugin.zsh index e6959759e..ef435fe3b 100644 --- a/plugins/aws/aws.plugin.zsh +++ b/plugins/aws/aws.plugin.zsh 
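Review bot: In the new `elif [[ -n $mfa_opt ]]` branch `$profile` is never assigned — `local profile=$1` appears only inside the `if [[ -n $role_arn ]]` branch above it — so the MFA-only path runs `aws sts get-session-token --profile=` with an empty profile name instead of `$1`, and the "Obtaining session token for profile" message prints a blank. Move `local profile=$1` up beside the other `aws configure get` lookups at the top of the hunk and keep only the source-profile override inside the role branch. Both branches also still feed the command through `eval`, now with a `| tr '\t' '\n'` pipe embedded in a quoted array element, so the role ARN, external id and typed token are re-parsed by the shell; running the array directly with `--output text` and splitting the result on tabs with `${(ps:\t:)...}` removes both the eval and the pipe. acp's body starts before this hunk.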
@@ -26,7 +26,8 @@ function asp() { # AWS profile switch function acp() { if [[ -z "$1" ]]; then - unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN + unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE + unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN echo AWS profile cleared. return fi 
@@ -39,73 +40,79 @@ function acp() { return 1 fi - local aws_access_key_id="$(aws configure get aws_access_key_id --profile $1)" - local aws_secret_access_key="$(aws configure get aws_secret_access_key --profile $1)" - local aws_session_token="$(aws configure get aws_session_token --profile $1)" - local mfa_serial="$(aws configure get mfa_serial --profile $1)" - local role_arn="$(aws configure get role_arn --profile $1)" + local profile="$1" + + # Get fallback credentials for if the aws command fails or no command is run + local aws_access_key_id="$(aws configure get aws_access_key_id --profile $profile)" + local aws_secret_access_key="$(aws configure get aws_secret_access_key --profile $profile)" + local aws_session_token="$(aws configure get aws_session_token --profile $profile)" + # First, if the profile has MFA configured, lets get the token and session duration - local mfa_opt="" + local mfa_serial="$(aws configure get mfa_serial --profile $profile)" - if [[ -n $mfa_serial ]]; then - local mfa_token="" - echo "Please enter your MFA token for $mfa_serial:" + if [[ -n "$mfa_serial" ]]; then + local -a mfa_opt + local mfa_token sess_duration + echo -n "Please enter your MFA token for $mfa_serial: " read -r mfa_token - echo "Please enter the session duration in seconds (900-43200; default: 3600, which is the default maximum for a role):" + echo -n "Please enter the session duration in seconds (900-43200; default: 3600, which is the default maximum for a role): " read -r sess_duration - if [[ -z $sess_duration ]]; then - sess_duration="3600" - fi - mfa_opt="--serial-number $mfa_serial --token-code $mfa_token --duration-seconds $sess_duration" - fi + mfa_opt=(--serial-number "$mfa_serial" --token-code "$mfa_token" --duration-seconds "${sess_duration:-3600}") - # Now see whether we need to just MFA for the current role, or assume a different one - local credentials_output="" - if [[ -n $role_arn ]]; then - # Means we need to assume a specified role + # Now see 
whether we need to just MFA for the current role, or assume a different one + local role_arn="$(aws configure get role_arn --profile $profile)" - # Check whether external_id is configured to use while assuming the role - local ext_id="$(aws configure get external_id --profile $1)" - local extid_opt="" - if [[ -n $ext_id ]]; then - extid_opt="--external-id $ext_id" - fi + if [[ -n "$role_arn" ]]; then + # Means we need to assume a specified role + aws_command=(aws sts assume-role --role-arn "$role_arn" "${mfa_opt[@]}") + + # Check whether external_id is configured to use while assuming the role + local external_id="$(aws configure get external_id --profile "$profile")" + if [[ -n "$external_id" ]]; then + aws_command+=(--external-id "$external_id") + fi + + # Get source profile to use to assume role + local source_profile="$(aws configure get source_profile --profile "$profile")" + aws_command+=(--profile="${source_profile:-profile}" --role-session-name "${source_profile:-profile}") - # Get source profile to use to assume role - local profile=$1 - local source_profile="$(aws configure get source_profile --profile "$1")" - if [[ -n $source_profile ]]; then - profile=$source_profile + echo "Assuming role $role_arn using profile ${source_profile:-profile}" + else + # Means we only need to do MFA + aws_command=(aws sts get-session-token --profile="$profile" "${mfa_opt[@]}") + echo "Obtaining session token for profile $profile" fi - echo "Assuming role $role_arn using profile $profile" - local assume_cmd=(aws sts assume-role "--profile=$profile" "--role-arn $role_arn" "--role-session-name $profile" "$mfa_opt" "$extid_opt" - "--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text | tr '\t' '\n'") - credentials_output="$(eval "${assume_cmd[@]}")" - elif [[ -n $mfa_opt ]]; then - # Means we only need to do MFA - echo "Obtaining session token for profile $profile" - local get_token_cmd=(aws sts get-session-token 
"--profile=$profile" "$mfa_opt" - "--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text | tr '\t' '\n'") - credentials_output="$(eval "${get_token_cmd[@]}")" - fi + # Format output of aws command for easier processing + aws_command+=(--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text) - if [[ -n $credentials_output ]]; then - local credentials=("${(f)credentials_output}") - aws_access_key_id=${credentials[1]} - aws_secret_access_key=${credentials[2]} - aws_session_token=${credentials[3]} + # Run the aws command to obtain credentials + local -a credentials + credentials=(${(ps:\t:)"$(${aws_command[@]})"}) + + if [[ -n "$credentials" ]]; then + aws_access_key_id="${credentials[1]}" + aws_secret_access_key="${credentials[2]}" + aws_session_token="${credentials[3]}" + fi fi - if [[ -n $aws_access_key_id && -n $aws_secret_access_key ]]; then - export AWS_DEFAULT_PROFILE=$1 - export AWS_PROFILE=$1 - export AWS_EB_PROFILE=$1 - export AWS_ACCESS_KEY_ID=$aws_access_key_id - export AWS_SECRET_ACCESS_KEY=$aws_secret_access_key - [[ -z "$aws_session_token" ]] && unset AWS_SESSION_TOKEN || export AWS_SESSION_TOKEN=$aws_session_token - echo "Switched to AWS Profile: $1" + # Switch to AWS profile + if [[ -n "${aws_access_key_id}" && -n "$aws_secret_access_key" ]]; then + export AWS_DEFAULT_PROFILE="$profile" + export AWS_PROFILE="$profile" + export AWS_EB_PROFILE="$profile" + export AWS_ACCESS_KEY_ID="$aws_access_key_id" + export AWS_SECRET_ACCESS_KEY="$aws_secret_access_key" + + if [[ -n "$aws_session_token" ]]; then + export AWS_SESSION_TOKEN="$aws_session_token" + else + unset AWS_SESSION_TOKEN + fi + + echo "Switched to AWS Profile: $profile" fi } 
@@ -141,7 +148,7 @@ function aws_prompt_info() { echo "${ZSH_THEME_AWS_PREFIX:=}" } -if [ "$SHOW_AWS_PROMPT" != false ]; then +if [[ "$SHOW_AWS_PROMPT" != false && "$RPROMPT" != *'$(aws_prompt_info)'* ]]; then RPROMPT='$(aws_prompt_info)'"$RPROMPT" fi -- cgit v1.2.3-70-g09d2 From 1beac5958ede29855ef2ac4313ada83ed37f5ea8 Mon Sep 17 00:00:00 2001 From: Rob Vadai Date: Wed, 11 Nov 2020 15:14:57 +0000 Subject: docs(aws): add config examples (#9422) --- plugins/aws/README.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'plugins/aws') diff --git a/plugins/aws/README.md b/plugins/aws/README.md index 4c2ae96e5..011bbd8b4 100644 --- a/plugins/aws/README.md +++ b/plugins/aws/README.md @@ -43,3 +43,33 @@ the current `$AWS_PROFILE`. It uses two variables to control how that is shown: * ZSH_THEME_AWS_PREFIX: sets the prefix of the AWS_PROFILE. Defaults to ``. + +## Configuration + +[Configuration and credential file settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) by AWS + +### Scenario: IAM roles with a source profile and MFA authentication + +Source profile credentials in `~/.aws/credentials`: + +``` +[source-profile-name] +aws_access_key_id = ... +aws_secret_access_key = ... +``` + +Role configuration in `~/.aws/config`: + +``` +[profile source-profile-name] +mfa_serial = arn:aws:iam::111111111111:mfa/myuser +region = us-east-1 +output = json + +[profile profile-with-role] +role_arn = arn:aws:iam::9999999999999:role/myrole +mfa_serial = arn:aws:iam::111111111111:mfa/myuser +source_profile = source-profile-name +region = us-east-1 +output = json +``` -- cgit v1.2.3-70-g09d2 From ce836647e5e8b11246e2ef7069001287dc7cdd2b Mon Sep 17 00:00:00 2001 
From: Roman Danyk <17525890+RomanDanyk@users.noreply.github.com> Date: Thu, 19 Nov 2020 18:24:09 +0200 Subject: feat(aws): respect optional parameters from the AWS CLI config file (#9453) --- plugins/aws/aws.plugin.zsh | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) (limited to 'plugins/aws') diff --git a/plugins/aws/aws.plugin.zsh b/plugins/aws/aws.plugin.zsh index ef435fe3b..e1566b113 100644 --- a/plugins/aws/aws.plugin.zsh +++ b/plugins/aws/aws.plugin.zsh 
@@ -50,32 +50,39 @@ function acp() { # First, if the profile has MFA configured, lets get the token and session duration local mfa_serial="$(aws configure get mfa_serial --profile $profile)" + local sess_duration="$(aws configure get duration_seconds --profile $profile)" if [[ -n "$mfa_serial" ]]; then local -a mfa_opt - local mfa_token sess_duration + local mfa_token echo -n "Please enter your MFA token for $mfa_serial: " read -r mfa_token - echo -n "Please enter the session duration in seconds (900-43200; default: 3600, which is the default maximum for a role): " - read -r sess_duration + if [[ -z "$sess_duration" ]]; then + echo -n "Please enter the session duration in seconds (900-43200; default: 3600, which is the default maximum for a role): " + read -r sess_duration + fi mfa_opt=(--serial-number "$mfa_serial" --token-code "$mfa_token" --duration-seconds "${sess_duration:-3600}") # Now see whether we need to just MFA for the current role, or assume a different one local role_arn="$(aws configure get role_arn --profile $profile)" + local sess_name="$(aws configure get role_session_name --profile $profile)" if [[ -n "$role_arn" ]]; then # Means we need to assume a specified role aws_command=(aws sts assume-role --role-arn "$role_arn" "${mfa_opt[@]}") # Check whether external_id is configured to use while assuming the role - local external_id="$(aws configure get external_id --profile "$profile")" + local external_id="$(aws configure get external_id --profile $profile)" if [[ -n "$external_id" ]]; then aws_command+=(--external-id "$external_id") fi # Get source profile to use to assume role - local source_profile="$(aws configure get source_profile --profile "$profile")" - aws_command+=(--profile="${source_profile:-profile}" --role-session-name "${source_profile:-profile}") + local source_profile="$(aws configure get source_profile --profile $profile)" + if [[ -z "$sess_name" ]]; then + sess_name="${source_profile:-profile}" + fi + 
aws_command+=(--profile="${source_profile:-profile}" --role-session-name "${sess_name}") echo "Assuming role $role_arn using profile ${source_profile:-profile}" else @@ -122,13 +129,13 @@ function aws_change_access_key() { return 1 fi - echo Insert the credentials when asked. + echo "Insert the credentials when asked." asp "$1" || return 1 AWS_PAGER="" aws iam create-access-key AWS_PAGER="" aws configure --profile "$1" - echo You can now safely delete the old access key running \`aws iam delete-access-key --access-key-id ID\` - echo Your current keys are: + echo "You can now safely delete the old access key running \`aws iam delete-access-key --access-key-id ID\`" + echo "Your current keys are:" AWS_PAGER="" aws iam list-access-keys } -- cgit v1.2.3-70-g09d2