I don't have my keys encrypted, but in our projects a normal user can't do anything without assuming a “terraform” IAM role, and to assume that role they MUST have MFA enabled.
Sadly, terraform doesn't support the .aws/config file yet, but we use this trick to assume a role:
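#!/usr/bin/env bash
# Assume an MFA-protected IAM role via STS and export the temporary
# credentials into the current shell.
#
# Intended to be sourced (`. this-file`), not executed: the `export`s below
# only reach the caller's shell when sourced, which is also why main() fails
# with `return` rather than `exit` (an `exit` would close the user's shell).
# For the same reason no `set -e`/`set -u` is switched on here.
#
# Required env: AWS_PROFILE - name of a `[profile NAME]` section in the AWS CLI
#               config (AWS_CONFIG_FILE overrides the default ~/.aws/config).
# Required keys in that section: source_profile, role_arn, mfa_serial.
# Requires the `aws` and `jq` commands on PATH.

#######################################
# Print one key of a `[profile NAME]` section of an AWS CLI config file.
# Sections are matched exactly, so "[profile dev]" does not also match
# "[profile mydev]"; the key may appear anywhere in the section.
# Arguments: $1 - config file path
#            $2 - profile name (without the "profile " prefix)
#            $3 - key name, e.g. role_arn
# Outputs:   the value (text after the first "=", trimmed) on stdout
# Returns:   0 if found and non-empty, 1 otherwise (message on stderr)
#######################################
_aws_config_value() {
  local config_file=$1 profile=$2 key=$3
  local value
  # Note: awk -v interprets backslash escapes, so a profile name containing
  # backslashes would need escaping; such names are not expected here.
  value=$(awk -v section="[profile ${profile}]" -v key="$key" '
    # A header line switches the "inside the wanted section" flag.
    /^[ \t]*\[/ {
      gsub(/^[ \t]+|[ \t]+$/, "")
      inside = ($0 == section)
      next
    }
    inside {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k != key) next
      v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      print v
      exit
    }
  ' "$config_file") || return 1
  if [[ -z "$value" ]]; then
    printf '%s\n' "${key} is not set for [profile ${profile}] in ${config_file}" >&2
    return 1
  fi
  printf '%s\n' "$value"
}

#######################################
# Read the role settings for $AWS_PROFILE, prompt for an MFA code, call
# `aws sts assume-role` and export the resulting temporary credentials.
# Globals:   AWS_PROFILE, AWS_CONFIG_FILE, HOME (read);
#            AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
#            (cleared, then exported on success)
# Arguments: none
# Outputs:   the MFA prompt on stdout; errors on stderr
# Returns:   0 on success, 1 on any failure (nothing is exported then)
#######################################
main() {
  local config_file=${AWS_CONFIG_FILE:-${HOME}/.aws/config}
  local source_profile role_arn mfa_serial token_code temporary_credentials
  local access_key_id secret_access_key session_token

  if [[ -z "${AWS_PROFILE:-}" ]]; then
    printf '%s\n' "Set the AWS_PROFILE environment variable" >&2
    return 1
  fi

  # Start from a clean environment so a previous run's temporary credentials
  # are never carried over or left half-replaced.
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

  # Each lookup fails loudly; the original grep chain silently yielded empty
  # strings when a key was missing or more than 3 lines below the header.
  source_profile=$(_aws_config_value "$config_file" "$AWS_PROFILE" source_profile) || return 1
  role_arn=$(_aws_config_value "$config_file" "$AWS_PROFILE" role_arn) || return 1
  mfa_serial=$(_aws_config_value "$config_file" "$AWS_PROFILE" mfa_serial) || return 1

  printf 'Enter MFA Code: '
  # -s keeps the code off the terminal, -r keeps backslashes literal; -s also
  # swallows the user's newline, hence the explicit one afterwards.
  read -r -s token_code || return 1
  printf '\n'
  if [[ -z "$token_code" ]]; then
    printf '%s\n' "MFA code must not be empty" >&2
    return 1
  fi

  # The MFA code travels on the command line and is therefore visible in the
  # process list for the duration of the call; it is short-lived by design.
  temporary_credentials=$(aws --profile "$source_profile" \
    sts assume-role \
    --role-arn="$role_arn" \
    --serial-number="$mfa_serial" \
    --token-code="$token_code" \
    --role-session-name="terraform-access") || return 1

  # jq -e exits non-zero when the field is null/missing, so a malformed
  # response is caught instead of exporting the literal string "null".
  access_key_id=$(jq -re '.Credentials.AccessKeyId' <<<"$temporary_credentials") || return 1
  secret_access_key=$(jq -re '.Credentials.SecretAccessKey' <<<"$temporary_credentials") || return 1
  session_token=$(jq -re '.Credentials.SessionToken' <<<"$temporary_credentials") || return 1

  # Export only after all three values parsed, so the environment never ends
  # up with a partial credential set.
  export AWS_ACCESS_KEY_ID="$access_key_id"
  export AWS_SECRET_ACCESS_KEY="$secret_access_key"
  export AWS_SESSION_TOKEN="$session_token"
}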
# Entry point; main() ignores its arguments, so forwarding them is harmless.
main "$@"