123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212 |
- function agp() {
- echo $AWS_PROFILE
- }
- # AWS profile selection
- function asp() {
- if [[ -z "$1" ]]; then
- unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE
- echo AWS profile cleared.
- return
- fi
- local -a available_profiles
- available_profiles=($(aws_profiles))
- if [[ -z "${available_profiles[(r)$1]}" ]]; then
- echo "${fg[red]}Profile '$1' not found in '${AWS_CONFIG_FILE:-$HOME/.aws/config}'" >&2
- echo "Available profiles: ${(j:, :)available_profiles:-no profiles found}${reset_color}" >&2
- return 1
- fi
- export AWS_DEFAULT_PROFILE=$1
- export AWS_PROFILE=$1
- export AWS_EB_PROFILE=$1
- if [[ "$2" == "login" ]]; then
- aws sso login
- fi
- }
- # AWS profile switch
- function acp() {
- if [[ -z "$1" ]]; then
- unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE
- unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
- echo AWS profile cleared.
- return
- fi
- local -a available_profiles
- available_profiles=($(aws_profiles))
- if [[ -z "${available_profiles[(r)$1]}" ]]; then
- echo "${fg[red]}Profile '$1' not found in '${AWS_CONFIG_FILE:-$HOME/.aws/config}'" >&2
- echo "Available profiles: ${(j:, :)available_profiles:-no profiles found}${reset_color}" >&2
- return 1
- fi
- local profile="$1"
- local mfa_token="$2"
- # Get fallback credentials for if the aws command fails or no command is run
- local aws_access_key_id="$(aws configure get aws_access_key_id --profile $profile)"
- local aws_secret_access_key="$(aws configure get aws_secret_access_key --profile $profile)"
- local aws_session_token="$(aws configure get aws_session_token --profile $profile)"
- # First, if the profile has MFA configured, lets get the token and session duration
- local mfa_serial="$(aws configure get mfa_serial --profile $profile)"
- local sess_duration="$(aws configure get duration_seconds --profile $profile)"
- if [[ -n "$mfa_serial" ]]; then
- local -a mfa_opt
- if [[ -z "$mfa_token" ]]; then
- echo -n "Please enter your MFA token for $mfa_serial: "
- read -r mfa_token
- fi
- if [[ -z "$sess_duration" ]]; then
- echo -n "Please enter the session duration in seconds (900-43200; default: 3600, which is the default maximum for a role): "
- read -r sess_duration
- fi
- mfa_opt=(--serial-number "$mfa_serial" --token-code "$mfa_token" --duration-seconds "${sess_duration:-3600}")
- fi
- # Now see whether we need to just MFA for the current role, or assume a different one
- local role_arn="$(aws configure get role_arn --profile $profile)"
- local sess_name="$(aws configure get role_session_name --profile $profile)"
- if [[ -n "$role_arn" ]]; then
- # Means we need to assume a specified role
- aws_command=(aws sts assume-role --role-arn "$role_arn" "${mfa_opt[@]}")
- # Check whether external_id is configured to use while assuming the role
- local external_id="$(aws configure get external_id --profile $profile)"
- if [[ -n "$external_id" ]]; then
- aws_command+=(--external-id "$external_id")
- fi
- # Get source profile to use to assume role
- local source_profile="$(aws configure get source_profile --profile $profile)"
- if [[ -z "$sess_name" ]]; then
- sess_name="${source_profile:-profile}"
- fi
- aws_command+=(--profile="${source_profile:-profile}" --role-session-name "${sess_name}")
- echo "Assuming role $role_arn using profile ${source_profile:-profile}"
- else
- # Means we only need to do MFA
- aws_command=(aws sts get-session-token --profile="$profile" "${mfa_opt[@]}")
- echo "Obtaining session token for profile $profile"
- fi
- # Format output of aws command for easier processing
- aws_command+=(--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text)
- # Run the aws command to obtain credentials
- local -a credentials
- credentials=(${(ps:\t:)"$(${aws_command[@]})"})
- if [[ -n "$credentials" ]]; then
- aws_access_key_id="${credentials[1]}"
- aws_secret_access_key="${credentials[2]}"
- aws_session_token="${credentials[3]}"
- fi
- # Switch to AWS profile
- if [[ -n "${aws_access_key_id}" && -n "$aws_secret_access_key" ]]; then
- export AWS_DEFAULT_PROFILE="$profile"
- export AWS_PROFILE="$profile"
- export AWS_EB_PROFILE="$profile"
- export AWS_ACCESS_KEY_ID="$aws_access_key_id"
- export AWS_SECRET_ACCESS_KEY="$aws_secret_access_key"
- if [[ -n "$aws_session_token" ]]; then
- export AWS_SESSION_TOKEN="$aws_session_token"
- else
- unset AWS_SESSION_TOKEN
- fi
- echo "Switched to AWS Profile: $profile"
- fi
- }
- function aws_change_access_key() {
- if [[ -z "$1" ]]; then
- echo "usage: $0 <profile>"
- return 1
- fi
- echo "Insert the credentials when asked."
- asp "$1" || return 1
- AWS_PAGER="" aws iam create-access-key
- AWS_PAGER="" aws configure --profile "$1"
- echo "You can now safely delete the old access key running \`aws iam delete-access-key --access-key-id ID\`"
- echo "Your current keys are:"
- AWS_PAGER="" aws iam list-access-keys
- }
- function aws_profiles() {
- [[ -r "${AWS_CONFIG_FILE:-$HOME/.aws/config}" ]] || return 1
- grep --color=never -Eo '\[.*\]' "${AWS_CONFIG_FILE:-$HOME/.aws/config}" | sed -E 's/^[[:space:]]*\[(profile)?[[:space:]]*([-_[:alnum:]\.@]+)\][[:space:]]*$/\2/g'
- }
- function _aws_profiles() {
- reply=($(aws_profiles))
- }
- compctl -K _aws_profiles asp acp aws_change_access_key
- # AWS prompt
- function aws_prompt_info() {
- [[ -n "$AWS_PROFILE" ]] || return
- echo "${ZSH_THEME_AWS_PREFIX:=<aws:}${AWS_PROFILE:gs/%/%%}${ZSH_THEME_AWS_SUFFIX:=>}"
- }
- if [[ "$SHOW_AWS_PROMPT" != false && "$RPROMPT" != *'$(aws_prompt_info)'* ]]; then
- RPROMPT='$(aws_prompt_info)'"$RPROMPT"
- fi
- # Load awscli completions
- # AWS CLI v2 comes with its own autocompletion. Check if that is there, otherwise fall back
- if command -v aws_completer &> /dev/null; then
- autoload -Uz bashcompinit && bashcompinit
- complete -C aws_completer aws
- else
- function _awscli-homebrew-installed() {
- # check if Homebrew is installed
- (( $+commands[brew] )) || return 1
- # speculatively check default brew prefix
- if [ -h /usr/local/opt/awscli ]; then
- _brew_prefix=/usr/local/opt/awscli
- else
- # ok, it is not in the default prefix
- # this call to brew is expensive (about 400 ms), so at least let's make it only once
- _brew_prefix=$(brew --prefix awscli)
- fi
- }
- # get aws_zsh_completer.sh location from $PATH
- _aws_zsh_completer_path="$commands[aws_zsh_completer.sh]"
- # otherwise check common locations
- if [[ -z $_aws_zsh_completer_path ]]; then
- # Homebrew
- if _awscli-homebrew-installed; then
- _aws_zsh_completer_path=$_brew_prefix/libexec/bin/aws_zsh_completer.sh
- # Ubuntu
- elif [[ -e /usr/share/zsh/vendor-completions/_awscli ]]; then
- _aws_zsh_completer_path=/usr/share/zsh/vendor-completions/_awscli
- # NixOS
- elif [[ -e "${commands[aws]:P:h:h}/share/zsh/site-functions/aws_zsh_completer.sh" ]]; then
- _aws_zsh_completer_path="${commands[aws]:P:h:h}/share/zsh/site-functions/aws_zsh_completer.sh"
- # RPM
- else
- _aws_zsh_completer_path=/usr/share/zsh/site-functions/aws_zsh_completer.sh
- fi
- fi
- [[ -r $_aws_zsh_completer_path ]] && source $_aws_zsh_completer_path
- unset _aws_zsh_completer_path _brew_prefix
- fi
|