From 23f9348e2c2341df71b1891eb4607f60ddd5a204 Mon Sep 17 00:00:00 2001 From: Sergei Shvetsov Date: Tue, 13 Jul 2021 15:05:33 +0700 Subject: [PATCH] fix(aws): allow for profile switch w/o MFA configured (#9924) --- plugins/aws/aws.plugin.zsh | 66 +++++++++++++++++++------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/plugins/aws/aws.plugin.zsh b/plugins/aws/aws.plugin.zsh index e1566b11..2d095635 100644 --- a/plugins/aws/aws.plugin.zsh +++ b/plugins/aws/aws.plugin.zsh @@ -62,47 +62,47 @@ function acp() { read -r sess_duration fi mfa_opt=(--serial-number "$mfa_serial" --token-code "$mfa_token" --duration-seconds "${sess_duration:-3600}") + fi - # Now see whether we need to just MFA for the current role, or assume a different one - local role_arn="$(aws configure get role_arn --profile $profile)" - local sess_name="$(aws configure get role_session_name --profile $profile)" - - if [[ -n "$role_arn" ]]; then - # Means we need to assume a specified role - aws_command=(aws sts assume-role --role-arn "$role_arn" "${mfa_opt[@]}") + # Now see whether we need to just MFA for the current role, or assume a different one + local role_arn="$(aws configure get role_arn --profile $profile)" + local sess_name="$(aws configure get role_session_name --profile $profile)" - # Check whether external_id is configured to use while assuming the role - local external_id="$(aws configure get external_id --profile $profile)" - if [[ -n "$external_id" ]]; then - aws_command+=(--external-id "$external_id") - fi + if [[ -n "$role_arn" ]]; then + # Means we need to assume a specified role + aws_command=(aws sts assume-role --role-arn "$role_arn" "${mfa_opt[@]}") - # Get source profile to use to assume role - local source_profile="$(aws configure get source_profile --profile $profile)" - if [[ -z "$sess_name" ]]; then - sess_name="${source_profile:-profile}" - fi - aws_command+=(--profile="${source_profile:-profile}" --role-session-name "${sess_name}") + # Check whether external_id is configured to use while assuming the role + local external_id="$(aws configure get external_id --profile $profile)" + if [[ -n "$external_id" ]]; then + aws_command+=(--external-id "$external_id") + fi - echo "Assuming role $role_arn using profile ${source_profile:-profile}" - else - # Means we only need to do MFA - aws_command=(aws sts get-session-token --profile="$profile" "${mfa_opt[@]}") - echo "Obtaining session token for profile $profile" + # Get source profile to use to assume role + local source_profile="$(aws configure get source_profile --profile $profile)" + if [[ -z "$sess_name" ]]; then + sess_name="${source_profile:-profile}" fi + aws_command+=(--profile="${source_profile:-profile}" --role-session-name "${sess_name}") - # Format output of aws command for easier processing - aws_command+=(--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text) + echo "Assuming role $role_arn using profile ${source_profile:-profile}" + else + # Means we only need to do MFA + aws_command=(aws sts get-session-token --profile="$profile" "${mfa_opt[@]}") + echo "Obtaining session token for profile $profile" + fi - # Run the aws command to obtain credentials - local -a credentials - credentials=(${(ps:\t:)"$(${aws_command[@]})"}) + # Format output of aws command for easier processing + aws_command+=(--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text) - if [[ -n "$credentials" ]]; then - aws_access_key_id="${credentials[1]}" - aws_secret_access_key="${credentials[2]}" - aws_session_token="${credentials[3]}" - fi + # Run the aws command to obtain credentials + local -a credentials + credentials=(${(ps:\t:)"$(${aws_command[@]})"}) + + if [[ -n "$credentials" ]]; then + aws_access_key_id="${credentials[1]}" + aws_secret_access_key="${credentials[2]}" + aws_session_token="${credentials[3]}" fi # Switch to AWS profile -- GitLab