add saml2aws_generate_config.sh script (#62)

* add saml2aws_generate_config.sh script * improve and format code
quortex · Mar 22, 2023 · 74a0481 · 74a0481
1 parent 736a4e6
commit 74a0481
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -154,6 +154,7 @@ Available options :
 Provision the resources needed to store terraform states on AZURE.
 
 A container on Azure Storage Account will be created. State locking is support by default.
+
 ### Usage
 
 ```
@@ -168,7 +169,7 @@ Available options :
  -st The name of Storage Account.
  -ct The name of Container.
  -h Display this help.
-
+```
 
 If you have probleme with write access of state, go to portal.azure.com and assign you the rights "Storage Blob Data Owner" to the subscription or on the storage account.
 
@@ -192,3 +193,25 @@ Available options :
  -c CLUSTER_NAME Set the name of the cluster (default ${CLUSTER_NAME}).
  -h Display this help.
 ```
+
+---
+
+## saml2aws_generate_config
+
+This script is based on [saml2aws](https://github.com/Versent/saml2aws) in order to list the available roles and automatically generate a config for aws cli containing the profiles matching the different accounts / roles.
+
+Generated profiles are configured to source credentials from saml2aws automatically (see [Sourcing credentials with an external process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html)).
+
+### Usage
+
+Display the config :
+
+```
+./saml2aws_generate_config.sh
+```
+
+Overwrite your current AWS cli config:
+
+```
+./saml2aws_generate_config.sh ~/.aws/config
+```
diff --git a/saml2aws_generate_config.sh b/saml2aws_generate_config.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+#
+# This script is based on saml2aws in order to list the available roles and
+# automatically generate a config for aws cli containing the profiles matching
+# the different accounts / roles. Generated profiles use the credential_process
+# feature to execute saml2aws login automatically.
+
+set -euo pipefail
+
+ACCOUNT_REGEX="^Account: ([^[:space:]]*).*"
+ROLE_REGEX="arn:aws:iam::.*:role\/([^[:space:]]*)"
+account=
+
+# Retrieve role list from saml2aws
+roles_list=$(saml2aws list-roles --skip-prompt)
+num_lines=$(echo "$roles_list" | wc -l)
+current_line=0
+
+# Iterate over role list to generate aws config
+echo "$roles_list" | while read -r line; do
+ current_line=$((${current_line} + 1))
+
+ # Capture AWS account alias
+ if [[ $line =~ $ACCOUNT_REGEX ]]; then
+ account="${BASH_REMATCH[1]}"
+ echo "## ${line}"
+ echo "##"
+ fi
+
+ # Capture role name
+ if [[ $line =~ $ROLE_REGEX ]]; then
+ role_arn=$line
+ role_name="${BASH_REMATCH[1]}"
+ profile="${account}/${role_name}"
+ echo "[profile ${profile}]"
+ echo "output = json"
+ echo "credential_process = saml2aws login --skip-prompt --quiet --credential-process --role ${role_arn} --profile ${profile}-saml2aws"
+ if [[ $current_line -ne $num_lines ]]; then
+ echo ""
+ fi
+ fi
+done