* Add okta support * Remove package * bash fmt
Showing
7 changed files
with
144 additions
and
73 deletions.
@@ -0,0 +1,60 @@ | ||
#!/usr/bin/env bash | ||
|
||
if [ "${AWS_OKTA_ENABLED}" == "true" ]; then | ||
if ! which aws-okta >/dev/null; then | ||
echo "aws-okta not installed" | ||
exit 1 | ||
fi | ||
|
||
if [ -n "${AWS_OKTA_PROFILE}" ]; then | ||
export ASSUME_ROLE=${AWS_OKTA_PROFILE} | ||
# Set the Terraform `aws_assume_role_arn` based on our current context | ||
export TF_VAR_aws_assume_role_arn=$(aws sts get-caller-identity --output text --query 'Arn' | sed 's/:sts:/:iam:/g' | sed 's,:assumed-role/,:role/,' | cut -d/ -f1-2) | ||
echo | ||
echo "* Assumed role $(green ${TF_VAR_aws_assume_role_arn})" | ||
else | ||
AWS_VAULT_ARGS=("--assume-role-ttl=${AWS_VAULT_ASSUME_ROLE_TTL}") | ||
[ -d /localhost/.aws-okta ] || mkdir -p /localhost/.aws-okta | ||
ln -sf /localhost/.aws-okta ${HOME} | ||
fi | ||
|
||
PROMPT_HOOKS+=("aws_okta_prompt") | ||
function aws_okta_prompt() { | ||
if [ -z "${AWS_OKTA_PROFILE}" ]; then | ||
echo -e "-> Run '$(green assume-role)' to login to AWS with aws-okta" | ||
fi | ||
} | ||
|
||
# Alias to start a shell or run a command with an assumed role | ||
function aws_okta_assume_role() { | ||
role=${1:-${AWS_DEFAULT_PROFILE}} | ||
|
||
# Do not allow nested roles | ||
if [ -n "${AWS_OKTA_PROFILE}" ]; then | ||
echo "Type '$(green exit)' before attempting to assume another role" | ||
return 1 | ||
fi | ||
|
||
if [ -z "${role}" ]; then | ||
echo "Usage: $0 [role]" | ||
return 1 | ||
fi | ||
# Sync the clock in the Docker Virtual Machine to the system's hardware clock to avoid time drift | ||
# (Only works in privileged mode) | ||
hwclock -s >/dev/null 2>&1 | ||
if [ $? -ne 0 ]; then | ||
echo "* $(yellow Failed to sync system time from hardware clock)" | ||
fi | ||
|
||
shift | ||
if [ $# -eq 0 ]; then | ||
aws-okta exec ${AWS_OKTA_ARGS[@]} $role -- bash -l | ||
else | ||
aws-okta exec ${AWS_OKTA_ARGS[@]} $role -- $* | ||
fi | ||
} | ||
|
||
function assume-role() { | ||
aws_okta_assume_role $* | ||
} | ||
fi |
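Review bot: The TTL built in the `else` branch goes into `AWS_VAULT_ARGS`, but both `aws-okta exec` lines in aws_okta_assume_role expand `${AWS_OKTA_ARGS[@]}`, which nothing in this file sets, so the configured `AWS_VAULT_ASSUME_ROLE_TTL` is silently dropped and the role session falls back to aws-okta's default length (unless `AWS_OKTA_ARGS` is exported from elsewhere). Assuming aws-okta accepts the same flag, the assignment should read `AWS_OKTA_ARGS=("--assume-role-ttl=${AWS_VAULT_ASSUME_ROLE_TTL}")`, and the exec lines should quote their expansions, `aws-okta exec "${AWS_OKTA_ARGS[@]}" "$role" -- "$@"`, since `$*` flattens and re-splits the user's command and breaks any argument containing whitespace. `role` is assigned without `local`, so it leaks into the interactive shell that sources this file; `local role=${1:-${AWS_DEFAULT_PROFILE}}` fixes that. Finally, `export TF_VAR_aws_assume_role_arn=$(aws sts get-caller-identity ...)` hides a failed STS call: the variable is exported empty and the "Assumed role" banner prints blank, so the call's exit status should be checked before the banner is printed.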
@@ -1,63 +1,70 @@ | ||
#!/bin/bash | ||
|
||
if [ -n "${AWS_VAULT}" ]; then | ||
# Set the Terraform `aws_assume_role_arn` based on our current context | ||
export TF_VAR_aws_assume_role_arn=$(aws sts get-caller-identity --output text --query 'Arn' | sed 's/:sts:/:iam:/g' | sed 's,:assumed-role/,:role/,' | cut -d/ -f1-2) | ||
echo "* Assumed role $(green ${TF_VAR_aws_assume_role_arn})" | ||
else | ||
AWS_VAULT_ARGS=("--assume-role-ttl=${AWS_VAULT_ASSUME_ROLE_TTL}") | ||
[ -d /localhost/.awsvault ] || mkdir -p /localhost/.awsvault | ||
ln -sf /localhost/.awsvault ${HOME} | ||
if [ "${VAULT_SERVER_ENABLED:-true}" == "true" ]; then | ||
curl -sSL --connect-timeout 0.1 -o /dev/null --stderr /dev/null http://169.254.169.254/latest/meta-data/iam/security-credentials | ||
result=$? | ||
if [ $result -ne 0 ]; then | ||
echo "* Started EC2 metadata service at $(green http://169.254.169.254/latest)" | ||
aws-vault server & | ||
AWS_VAULT_ARGS+=("--server") | ||
else | ||
echo "* EC2 metadata server already running" | ||
fi | ||
if [ "${AWS_VAULT_ENABLED}" == "true" ]; then | ||
if ! which aws-vault >/dev/null; then | ||
echo "aws-vault not installed" | ||
exit 1 | ||
fi | ||
fi | ||
|
||
PROMPT_HOOKS+=("aws_vault_prompt") | ||
function aws_vault_prompt() { | ||
if [ -z "${AWS_VAULT}" ]; then | ||
echo -e "-> Run '$(green assume-role)' to login to AWS" | ||
if [ -n "${AWS_VAULT}" ]; then | ||
export ASSUME_ROLE=${AWS_VAULT} | ||
# Set the Terraform `aws_assume_role_arn` based on our current context | ||
export TF_VAR_aws_assume_role_arn=$(aws sts get-caller-identity --output text --query 'Arn' | sed 's/:sts:/:iam:/g' | sed 's,:assumed-role/,:role/,' | cut -d/ -f1-2) | ||
echo "* Assumed role $(green ${TF_VAR_aws_assume_role_arn})" | ||
else | ||
AWS_VAULT_ARGS=("--assume-role-ttl=${AWS_VAULT_ASSUME_ROLE_TTL}") | ||
[ -d /localhost/.awsvault ] || mkdir -p /localhost/.awsvault | ||
ln -sf /localhost/.awsvault ${HOME} | ||
if [ "${VAULT_SERVER_ENABLED:-true}" == "true" ]; then | ||
curl -sSL --connect-timeout 0.1 -o /dev/null --stderr /dev/null http://169.254.169.254/latest/meta-data/iam/security-credentials | ||
result=$? | ||
if [ $result -ne 0 ]; then | ||
echo "* Started EC2 metadata service at $(green http://169.254.169.254/latest)" | ||
aws-vault server & | ||
AWS_VAULT_ARGS+=("--server") | ||
else | ||
echo "* EC2 metadata server already running" | ||
fi | ||
fi | ||
fi | ||
} | ||
|
||
# Alias to start a shell or run a command with an assumed role | ||
function assume-role() { | ||
role=${1:-${AWS_DEFAULT_PROFILE}} | ||
PROMPT_HOOKS+=("aws_vault_prompt") | ||
function aws_vault_prompt() { | ||
if [ -z "${AWS_VAULT}" ]; then | ||
echo -e "-> Run '$(green assume-role)' to login to AWS with aws-vault" | ||
fi | ||
} | ||
|
||
# Do not allow nested roles | ||
if [ -n "${AWS_VAULT}" ]; then | ||
echo "Type '$(green exit)' before attempting to assume another role" | ||
return 1 | ||
fi | ||
# Start a shell or run a command with an assumed role | ||
function aws_vault_assume_role() { | ||
role=${1:-${AWS_DEFAULT_PROFILE}} | ||
|
||
if [ -z "${role}" ]; then | ||
echo "Usage: $0 [role]" | ||
return 1 | ||
fi | ||
# Sync the clock in the Docker Virtual Machine to the system's hardware clock to avoid time drift | ||
# (Only works in privileged mode) | ||
hwclock -s >/dev/null 2>&1 | ||
if [ $? -ne 0 ]; then | ||
echo "* $(yellow Failed to sync system time from hardware clock)" | ||
fi | ||
# Do not allow nested roles | ||
if [ -n "${AWS_VAULT}" ]; then | ||
echo "Type '$(green exit)' before attempting to assume another role" | ||
return 1 | ||
fi | ||
|
||
shift | ||
if [ $# -eq 0 ]; then | ||
aws-vault exec ${AWS_VAULT_ARGS[@]} $role -- bash -l | ||
else | ||
aws-vault exec ${AWS_VAULT_ARGS[@]} $role -- $* | ||
fi | ||
} | ||
if [ -z "${role}" ]; then | ||
echo "Usage: $0 [role]" | ||
return 1 | ||
fi | ||
# Sync the clock in the Docker Virtual Machine to the system's hardware clock to avoid time drift | ||
# (Only works in privileged mode) | ||
hwclock -s >/dev/null 2>&1 | ||
if [ $? -ne 0 ]; then | ||
echo "* $(yellow Failed to sync system time from hardware clock)" | ||
fi | ||
|
||
# Alias for backwards compatbility | ||
function use-profile() { | ||
assume-role $* | ||
} | ||
shift | ||
if [ $# -eq 0 ]; then | ||
aws-vault exec ${AWS_VAULT_ARGS[@]} $role -- bash -l | ||
else | ||
aws-vault exec ${AWS_VAULT_ARGS[@]} $role -- $* | ||
fi | ||
} | ||
|
||
function assume-role() { | ||
aws_vault_assume_role $* | ||
} | ||
fi |
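Review bot: Both `aws-vault exec ${AWS_VAULT_ARGS[@]} $role -- $*` lines in the new aws_vault_assume_role pass the user's command through `$*`, which joins all arguments into one string and re-splits it on whitespace, so any argument containing a space or glob character reaches aws-vault mangled; the unquoted array and `$role` have the same problem. Write them as `aws-vault exec "${AWS_VAULT_ARGS[@]}" "$role" -- "$@"` (and `aws_vault_assume_role "$@"` in the `assume-role` wrapper), and declare `local role=${1:-${AWS_DEFAULT_PROFILE}}` so the name does not leak into the interactive shell. This file is evidently sourced rather than executed (it appends to PROMPT_HOOKS and defines shell functions), so the new `exit 1` in the "aws-vault not installed" branch will terminate the sourcing shell instead of just skipping the aws-vault setup; if that is not the intent, `return 1` is the safer choice. The `use-profile` backwards-compatibility alias appears on the old side only; if dropping it is intended, the commit message should say so.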
@@ -1,4 +1,4 @@ | ||
if [ -z "${AWS_VAULT}" ]; then | ||
if [ -z "${ASSUME_ROLE}" ]; then | ||
if [ -f "/etc/motd" ]; then | ||
cat "/etc/motd" | ||
fi | ||
|
@@ -1,5 +1,3 @@ | ||
if pidof syslog-ng >/dev/null; then | ||
echo "* syslog-ng is already running" | ||
else | ||
if ! pidof syslog-ng >/dev/null; then | ||
syslog-ng -f /etc/syslog-ng/syslog-ng.conf | ||
fi |