-
Notifications
You must be signed in to change notification settings - Fork 5
/
aks.sh
executable file
·328 lines (317 loc) · 8.38 KB
/
aks.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
#
# aks - AWS Key Switcher
#
# ATonns Fri Jun 1 15:47:00 EDT 2012
#
# Copyright 2012 Corsis
# http://www.corsis.com/
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
if [ -z "$AWS_DIR" ]
then
export AWS_DIR="$HOME/aws"
fi
AWS_ACCOUNT="(none)"
# script that sets up paths to AWS CLI tools
if [ -f $AWS_DIR/global.sh ]
then
source $AWS_DIR/global.sh
fi
# function to create all key files for authenticating with AWS
unset -f _aks_create_auth_info
_aks_create_auth_info()
{
_aks_process_auth_info create $*
}
# function to import all key files for authenticating with AWS
unset -f _aks_import_auth_info
_aks_import_auth_info()
{
_aks_process_auth_info import $*
}
# internal function to process all key info for authenticating with AWS
unset -f _aks_process_auth_info
_aks_process_auth_info()
{
# args
local AKS_OPER AWS_DIR AWS_ACCOUNT EC2_ID EC2_ACCESS EC2_SECRET
local EC2_PRIVATE_KEY EC2_CERT OLD_EC2_PRIVATE_KEY OLD_EC2_CERT
AKS_OPER=$1 && shift
AWS_DIR=$1 && shift
AWS_ACCOUNT=$1 && shift
EC2_ID=$1 && shift
EC2_ACCESS=$1 && shift
EC2_SECRET=$1 && shift
if [ "$AKS_OPER" = "import" ]
then
OLD_EC2_PRIVATE_KEY=$1 && shift
OLD_EC2_CERT=$1 && shift
fi
EC2_PRIVATE_KEY="pk-$AWS_ACCOUNT.pem"
EC2_CERT="cert-$AWS_ACCOUNT.pem"
# per-account directory
mkdir -pm 0700 $AWS_DIR/auth/$AWS_ACCOUNT
pushd $AWS_DIR/auth/$AWS_ACCOUNT > /dev/null
# signing cert
if [ "$AKS_OPER" = "create" ]
then
# signing certificate
SUBJ="/C=''/ST=''/L=''/O=''/OU=''/CN='$AWS_ACCOUNT'"
# create a 2048 bit key
openssl genrsa -out pk-$AWS_ACCOUNT-rsa.pem 2048 2> /dev/null
# convert to pkcs8 format for amazon
openssl pkcs8 -topk8 -in pk-$AWS_ACCOUNT-rsa.pem -nocrypt > $EC2_PRIVATE_KEY
# ~10 year expiration
openssl req -new -subj $SUBJ -x509 -key pk-$AWS_ACCOUNT-rsa.pem -out $EC2_CERT -days 3650
# remove old rsa key
rm -f pk-$AWS_ACCOUNT-rsa.pem
elif [ "$AKS_OPER" = "import" ]
then
cp -p $OLD_EC2_PRIVATE_KEY $EC2_PRIVATE_KEY
cp -p $OLD_EC2_CERT $EC2_CERT
fi
chmod 400 $EC2_PRIVATE_KEY
chmod 400 $EC2_CERT
# cred file
(
echo "AWSAccessKeyId=$EC2_ACCESS"
echo "AWSSecretKey=$EC2_SECRET"
) > $AWS_ACCOUNT.cred
chmod 400 $AWS_ACCOUNT.cred
# s3cfg file
(
echo "access_key = $EC2_ACCESS"
echo "secret_key = $EC2_SECRET"
) > $AWS_ACCOUNT.s3cfg
chmod 600 $AWS_ACCOUNT.s3cfg
# .s3curl file
cat > .s3curl << EOF
%awsSecretAccessKeys = (
$AWS_ACCOUNT => {
id => '$EC2_ACCESS',
key => '$EC2_SECRET',
},
);
EOF
chmod 600 .s3curl
ln -s ../../tools/s3-curl/s3curl.pl
# env file
(
echo "export EC2_ID=$EC2_ID";
echo "export EC2_ACCESS=$EC2_ACCESS";
echo "export EC2_SECRET=$EC2_SECRET";
echo "export EC2_PRIVATE_KEY=\$AWS_DIR/auth/$AWS_ACCOUNT/pk-$AWS_ACCOUNT.pem";
echo "export EC2_CERT=\$AWS_DIR/auth/$AWS_ACCOUNT/cert-$AWS_ACCOUNT.pem";
echo "export AWS_CREDENTIAL_FILE=\$AWS_DIR/auth/$AWS_ACCOUNT/$AWS_ACCOUNT.cred"
echo "alias s3cmd='s3cmd --config=\$AWS_DIR/auth/$AWS_ACCOUNT/$AWS_ACCOUNT.s3cfg'"
echo "export EC2_ACCESS_KEY=$EC2_ACCESS";
echo "export EC2_SECRET_KEY=$EC2_SECRET";
echo "export AWS_ACCESS_KEY_ID=$EC2_ACCESS";
echo "export AWS_ACCESS_SECRET_KEY=$EC2_SECRET";
echo "export AWS_SECRET_ACCESS_KEY=$EC2_SECRET";
echo "export AWS_DEFAULT_REGION=us-east-1";
echo "alias s3curl.pl='$AWS_DIR/auth/$AWS_ACCOUNT/s3curl.pl --id=$AWS_ACCOUNT'";
) > $AWS_ACCOUNT-env.sh
chmod 500 $AWS_ACCOUNT-env.sh
popd > /dev/null
}
unset -f aks
aks()
{
case "$1" in
create)
TARGET_AWS_ACCOUNT="$2"
if [ "$TARGET_AWS_ACCOUNT" = "" ]
then
echo "error, must provide account name to create"
unset TARGET_AWS_ACCOUNT
return 1
fi
if [ -d "$AWS_DIR/auth/$TARGET_AWS_ACCOUNT" ]
then
echo "error, account '$TARGET_AWS_ACCOUNT' already exists"
unset TARGET_AWS_ACCOUNT
return 1
fi
echo "new account will be '$TARGET_AWS_ACCOUNT'"
TARGET_EC2_ID=""
while [ -z $TARGET_EC2_ID ]
do
echo "enter EC2 account id [5th field of IAM User ARN]:"
read TARGET_EC2_ID
# ToDo - add error checking here
done
TARGET_EC2_ACCESS=""
while [ -z $TARGET_EC2_ACCESS ]
do
echo "enter EC2 access key:"
read TARGET_EC2_ACCESS
# ToDo - add error checking here
done
TARGET_EC2_SECRET=""
while [ -z $TARGET_EC2_SECRET ]
do
echo "enter EC2 secret key:"
read TARGET_EC2_SECRET
# ToDo - add error checking here
done
EC2_ID="$TARGET_EC2_ID"
EC2_ACCESS="$TARGET_EC2_ACCESS"
EC2_SECRET="$TARGET_EC2_SECRET"
AWS_ACCOUNT="$TARGET_AWS_ACCOUNT"
_aks_create_auth_info $AWS_DIR $AWS_ACCOUNT $EC2_ID $EC2_ACCESS $EC2_SECRET
echo "your new singing certificate [copy/paste into IAM Signing Certificates]:"
cat $AWS_DIR/auth/$AWS_ACCOUNT/cert-$AWS_ACCOUNT.pem
aks use $AWS_ACCOUNT
unset TARGET_AWS_ACCOUNT
return 0
;;
id)
if [ "$AWS_ACCOUNT" != "(none)" ]
then
echo "current account is '$AWS_ACCOUNT'"
return 0
else
echo "no current account"
return 1
fi
;;
import)
TARGET_AWS_ACCOUNT="$2"
if [ "$TARGET_AWS_ACCOUNT" = "" ]
then
echo "error, must provide account name to import"
unset TARGET_AWS_ACCOUNT
return 1
fi
if [ -d "$AWS_DIR/auth/$TARGET_AWS_ACCOUNT" ]
then
echo "error, account '$TARGET_AWS_ACCOUNT' already exists"
unset TARGET_AWS_ACCOUNT
return 1
fi
echo "imported account will be '$TARGET_AWS_ACCOUNT'"
if [ "$EC2_ID" = "" ]
then
echo "error, environment varible EC2_ID is missing"
unset TARGET_AWS_ACCOUNT
return 1
fi
if [ "$EC2_ACCESS" = "" ]
then
echo "error, environment varible EC2_ACCESS is missing"
unset TARGET_AWS_ACCOUNT
return 1
fi
if [ "$EC2_SECRET" = "" ]
then
echo "error, environment varible EC2_SECRET is missing"
unset TARGET_AWS_ACCOUNT
return 1
fi
if [ "$EC2_PRIVATE_KEY" = "" ]
then
echo "error, environment varible EC2_PRIVATE_KEY is missing"
unset TARGET_AWS_ACCOUNT
return 1
fi
if [ "$EC2_CERT" = "" ]
then
echo "error, environment varible EC2_CERT is missing"
unset TARGET_AWS_ACCOUNT
return 1
fi
AWS_ACCOUNT="$TARGET_AWS_ACCOUNT"
_aks_import_auth_info $AWS_DIR $AWS_ACCOUNT $EC2_ID $EC2_ACCESS $EC2_SECRET $EC2_PRIVATE_KEY $EC2_CERT
echo "imported info for account '$AWS_ACCOUNT'"
aks use $AWS_ACCOUNT
unset TARGET_AWS_ACCOUNT
return 0
;;
list)
echo "current available accounts are:"
ls -1 $AWS_DIR/auth
return 0
;;
use)
TARGET_AWS_ACCOUNT="$2"
if [ "$TARGET_AWS_ACCOUNT" = "" ]
then
echo "error, must provide account name to use. account not switched"
unset TARGET_AWS_ACCOUNT
return 1
fi
if [ -f "$AWS_DIR/auth/$TARGET_AWS_ACCOUNT/$TARGET_AWS_ACCOUNT-env.sh" ]
then
AWS_ACCOUNT="$TARGET_AWS_ACCOUNT"
source $AWS_DIR/auth/$AWS_ACCOUNT/$AWS_ACCOUNT-env.sh
echo "switched to account '$AWS_ACCOUNT'"
unset TARGET_AWS_ACCOUNT
return 0
else
echo "error, can't find '$AWS_DIR/auth/$TARGET_AWS_ACCOUNT/$TARGET_AWS_ACCOUNT-env.sh'"
unset TARGET_AWS_ACCOUNT
return 1
fi
;;
*)
echo "unknown arg: '$1'"
echo "usage:"
echo " aks create [newaccountname]"
echo " aks id"
echo " aks import [newaccountname]"
echo " aks list"
echo " aks use [accountname]"
return 1
;;
esac
}
unset -f _aks_complete
_aks_complete()
{
local CURRENT PREVIOUS OPTIONS
COMPREPLY=()
CURRENT="${COMP_WORDS[COMP_CWORD]}"
PREVIOUS="${COMP_WORDS[COMP_CWORD-1]}"
OPTIONS="create id import list use"
# each subdir is a 'known' account
local ACCOUNTS=$(ls -1 $AWS_DIR/auth)
case "${PREVIOUS}" in
create)
# no args
COMPREPLY=()
return 0
;;
id)
# no args
COMPREPLY=()
return 0
;;
list)
# no args
COMPREPLY=()
return 0
;;
use)
COMPREPLY=( $(compgen -W "${ACCOUNTS}" -- ${CURRENT}) )
return 0
;;
*)
;;
esac
# if there's no previous arg, present available options
COMPREPLY=($(compgen -W "${OPTIONS}" -- ${CURRENT}))
return 0
}
complete -F _aks_complete aks