diff --git a/README.md b/README.md
index 0aed8a3..d8e37ff 100644
--- a/README.md
+++ b/README.md
@@ -92,6 +92,13 @@ This solution will use the following mapping for those special characters when c
 So instead of `name@email.com` you will need to use `name.at.email.com` when login via SSH.
+
+Optionally, set `STRIP_EMAILS_FROM_USERNAME=1` in the config file, in which case `user.name@email.com` will become simply `user.name`.
+
+Note that to reverse-engineer the remainder of the username, we look up the IAM users via the cli. This means usernames must be unique, exclusive of the email domain.
+E.g. `my.user@email.com` and `my.user@anotherEmail.com` will not be differentiated and will not be able to use this method.
+
+
 Linux user names may only be up to 32 characters long.
 ## Configuration
diff --git a/authorized_keys_command.sh b/authorized_keys_command.sh
index 7763507..84fa7d2 100755
--- a/authorized_keys_command.sh
+++ b/authorized_keys_command.sh
@@ -33,12 +33,34 @@ then
 export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN
 fi
-UnsaveUserName="$1"
-UnsaveUserName=${UnsaveUserName//".plus."/"+"}
-UnsaveUserName=${UnsaveUserName//".equal."/"="}
-UnsaveUserName=${UnsaveUserName//".comma."/","}
-UnsaveUserName=${UnsaveUserName//".at."/"@"}
-
-aws iam list-ssh-public-keys --user-name "$UnsaveUserName" --query "SSHPublicKeys[?Status == 'Active'].[SSHPublicKeyId]" --output text | while read -r KeyId; do
- aws iam get-ssh-public-key --user-name "$UnsaveUserName" --ssh-public-key-id "$KeyId" --encoding SSH --query "SSHPublicKey.SSHPublicKeyBody" --output text
-done
+raw_username="$1"
+raw_username=${raw_username//".plus."/"+"}
+raw_username=${raw_username//".equal."/"="}
+raw_username=${raw_username//".comma."/","}
+
+if [ "${STRIP_EMAILS_FROM_USERNAME}" -eq 1 ]; then
+ list_users=$(aws iam list-users --max-items 50 --output text)
+ token=$(echo "$list_users" | grep ^NEXTTOKEN| awk '{print $2}')
+ all_users=$(echo "$list_users" | grep ^USERS | awk '{print $2}' | cut -d"/" -f2)
+
+ while [ -n "$token" ]; do
+ list_users=$(aws iam list-users --max-items 50 --starting-token $token --output text)
+ token=$(echo "$list_users" | grep ^NEXTTOKEN| awk '{print $2}')
+ new_users=$(echo "$list_users" | grep ^USERS | awk '{print $2}' | cut -d"/" -f2)
+ all_users="${all_users}"$'\n'"${new_users}"
+ done
+
+ iam_username=$(echo "$all_users" | fgrep "$raw_username@")
+
+ if [ $(echo "${iam_username}" | wc -w) -gt 1 ]; then
+ echo "Multiple IAM users matched: - exiting!"
+ echo "${iam_username}"
+ exit 2
+ fi
+else
+ iam_username=${raw_username//".at."/"@"}
+fi
+
+aws iam list-ssh-public-keys --user-name "${iam_username}" --query "SSHPublicKeys[?Status == 'Active'].[SSHPublicKeyId]" --output text | while read -r KeyId; do
+ aws iam get-ssh-public-key --user-name "${iam_username}" --ssh-public-key-id "$KeyId" --encoding SSH --query "SSHPublicKey.SSHPublicKeyBody" --output text
+done
\ No newline at end of file
diff --git a/import_users.sh b/import_users.sh
index 8efda08..4dd8a18 100755
--- a/import_users.sh
+++ b/import_users.sh
@@ -220,7 +220,11 @@ function clean_iam_username() {
 clean_username=${clean_username//"+"/".plus."}
 clean_username=${clean_username//"="/".equal."}
 clean_username=${clean_username//","/".comma."}
- clean_username=${clean_username//"@"/".at."}
+ if [ "${STRIP_EMAILS_FROM_USERNAME}" -eq 1 ]; then
+ clean_username=${clean_username%%@*}
+ else
+ clean_username=${clean_username//"@"/".at."}
+ fi
 echo "${clean_username}"
 }
@@ -234,9 +238,6 @@ function sync_accounts() {
 # Check if local marker group exists, if not, create it
 /usr/bin/getent group "${LOCAL_MARKER_GROUP}" >/dev/null 2>&1 || /usr/sbin/groupadd "${LOCAL_MARKER_GROUP}"
- # setup the aws credentials if needed
- setup_aws_credentials
-
 # declare and set some variables
 local iam_users
 local sudo_users
@@ -249,6 +250,9 @@ function sync_accounts() {
 get_iam_groups_from_tag
 get_sudoers_groups_from_tag
+ # setup the aws credentials if needed
+ setup_aws_credentials
+
 iam_users=$(get_clean_iam_users | sort | uniq)
 sudo_users=$(get_clean_sudoers_users | sort | uniq)
 local_users=$(get_local_users | sort | uniq)
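Review bot: The lookup `iam_username=$(echo "$all_users" | fgrep "$raw_username@")` is an unanchored substring match on the login name that sshd hands the script as `$1`, so a login of `user` also matches an IAM user named `my.user@email.com`, and when that is the only match the keys of a different identity are returned for that local account; the comparison should be anchored to the start of the line, as in the rewrite below, which also covers the zero-match case that currently falls through to `list-ssh-public-keys --user-name ""`. The diagnostics in the same branch go to stdout, which is the stream sshd parses as key material; they belong on stderr (`>&2`). `[ "${STRIP_EMAILS_FROM_USERNAME}" -eq 1 ]` prints "integer expression expected" on every run where the option is not set in the config file; `[ "${STRIP_EMAILS_FROM_USERNAME:-0}" -eq 1 ]` avoids that, and the same test appears in the clean_iam_username hunk of import_users.sh. Separately, `awk '{print $2}' | cut -d"/" -f2` takes the user name from the ARN and yields the first path segment rather than the name for IAM users created under a non-root path; `--query 'Users[].UserName'` returns the names directly, and without `--max-items` the CLI pages through the result itself.
```shell
if [ "${STRIP_EMAILS_FROM_USERNAME:-0}" -eq 1 ]; then
  # … unchanged: paginated aws iam list-users into all_users …

  # Anchor the comparison: the login name must be the whole local part of the
  # IAM user name, not a substring of it. index() is a literal match, so no
  # regex metacharacters in the name are interpreted.
  iam_username=$(printf '%s\n' "$all_users" | awk -v u="${raw_username}@" 'index($0, u) == 1')

  if [ -z "${iam_username}" ]; then
    echo "No IAM user matched ${raw_username}@ - exiting!" >&2
    exit 2
  fi
  if [ "$(printf '%s\n' "${iam_username}" | wc -l)" -gt 1 ]; then
    echo "Multiple IAM users matched: - exiting!" >&2
    echo "${iam_username}" >&2
    exit 2
  fi
else
  # … unchanged: .at. de-escaping …
fi
```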
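Review bot: `clean_username=${clean_username%%@*}` makes two IAM users whose names differ only in the mail domain (the README's `my.user@email.com` / `my.user@anotherEmail.com`) produce the same local account name, and nothing here or in the `get_clean_iam_users | sort | uniq` line of sync_accounts reports that; the collision would only surface later when authorized_keys_command.sh refuses the login with "Multiple IAM users matched", presumably after the local account has already been created from whichever IAM user was processed. A `uniq -d` pass over the cleaned names that logs the duplicates to stderr would let an operator see the conflict at sync time rather than as an unexplained failed login. clean_iam_username's body starts outside the hunk.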