Fetch MFA Creds

fetch_mfa_creds.sh

#!/usr/bin/env bash
# =============================================================================
# fetch_aws_mfa_creds.sh
# Fetches temporary AWS session credentials using an MFA token and stores
# them under a dedicated [mfa] profile in ~/.aws/credentials.
#
# Usage:
#   ./fetch_aws_mfa_creds.sh <6-digit MFA token>
#
# Prerequisites:
#   - AWS CLI v2  (https://aws.amazon.com/cli/)
#   - jq          (https://stedolan.github.io/jq/)
#   - A [default] profile already configured via `aws configure`
#   - MFA device enabled on your AWS account
# =============================================================================

set -euo pipefail

# ---------------------------------------------------------------------------
# Configuration — update AWS_MFA_CONFIG with your MFA device ARN
# e.g. arn:aws:iam::123456789012:mfa/your.username
# ---------------------------------------------------------------------------
AWS_SRC_PROFILE="default"
AWS_DEST_PROFILE="mfa"
AWS_MFA_CONFIG="<arn-of-your-mfa-device>"   # ← replace this value
SESSION_DURATION=129600                      # 36 hours (max for IAM users)

# ---------------------------------------------------------------------------
# Input validation
# ---------------------------------------------------------------------------
if [[ $# -ne 1 ]]; then
  echo "Usage: $0 <MFA token code>"
  echo "Example: $0 123456"
  exit 1
fi

AWS_MFA_TOKEN="$1"

if [[ ! "$AWS_MFA_TOKEN" =~ ^[0-9]{6}$ ]]; then
  echo "Error: MFA token must be exactly 6 digits (got: '$AWS_MFA_TOKEN')"
  exit 1
fi

if [[ "$AWS_MFA_CONFIG" == "<arn-of-your-mfa-device>" ]]; then
  echo "Error: Please update AWS_MFA_CONFIG in this script with your MFA device ARN."
  exit 1
fi

# ---------------------------------------------------------------------------
# Dependency check
# ---------------------------------------------------------------------------
for cmd in aws jq; do
  if ! command -v "$cmd" &>/dev/null; then
    echo "Error: '$cmd' is not installed or not on PATH."
    exit 1
  fi
done

# ---------------------------------------------------------------------------
# Request temporary credentials from STS
# ---------------------------------------------------------------------------
echo "Requesting session token from AWS STS..."

CREDS_JSON=$(aws --profile "${AWS_SRC_PROFILE}" sts get-session-token \
  --duration-seconds "${SESSION_DURATION}" \
  --serial-number    "${AWS_MFA_CONFIG}" \
  --token-code       "${AWS_MFA_TOKEN}")

# Parse credential fields
TMP_ACCESS_KEY_ID=$(echo "$CREDS_JSON"     | jq -r '.Credentials.AccessKeyId')
TMP_SECRET_ACCESS_KEY=$(echo "$CREDS_JSON" | jq -r '.Credentials.SecretAccessKey')
TMP_SESSION_TOKEN=$(echo "$CREDS_JSON"     | jq -r '.Credentials.SessionToken')
EXPIRATION=$(echo "$CREDS_JSON"            | jq -r '.Credentials.Expiration')

# ---------------------------------------------------------------------------
# Write credentials to the [mfa] profile
# ---------------------------------------------------------------------------
echo "Writing credentials to AWS profile: [${AWS_DEST_PROFILE}]..."

aws configure set aws_access_key_id     "${TMP_ACCESS_KEY_ID}"     --profile "${AWS_DEST_PROFILE}"
aws configure set aws_secret_access_key "${TMP_SECRET_ACCESS_KEY}" --profile "${AWS_DEST_PROFILE}"
aws configure set aws_session_token     "${TMP_SESSION_TOKEN}"     --profile "${AWS_DEST_PROFILE}"

echo "✅ Credentials written. They expire at: ${EXPIRATION}"
echo ""

# ---------------------------------------------------------------------------
# Smoke test — list S3 buckets to confirm credentials are working
# Remove or comment out the lines below if not needed
# ---------------------------------------------------------------------------
echo "Running smoke test (aws s3 ls --profile ${AWS_DEST_PROFILE})..."
aws s3 ls --profile "${AWS_DEST_PROFILE}" && \
  echo "✅ Smoke test passed." || \
  echo "⚠️  Smoke test failed — credentials were saved but S3 list returned an error."