Обновление ohmyzsh
This commit is contained in:
@@ -15,6 +15,13 @@ plugins=(... aws)
|
||||
It also sets `$AWS_EB_PROFILE` to `<profile>` for the Elastic Beanstalk CLI.
|
||||
Run `asp` without arguments to clear the profile.
|
||||
|
||||
* `acp [<profile>]`: in addition to `asp` functionality, it actually changes the profile by
|
||||
assuming the role specified in the `<profile>` configuration. It supports MFA and sets
|
||||
`$AWS_ACCESS_KEY_ID`, `$AWS_SECRET_ACCESS_KEY` and `$AWS_SESSION_TOKEN`, if obtained. It
|
||||
requires the roles to be configured as per the
|
||||
[official guide](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).
|
||||
Run `acp` without arguments to clear the profile.
|
||||
|
||||
* `agp`: gets the current value of `$AWS_PROFILE`.
|
||||
|
||||
* `aws_change_access_key`: changes the AWS access key of a profile.
|
||||
@@ -33,6 +40,36 @@ plugins=(... aws)
|
||||
The plugin creates an `aws_prompt_info` function that you can use in your theme, which displays
|
||||
the current `$AWS_PROFILE`. It uses two variables to control how that is shown:
|
||||
|
||||
- ZSH_THEME_AWS_PREFIX: sets the prefix of the AWS_PROFILE. Defaults to `<aws:`.
|
||||
* ZSH_THEME_AWS_PREFIX: sets the prefix of the AWS_PROFILE. Defaults to `<aws:`.
|
||||
|
||||
- ZSH_THEME_AWS_SUFFIX: sets the suffix of the AWS_PROFILE. Defaults to `>`.
|
||||
* ZSH_THEME_AWS_SUFFIX: sets the suffix of the AWS_PROFILE. Defaults to `>`.
|
||||
|
||||
## Configuration
|
||||
|
||||
[Configuration and credential file settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) by AWS
|
||||
|
||||
### Scenario: IAM roles with a source profile and MFA authentication
|
||||
|
||||
Source profile credentials in `~/.aws/credentials`:
|
||||
|
||||
```
|
||||
[source-profile-name]
|
||||
aws_access_key_id = ...
|
||||
aws_secret_access_key = ...
|
||||
```
|
||||
|
||||
Role configuration in `~/.aws/config`:
|
||||
|
||||
```
|
||||
[profile source-profile-name]
|
||||
mfa_serial = arn:aws:iam::111111111111:mfa/myuser
|
||||
region = us-east-1
|
||||
output = json
|
||||
|
||||
[profile profile-with-role]
|
||||
role_arn = arn:aws:iam::9999999999999:role/myrole
|
||||
mfa_serial = arn:aws:iam::111111111111:mfa/myuser
|
||||
source_profile = source-profile-name
|
||||
region = us-east-1
|
||||
output = json
|
||||
```
|
||||
|
||||
@@ -10,7 +10,8 @@ function asp() {
|
||||
return
|
||||
fi
|
||||
|
||||
local available_profiles=($(aws_profiles))
|
||||
local -a available_profiles
|
||||
available_profiles=($(aws_profiles))
|
||||
if [[ -z "${available_profiles[(r)$1]}" ]]; then
|
||||
echo "${fg[red]}Profile '$1' not found in '${AWS_CONFIG_FILE:-$HOME/.aws/config}'" >&2
|
||||
echo "Available profiles: ${(j:, :)available_profiles:-no profiles found}${reset_color}" >&2
|
||||
@@ -22,31 +23,131 @@ function asp() {
|
||||
export AWS_EB_PROFILE=$1
|
||||
}
|
||||
|
||||
# AWS profile switch
|
||||
function acp() {
|
||||
if [[ -z "$1" ]]; then
|
||||
unset AWS_DEFAULT_PROFILE AWS_PROFILE AWS_EB_PROFILE
|
||||
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
|
||||
echo AWS profile cleared.
|
||||
return
|
||||
fi
|
||||
|
||||
local -a available_profiles
|
||||
available_profiles=($(aws_profiles))
|
||||
if [[ -z "${available_profiles[(r)$1]}" ]]; then
|
||||
echo "${fg[red]}Profile '$1' not found in '${AWS_CONFIG_FILE:-$HOME/.aws/config}'" >&2
|
||||
echo "Available profiles: ${(j:, :)available_profiles:-no profiles found}${reset_color}" >&2
|
||||
return 1
|
||||
fi
|
||||
|
||||
local profile="$1"
|
||||
|
||||
# Get fallback credentials for if the aws command fails or no command is run
|
||||
local aws_access_key_id="$(aws configure get aws_access_key_id --profile $profile)"
|
||||
local aws_secret_access_key="$(aws configure get aws_secret_access_key --profile $profile)"
|
||||
local aws_session_token="$(aws configure get aws_session_token --profile $profile)"
|
||||
|
||||
|
||||
# First, if the profile has MFA configured, lets get the token and session duration
|
||||
local mfa_serial="$(aws configure get mfa_serial --profile $profile)"
|
||||
local sess_duration="$(aws configure get duration_seconds --profile $profile)"
|
||||
|
||||
if [[ -n "$mfa_serial" ]]; then
|
||||
local -a mfa_opt
|
||||
local mfa_token
|
||||
echo -n "Please enter your MFA token for $mfa_serial: "
|
||||
read -r mfa_token
|
||||
if [[ -z "$sess_duration" ]]; then
|
||||
echo -n "Please enter the session duration in seconds (900-43200; default: 3600, which is the default maximum for a role): "
|
||||
read -r sess_duration
|
||||
fi
|
||||
mfa_opt=(--serial-number "$mfa_serial" --token-code "$mfa_token" --duration-seconds "${sess_duration:-3600}")
|
||||
|
||||
# Now see whether we need to just MFA for the current role, or assume a different one
|
||||
local role_arn="$(aws configure get role_arn --profile $profile)"
|
||||
local sess_name="$(aws configure get role_session_name --profile $profile)"
|
||||
|
||||
if [[ -n "$role_arn" ]]; then
|
||||
# Means we need to assume a specified role
|
||||
aws_command=(aws sts assume-role --role-arn "$role_arn" "${mfa_opt[@]}")
|
||||
|
||||
# Check whether external_id is configured to use while assuming the role
|
||||
local external_id="$(aws configure get external_id --profile $profile)"
|
||||
if [[ -n "$external_id" ]]; then
|
||||
aws_command+=(--external-id "$external_id")
|
||||
fi
|
||||
|
||||
# Get source profile to use to assume role
|
||||
local source_profile="$(aws configure get source_profile --profile $profile)"
|
||||
if [[ -z "$sess_name" ]]; then
|
||||
sess_name="${source_profile:-profile}"
|
||||
fi
|
||||
aws_command+=(--profile="${source_profile:-profile}" --role-session-name "${sess_name}")
|
||||
|
||||
echo "Assuming role $role_arn using profile ${source_profile:-profile}"
|
||||
else
|
||||
# Means we only need to do MFA
|
||||
aws_command=(aws sts get-session-token --profile="$profile" "${mfa_opt[@]}")
|
||||
echo "Obtaining session token for profile $profile"
|
||||
fi
|
||||
|
||||
# Format output of aws command for easier processing
|
||||
aws_command+=(--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text)
|
||||
|
||||
# Run the aws command to obtain credentials
|
||||
local -a credentials
|
||||
credentials=(${(ps:\t:)"$(${aws_command[@]})"})
|
||||
|
||||
if [[ -n "$credentials" ]]; then
|
||||
aws_access_key_id="${credentials[1]}"
|
||||
aws_secret_access_key="${credentials[2]}"
|
||||
aws_session_token="${credentials[3]}"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Switch to AWS profile
|
||||
if [[ -n "${aws_access_key_id}" && -n "$aws_secret_access_key" ]]; then
|
||||
export AWS_DEFAULT_PROFILE="$profile"
|
||||
export AWS_PROFILE="$profile"
|
||||
export AWS_EB_PROFILE="$profile"
|
||||
export AWS_ACCESS_KEY_ID="$aws_access_key_id"
|
||||
export AWS_SECRET_ACCESS_KEY="$aws_secret_access_key"
|
||||
|
||||
if [[ -n "$aws_session_token" ]]; then
|
||||
export AWS_SESSION_TOKEN="$aws_session_token"
|
||||
else
|
||||
unset AWS_SESSION_TOKEN
|
||||
fi
|
||||
|
||||
echo "Switched to AWS Profile: $profile"
|
||||
fi
|
||||
}
|
||||
|
||||
function aws_change_access_key() {
|
||||
if [[ -z "$1" ]]; then
|
||||
echo "usage: $0 <profile>"
|
||||
return 1
|
||||
fi
|
||||
|
||||
echo Insert the credentials when asked.
|
||||
echo "Insert the credentials when asked."
|
||||
asp "$1" || return 1
|
||||
aws iam create-access-key
|
||||
aws configure --profile "$1"
|
||||
AWS_PAGER="" aws iam create-access-key
|
||||
AWS_PAGER="" aws configure --profile "$1"
|
||||
|
||||
echo You can now safely delete the old access key running \`aws iam delete-access-key --access-key-id ID\`
|
||||
echo Your current keys are:
|
||||
aws iam list-access-keys
|
||||
echo "You can now safely delete the old access key running \`aws iam delete-access-key --access-key-id ID\`"
|
||||
echo "Your current keys are:"
|
||||
AWS_PAGER="" aws iam list-access-keys
|
||||
}
|
||||
|
||||
function aws_profiles() {
|
||||
[[ -r "${AWS_CONFIG_FILE:-$HOME/.aws/config}" ]] || return 1
|
||||
grep '\[profile' "${AWS_CONFIG_FILE:-$HOME/.aws/config}"|sed -e 's/.*profile \([a-zA-Z0-9_\.-]*\).*/\1/'
|
||||
grep --color=never -Eo '\[.*\]' "${AWS_CONFIG_FILE:-$HOME/.aws/config}" | sed -E 's/^[[:space:]]*\[(profile)?[[:space:]]*([-_[:alnum:]\.@]+)\][[:space:]]*$/\2/g'
|
||||
}
|
||||
|
||||
function _aws_profiles() {
|
||||
reply=($(aws_profiles))
|
||||
}
|
||||
compctl -K _aws_profiles asp aws_change_access_key
|
||||
compctl -K _aws_profiles asp acp aws_change_access_key
|
||||
|
||||
# AWS prompt
|
||||
function aws_prompt_info() {
|
||||
@@ -54,43 +155,52 @@ function aws_prompt_info() {
|
||||
echo "${ZSH_THEME_AWS_PREFIX:=<aws:}${AWS_PROFILE}${ZSH_THEME_AWS_SUFFIX:=>}"
|
||||
}
|
||||
|
||||
if [ "$SHOW_AWS_PROMPT" != false ]; then
|
||||
if [[ "$SHOW_AWS_PROMPT" != false && "$RPROMPT" != *'$(aws_prompt_info)'* ]]; then
|
||||
RPROMPT='$(aws_prompt_info)'"$RPROMPT"
|
||||
fi
|
||||
|
||||
|
||||
# Load awscli completions
|
||||
|
||||
function _awscli-homebrew-installed() {
|
||||
# check if Homebrew is installed
|
||||
(( $+commands[brew] )) || return 1
|
||||
# AWS CLI v2 comes with its own autocompletion. Check if that is there, otherwise fall back
|
||||
if command -v aws_completer &> /dev/null; then
|
||||
autoload -Uz bashcompinit && bashcompinit
|
||||
complete -C aws_completer aws
|
||||
else
|
||||
function _awscli-homebrew-installed() {
|
||||
# check if Homebrew is installed
|
||||
(( $+commands[brew] )) || return 1
|
||||
|
||||
# speculatively check default brew prefix
|
||||
if [ -h /usr/local/opt/awscli ]; then
|
||||
_brew_prefix=/usr/local/opt/awscli
|
||||
else
|
||||
# ok, it is not in the default prefix
|
||||
# this call to brew is expensive (about 400 ms), so at least let's make it only once
|
||||
_brew_prefix=$(brew --prefix awscli)
|
||||
# speculatively check default brew prefix
|
||||
if [ -h /usr/local/opt/awscli ]; then
|
||||
_brew_prefix=/usr/local/opt/awscli
|
||||
else
|
||||
# ok, it is not in the default prefix
|
||||
# this call to brew is expensive (about 400 ms), so at least let's make it only once
|
||||
_brew_prefix=$(brew --prefix awscli)
|
||||
fi
|
||||
}
|
||||
|
||||
# get aws_zsh_completer.sh location from $PATH
|
||||
_aws_zsh_completer_path="$commands[aws_zsh_completer.sh]"
|
||||
|
||||
# otherwise check common locations
|
||||
if [[ -z $_aws_zsh_completer_path ]]; then
|
||||
# Homebrew
|
||||
if _awscli-homebrew-installed; then
|
||||
_aws_zsh_completer_path=$_brew_prefix/libexec/bin/aws_zsh_completer.sh
|
||||
# Ubuntu
|
||||
elif [[ -e /usr/share/zsh/vendor-completions/_awscli ]]; then
|
||||
_aws_zsh_completer_path=/usr/share/zsh/vendor-completions/_awscli
|
||||
# NixOS
|
||||
elif [[ -e "${commands[aws]:P:h:h}/share/zsh/site-functions/aws_zsh_completer.sh" ]]; then
|
||||
_aws_zsh_completer_path="${commands[aws]:P:h:h}/share/zsh/site-functions/aws_zsh_completer.sh"
|
||||
# RPM
|
||||
else
|
||||
_aws_zsh_completer_path=/usr/share/zsh/site-functions/aws_zsh_completer.sh
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# get aws_zsh_completer.sh location from $PATH
|
||||
_aws_zsh_completer_path="$commands[aws_zsh_completer.sh]"
|
||||
|
||||
# otherwise check common locations
|
||||
if [[ -z $_aws_zsh_completer_path ]]; then
|
||||
# Homebrew
|
||||
if _awscli-homebrew-installed; then
|
||||
_aws_zsh_completer_path=$_brew_prefix/libexec/bin/aws_zsh_completer.sh
|
||||
# Ubuntu
|
||||
elif [[ -e /usr/share/zsh/vendor-completions/_awscli ]]; then
|
||||
_aws_zsh_completer_path=/usr/share/zsh/vendor-completions/_awscli
|
||||
# RPM
|
||||
else
|
||||
_aws_zsh_completer_path=/usr/share/zsh/site-functions/aws_zsh_completer.sh
|
||||
fi
|
||||
[[ -r $_aws_zsh_completer_path ]] && source $_aws_zsh_completer_path
|
||||
unset _aws_zsh_completer_path _brew_prefix
|
||||
fi
|
||||
|
||||
[[ -r $_aws_zsh_completer_path ]] && source $_aws_zsh_completer_path
|
||||
unset _aws_zsh_completer_path _brew_prefix
|
||||
|
||||
Reference in New Issue
Block a user