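#!/usr/bin/env bash
# Obtain short-lived AWS credentials through Okta (tokendito + a TOTP from
# mintotp) and hand them to the rest of the GitHub Actions job via $GITHUB_ENV,
# masking each secret in the job log before it is exported.
#
# Environment read:
#   HOME, GITHUB_ENV, INPUT_OKTA_APP_URL, INPUT_AWS_ROLE_ARN,
#   INPUT_OKTA_USERNAME, INPUT_OKTA_PASSWORD, INPUT_OKTA_MFA_SEED,
#   INPUT_OKTA_MFA_METHOD (optional, defaults to token:software:totp)
# Files:
#   writes a temporary tokendito config (removed on exit);
#   reads ${HOME}/.aws/credentials after tokendito has populated it
# Exit status: 0 when the credentials were exported, 1 on any failure
#   (error text goes to stderr).
set -euo pipefail

readonly max_attempts=10
# TOTP step in seconds: passed to mintotp and also used as the retry back-off,
# so a fresh code exists on the next attempt.
readonly totp_time=30
readonly totp_error='Each code can only be used once. Please wait for a new code and try again.'
# can happen if the same token is used more than once (2 or more workflows requesting it around same time)
readonly mfa_token_error=$'KeyError: \'sessionToken\''

awsDir="${HOME}/.aws"
config="$(mktemp)"
credentials="${awsDir}/credentials"
# Delete the temporary file when this script finishes running, is interrupted, or exits abnormally
trap 'rm -f -- "$config"' EXIT INT QUIT TERM

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print a fresh TOTP code for the configured seed.
# Globals:  INPUT_OKTA_MFA_SEED, totp_time (read)
# Outputs:  the code on stdout
# Returns:  mintotp's exit status
#######################################
mfa_code() {
  printf '%s\n' "$INPUT_OKTA_MFA_SEED" | mintotp "$totp_time"
}

#######################################
# Run tokendito once. Its stdout is discarded; its stderr is printed on this
# function's stdout so the caller can capture it and decide whether the
# failure is worth retrying.
# Globals:  config, INPUT_* (read); INPUT_OKTA_MFA_METHOD (defaulted if unset)
# Returns:  mintotp's status if no code could be generated, else tokendito's
#######################################
request_credentials() {
  local code
  code=$(mfa_code) || return
  # NOTE(review): the password and the one-time code are passed on tokendito's
  # argv and are therefore visible in the process table to other processes on
  # the runner, as in the original script. Prefer a non-argv channel if
  # tokendito offers one.
  tokendito --config-file "$config" --aws-profile default \
    -ou "$INPUT_OKTA_APP_URL" -R "$INPUT_AWS_ROLE_ARN" \
    --username "$INPUT_OKTA_USERNAME" --password "$INPUT_OKTA_PASSWORD" \
    --mfa-method "${INPUT_OKTA_MFA_METHOD:=token:software:totp}" \
    --mfa-response "$code" 2>&1 1>/dev/null
}

#######################################
# Strip leading and trailing whitespace from $1 and print the result.
# Arguments: $1 - string
# Outputs:   trimmed string on stdout (no trailing newline)
#######################################
trim() {
  local s=$1
  s=${s#"${s%%[![:space:]]*}"}
  s=${s%"${s##*[![:space:]]}"}
  printf '%s' "$s"
}

#######################################
# Mask a secret in the job log, then publish it to later steps.
# Masking is issued before the value is written anywhere else so it can never
# appear unmasked in the log.
# Globals:   GITHUB_ENV (read)
# Arguments: $1 - environment variable name; $2 - secret value
#######################################
export_secret() {
  local name=$1 value=$2
  printf '::add-mask::%s\n' "$value"
  printf '%s=%s\n' "$name" "$value" >>"$GITHUB_ENV"
}

#######################################
# Retry tokendito until it succeeds, a non-retryable error occurs, or
# max_attempts is exhausted. Only the two "code already used" errors are
# retried, after waiting one TOTP step.
# Globals:  max_attempts, totp_time, totp_error, mfa_token_error (read)
# Returns:  0 on success; exits 1 otherwise
#######################################
acquire_credentials() {
  local attempt t_error obtained=0
  for ((attempt = 1; attempt <= max_attempts; attempt++)); do
    printf '%s\n' "Requesting AWS credentials via Tokendito."
    if t_error=$(request_credentials); then
      printf '%s\n' "Succeeded getting credentials in attempt #${attempt}."
      obtained=1
      break
    fi
    case "$t_error" in
      *"$totp_error"* | *"$mfa_token_error"*)
        # NOTE(review): tokendito's stderr is echoed verbatim into the job log;
        # confirm it never contains request bodies or credentials.
        printf '%s\n' "Attempt #${attempt} => ERROR: ${t_error}"
        printf '\n\nWaiting %s seconds before retrying...\n\n' "$totp_time"
        sleep "$totp_time"
        ;;
      *)
        die "$t_error"
        ;;
    esac
  done
  (( obtained )) || die "Giving up requesting credentials after ${max_attempts} attempts."
}

#######################################
# Parse the INI-style credentials file and export the three AWS values found
# in the [default] section. Section headers are matched with a capture group
# (tolerates surrounding whitespace); values are everything after the first
# '=' with whitespace trimmed, so "key=value" without spaces also works.
# Globals:  credentials (read)
#######################################
export_credentials() {
  local line section= key value
  while IFS= read -r line || [[ -n "$line" ]]; do
    # Get section we are currently in
    if [[ "$line" =~ ^[[:space:]]*\[([-_.a-zA-Z0-9]+)\][[:space:]]*$ ]]; then
      section=${BASH_REMATCH[1]}
      continue
    fi
    [[ "$section" == default ]] || continue
    [[ "$line" =~ ^[[:space:]]*([A-Za-z0-9_]+)[[:space:]]*=(.*)$ ]] || continue
    key=${BASH_REMATCH[1]}
    value=$(trim "${BASH_REMATCH[2]}")
    case "$key" in
      aws_access_key_id) export_secret AWS_ACCESS_KEY_ID "$value" ;;
      aws_secret_access_key) export_secret AWS_SECRET_ACCESS_KEY "$value" ;;
      aws_session_token) export_secret AWS_SESSION_TOKEN "$value" ;;
    esac
  done <"$credentials"
}

main() {
  mkdir -p "$awsDir"
  printf '[profile default]\noutput = json\n' >"$config"
  # Attempt to get aws credentials via tokendito
  acquire_credentials
  # Read credentials
  export_credentials
}

main "$@"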