#!/usr/bin/env node
'use strict';
var AWS = require('aws-sdk');
var cp = require('child_process');
var fs = require('fs');
var ini = require('ini');
var path = require('path');
var bluebird = require('bluebird');
var promisify = bluebird.promisify;
var prompt = require('prompt');
// Both files are resolved under $HOME; path.join throws a TypeError when HOME
// is unset, so the script fails at startup instead of using a stray path.
var homeDirectory = process.env.HOME;
var CREDENTIALS_FILE = path.join(homeDirectory, '.aws/credentials');
var MFA_ID_FILE = path.join(homeDirectory, '.aws/mfa_id');
// Requested session lifetime: 36 hours, in seconds. A shorter value narrows the
// window in which a leaked cached session token stays usable.
var TOKEN_LIFETIME_SECONDS = 36 * 60 * 60;
// Parsed once at startup. storeCredentials() mutates this object and writes it
// back, so every section already in the file is carried over on rewrite.
var credentialsText = fs.readFileSync(CREDENTIALS_FILE, 'utf-8');
var credentialConfig = ini.parse(credentialsText);
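/*
 * Entry point: refresh the cached session credentials if needed, then run the
 * wrapped command. A failure anywhere in the chain (wrong MFA code, STS error,
 * unreadable MFA id file) is reported on stderr and turned into a non-zero exit
 * status, so callers and scripts do not mistake a failed refresh for success.
 * Only the error message is printed; no credential material is logged here.
 */
authenticateAws()
  .then(runCommandArgs)
  .catch(function (err) {
    console.error('aws-auth failed: ' + (err && err.message ? err.message : err));
    process.exitCode = 1;
  });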
/**
 * Makes sure the default profile holds usable session credentials.
 *
 * When the cached credentials are missing or expired, this prompts for an MFA
 * token, requests new session credentials and stores them. Otherwise it
 * resolves immediately without contacting AWS.
 *
 * @returns {Promise} settles once the credentials are in place.
 */
function authenticateAws() {
  console.log('Checking cached credentials...');
  if (!credentialsExpired()) {
    console.log('Credentials are still good.');
    return bluebird.resolve();
  }
  // Refresh path: MFA prompt -> STS session token -> rewrite credentials file.
  var refreshed = promptMfaToken()
    .then(getCredentials)
    .then(storeCredentials);
  return refreshed.then(function () {
    console.log('Credentials Updated.');
  });
}
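/**
 * Reports whether the cached default-profile credentials need refreshing.
 *
 * Reads the `expiration` value of the `default` section of the parsed
 * credentials file. The check fails closed: a missing, unparseable or past
 * expiration all count as expired. Previously an unparseable value produced an
 * Invalid Date whose comparison was always false, so a corrupted or hand-edited
 * entry was treated as valid and never refreshed.
 *
 * @returns {boolean} true when new credentials must be requested.
 */
function credentialsExpired() {
  var expiration = credentialConfig.default && credentialConfig.default.expiration;
  if (!expiration) {
    console.log('No credentials found');
    return true;
  }
  var expiresAt = new Date(expiration).getTime();
  if (isNaN(expiresAt)) {
    // getTime() is NaN for an Invalid Date; do not trust such an entry.
    console.log('Could not parse credential expiration "' + expiration + '"; refreshing');
    return true;
  }
  if (expiresAt < Date.now()) {
    console.log('Credentials expired on ' + expiration);
    return true;
  }
  return false;
}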
/**
 * Exchanges an MFA code for temporary session credentials via STS.
 *
 * The request is signed with the 'master' profile from the shared credentials
 * file. That profile is installed on the global AWS.config, so it stays the
 * SDK default for the rest of the process.
 *
 * @param {string} mfaKey - the current code from the MFA device.
 * @returns {Promise<Object>} resolves with the `Credentials` member of the
 *   getSessionToken response.
 */
function getCredentials(mfaKey) {
  var masterProfile = new AWS.SharedIniFileCredentials({ profile: 'master' });
  AWS.config.credentials = masterProfile;

  var sts = new AWS.STS();
  var request = {
    DurationSeconds: TOKEN_LIFETIME_SECONDS,
    SerialNumber: loadMfaIdentifier(),
    TokenCode: mfaKey,
  };
  // bind() keeps `this` pointing at the STS client once promisify wraps the method.
  var getSessionToken = promisify(sts.getSessionToken.bind(sts));

  return getSessionToken(request).then(function (response) {
    return response.Credentials;
  });
}
/**
 * Reads the MFA device identifier from MFA_ID_FILE.
 *
 * @returns {string} the file contents with surrounding whitespace removed.
 */
function loadMfaIdentifier() {
  var rawIdentifier = fs.readFileSync(MFA_ID_FILE, 'utf-8');
  return rawIdentifier.trim();
}
/**
 * Asks the user on the terminal for the current MFA code.
 *
 * @returns {Promise<string>} resolves with the value entered at the prompt.
 */
function promptMfaToken() {
  // The prompt label doubles as the key under which the answer is returned.
  var promptLabel = 'AWS MFA token';
  prompt.start();
  var ask = promisify(prompt.get);
  return ask(promptLabel).then(function (answers) {
    return answers[promptLabel];
  });
}
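/**
 * Runs the command given after the script name, if any, and mirrors its result.
 *
 * process.argv[2] is the program and the remaining arguments are passed as an
 * array, so no shell is involved and the arguments are not re-parsed.
 *
 * Two defects of the earlier version are fixed:
 *  - stdio was [0, 0, 0], which attached the child's stdout and stderr to this
 *    process's stdin descriptor; output redirection and pipes on the wrapper
 *    did not apply to the child. 'inherit' maps stdin/stdout/stderr one to one.
 *  - the spawn result was discarded, so a failing or missing command still
 *    left the wrapper exiting with status 0. The child's status is now
 *    propagated through process.exitCode.
 *
 * @returns {undefined}
 */
function runCommandArgs() {
  var command = process.argv[2];
  if (command === undefined) {
    return;
  }
  var result = cp.spawnSync(command, process.argv.slice(3), {
    stdio: 'inherit'
  });
  if (result.error) {
    // Spawn itself failed (for example the program does not exist).
    console.error('Could not run ' + command + ': ' + result.error.message);
    process.exitCode = 1;
  } else if (result.status === null) {
    // A null status means the child was ended by a signal.
    console.error(command + ' was terminated by ' + result.signal);
    process.exitCode = 1;
  } else {
    process.exitCode = result.status;
  }
}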
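/**
 * Writes the session credentials into the `default` section of the shared
 * credentials file and returns them unchanged.
 *
 * The `default` section is replaced wholesale; every other section of the
 * parsed file is written back as it was read.
 *
 * The file carries a secret access key and session token, so it is restricted
 * to its owner: the mode is applied when the file is created, and chmod
 * tightens a file that already exists with broader permissions (writeFileSync
 * alone keeps the existing mode). Previously no mode was enforced.
 *
 * @param {Object} credentials - STS credentials with AccessKeyId,
 *   SecretAccessKey, SessionToken and Expiration.
 * @returns {Object} the same credentials object.
 */
function storeCredentials(credentials) {
  // 0600 written via parseInt: strict mode rejects the legacy octal literal.
  var ownerOnly = parseInt('600', 8);
  credentialConfig.default = {};
  credentialConfig.default.aws_access_key_id = credentials.AccessKeyId;
  credentialConfig.default.aws_secret_access_key = credentials.SecretAccessKey;
  credentialConfig.default.aws_session_token = credentials.SessionToken;
  // Stored as text; credentialsExpired() parses it back with new Date().
  credentialConfig.default.expiration = credentials.Expiration.toString();
  fs.writeFileSync(CREDENTIALS_FILE, ini.stringify(credentialConfig), {
    mode: ownerOnly
  });
  fs.chmodSync(CREDENTIALS_FILE, ownerOnly);
  return credentials;
}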