@rantoniuk
Last active April 30, 2021 14:15
AWS
```bash
MFA_ARN="XXX"        # ARN of the MFA device
ASSUMED_ROLE="XXX"   # ARN of the role to assume
set -e
# Clear any credentials already exported in this shell
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
unset AWS_PROFILE
# Read the current OATH code for the "aws" account from the YubiKey
OTP=$(ykman oath code aws -s)
# Assume the role with MFA and keep only the Credentials object
credentials=$(aws sts assume-role --role-arn "$ASSUMED_ROLE" --role-session-name "$USER-session" --query 'Credentials' --serial-number "$MFA_ARN" --token-code "$OTP")
export AWS_ACCESS_KEY_ID=$(echo "$credentials" | jq --raw-output '.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$credentials" | jq --raw-output '.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$credentials" | jq --raw-output '.SessionToken')
export AWS_PROFILE=PROFILE-NAME
set +e
```

Find and delete all artifacts with beta in the version:

```bash
# -r makes jq print bare version strings instead of JSON-quoted ones
V=$(aws codeartifact list-package-versions --repo "$repo" --package "$package" --format "$format" --domain "$domain" --namespace "$namespace" | jq -r '.versions | map(select(.version | contains("beta"))) | .[] .version' | tr "\n" " ")

# $V is left unquoted on purpose: each version must become its own argument
aws codeartifact delete-package-versions --repo "$repo" --package "$package" --format npm --domain "$domain" --namespace "$namespace" --versions $V
```
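A stricter selection for the deletion above, as an added example that is not part of the original gist: `contains("beta")` matches the substring anywhere in the version, so this sketch parses the version as SemVer and keeps only those whose first prerelease identifier is exactly `beta`, and refuses to build a delete call from an empty selection. The sample listing and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample of `aws codeartifact list-package-versions` output
# (only the fields used here; not taken from a real repository).
SAMPLE_LISTING = json.dumps({
    "package": "demo-lib",
    "versions": [
        {"version": "1.4.0", "status": "Published"},
        {"version": "1.5.0-beta.1", "status": "Published"},
        {"version": "1.5.0-beta.2", "status": "Unlisted"},
        {"version": "2.0.0-alphabeta.3", "status": "Published"},
        {"version": "2.0.0-rc.1+beta", "status": "Published"},
    ],
})

# SemVer: MAJOR.MINOR.PATCH, optional -prerelease, optional +build metadata.
SEMVER = re.compile(
    r"^\d+\.\d+\.\d+(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def select_prerelease(listing_json, tag="beta"):
    """Return versions whose first prerelease identifier is exactly `tag`."""
    selected = []
    for entry in json.loads(listing_json).get("versions", []):
        match = SEMVER.match(entry["version"])
        # Skip releases (no prerelease part) and anything that is not SemVer.
        if match and match.group("pre"):
            if match.group("pre").split(".")[0] == tag:
                selected.append(entry["version"])
    return selected


def delete_args(versions):
    """Build the --versions arguments, refusing an empty selection."""
    if not versions:
        raise ValueError("no versions selected; refusing to call delete-package-versions")
    return ["--versions", *versions]


if __name__ == "__main__":
    # Print what would be passed to the CLI so it can be reviewed first.
    print(" ".join(delete_args(select_prerelease(SAMPLE_LISTING))))
```

On the sample, the substring filter would have selected four versions; the prerelease match selects two.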

```python
import logging
import os

import boto3

logger = logging.getLogger()
logger.setLevel(logging.INFO)


def lambda_handler(event, context):
    # Assume the cross-account role named in ROLE_ARN
    sts_connection = boto3.client('sts')
    acct_b = sts_connection.assume_role(
        RoleArn=os.environ['ROLE_ARN'],
        RoleSessionName="cross_acct_lambda"
    )

    ACCESS_KEY = acct_b['Credentials']['AccessKeyId']
    SECRET_KEY = acct_b['Credentials']['SecretAccessKey']
    SESSION_TOKEN = acct_b['Credentials']['SessionToken']

    # create service client using the assumed role credentials (CloudFront here)
    client = boto3.client(
        'cloudfront',
        aws_access_key_id=ACCESS_KEY,
        aws_secret_access_key=SECRET_KEY,
        aws_session_token=SESSION_TOKEN,
    )

    response = client.create_invalidation(
        DistributionId=os.environ['DISTRIBUTION_ID'],
        InvalidationBatch={
            'Paths': {
                'Quantity': 1,
                'Items': [
                    os.environ['INVALIDATION_PATH'],
                ]
            },
            # Must be unique per request; a fixed value makes CloudFront
            # treat later calls as a repeat of the first invalidation.
            'CallerReference': context.aws_request_id
        }
    )

    logger.info("Invalidation ID: %s", response['Invalidation']['Id'])
    result = response['ResponseMetadata']['HTTPStatusCode']
    return result
```
```bash
#!/usr/bin/env bash
set -e

if [ $# -lt 2 ]; then
  echo 1>&2 "Not enough arguments"
  echo 1>&2 "Usage: $0 <PROFILE-ID> <ROLE-TO-ASSUME>"
  exit 1
fi

# Clear any credentials already exported in this shell
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN

export AWS_PROFILE="$1"
role="$2"

# Look up the account ID of the profile to build the role ARN
identity=$(aws --profile "$1" sts get-caller-identity)
account=$(echo "$identity" | jq --raw-output '.Account')

credentials=$(aws sts assume-role --role-arn "arn:aws:iam::${account}:role/$role" --role-session-name USER-session --query Credentials --duration-seconds 3600)
export AWS_ACCESS_KEY_ID=$(echo "$credentials" | jq --raw-output '.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$credentials" | jq --raw-output '.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$credentials" | jq --raw-output '.SessionToken')

echo "$AWS_PROFILE logged in"
```
### Unlock card during ykman usage
.zshrc
```
GPG_TTY=$(tty)
export GPG_TTY
```