Bash script help please

opethdisciple · 22 Oct 2020 at 15:46

I am trying to write a fairly simple script to help people switch AWS IAM roles and use MFA on the cli.

I have it working but now I am down to the fine details and final touches.

I have a problem capturing the output of a command and testing the exit status.

Here is an excerpt of the code:

unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

read -p "Please specify in seconds your session duration: " SESSION_DURATION
read -p "Please enter MFA token: " MFA_TOKEN

MFA_AUTH=$(aws sts get-session-token --duration-seconds $SESSION_DURATION --serial-number $MFA_DEVICE_ARN --token-code $MFA_TOKEN)

if [ $? -eq 0 ]; then

export AWS_ACCESS_KEY_ID=$(echo $MFA_AUTH | jq -r .Credentials.AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(echo $MFA_AUTH | jq -r .Credentials.SecretAccessKey)
export AWS_SESSION_TOKEN=$(echo $MFA_AUTH | jq -r .Credentials.SessionToken)

else

echo "MFA Authentication failure. Exiting"
return 1

fi

As you can see, for me to extract the keys I have to assign the command to a variable. That's fine. But If the user puts in the wrong MFA token currently I have no way of testing if the exit status of the previous command succeeded because it is assigned to a variable.

Any ideas?

I can test the exit status of: aws sts get-session-token --duration-seconds $SESSION_DURATION --serial-number $MFA_DEVICE_ARN --token-code $MFA_TOKEN but it will display on stdout which I don't want.

----

I know it will be hard for you guys to help as your need an mfa device and access to aws.

But I think I have found something that might work:

if [ ! -z "$MFA_AUTH" ]; then

Flippy · 22 Oct 2020 at 17:14

sorry ignore, I was incorrect
I can only get it to work by checking if the string is empty

azteched · 23 Oct 2020 at 22:55

Are you sure it doesn't work as it is? It looks OK to me. $? should still have the exit status of the aws command.

Code:

wibble=$(cat i_dont_exist)
if [ $? -eq 0 ]; then
    echo "success"
    echo $wibble
else
    echo "failed"
fi

zog=$(echo foo)
if [ $? -eq 0 ]; then
    echo "success"
    echo $zog
else
    echo "failed"
fi

produces

cat: i_dont_exist: No such file or directory // stderr from the failed cat; could capture this.
failed
success
foo

which seems correct?

opethdisciple · 24 Oct 2020 at 19:26

I solved it in the end thanks.

I do have a question about this: MFA_AUTH=$(aws sts get-session-token --duration-seconds $SESSION_DURATION --serial-number $MFA_DEVICE_ARN --token-code $MFA_TOKEN)

If I say:

MFA_AUTH=$(aws sts get-session-token --duration-seconds $SESSION_DURATION --serial-number $MFA_DEVICE_ARN --token-code $MFA_TOKEN)

if [ ! -z "$MFA_AUTH" ]; then
echo "success"
else
echo "failed"
fi

When does the MFA_AUTH variable get expanded?

During the if block or does the variable MFA_AUTH get populated during the variable assignment?

Thanks

droyden · 25 Oct 2020 at 22:23

You are checking if MFA_AUTH is zero, if it is then echo success. Is that what you want?

It would be set from the output of your aws sts command - does that return anyting via stdout?

opethdisciple · 26 Oct 2020 at 12:34

droyden said:
You are checking if MFA_AUTH is zero, if it is then echo success. Is that what you want?

It would be set from the output of your aws sts command - does that return anyting via stdout?

Oops. I fixed it.