package main
import (
"context"
"errors"
"fmt"
"os"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
"github.com/spf13/viper"
)
// flagBootstrapUserUser is the name of the --user flag: the IAM user whose
// console login profile the bootstrap-user command creates.
const flagBootstrapUserUser = "user"
// initBootstrapUserFlags registers the flags accepted by the bootstrap-user
// command on flag. Only --user (the IAM user to update) is defined; it
// defaults to the empty string and is validated separately by
// checkBootstrapUserConfig.
func initBootstrapUserFlags(flag *pflag.FlagSet) {
	const usage = "The name of the IAM user to update"
	flag.String(flagBootstrapUserUser, "", usage)
}
// checkBootstrapUserConfig validates the bootstrap-user settings held in v.
// It returns an error when the --user value is empty and nil otherwise.
func checkBootstrapUserConfig(v *viper.Viper) error {
	if v.GetString(flagBootstrapUserUser) != "" {
		return nil
	}
	return errors.New("The IAM user name should not be empty")
}
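// bootstrapUser provisions console access for an existing IAM user: it
// confirms the user exists, generates a temporary password with Secrets
// Manager, creates the user's login profile with it, and prints the sign-in
// URL, user name, temporary password and the follow-up steps (enable MFA,
// then rotate the password).
//
// The user named by --user must already exist; the function fails before any
// password is generated if it does not. Errors from viper, the AWS config
// loader and each API call are returned wrapped with the step that failed.
// The temporary password is written only to stdout and is not persisted by
// this tool.
func bootstrapUser(cmd *cobra.Command, args []string) error {
	v, err := initViper(cmd)
	if err != nil {
		return fmt.Errorf("initializing viper: %w", err)
	}
	if err := checkBootstrapUserConfig(v); err != nil {
		return err
	}
	userName := v.GetString(flagBootstrapUserUser)

	// Prefer the command's context so cancellation (e.g. Ctrl-C via
	// ExecuteContext) reaches the AWS calls; fall back when none was set.
	ctx := cmd.Context()
	if ctx == nil {
		ctx = context.Background()
	}

	awsCfg, err := config.LoadDefaultConfig(ctx)
	if err != nil {
		return fmt.Errorf("loading AWS config: %w", err)
	}
	svcIAM := iam.NewFromConfig(awsCfg)
	svcSecretsManager := secretsmanager.NewFromConfig(awsCfg)

	// Confirm the user exists before generating a password, so a typo in
	// --user fails fast without a wasted Secrets Manager call.
	if _, err := svcIAM.GetUser(ctx, &iam.GetUserInput{UserName: &userName}); err != nil {
		return fmt.Errorf("looking up IAM user %q (not yet provisioned?): %w", userName, err)
	}

	password, err := newTemporaryPassword(ctx, svcSecretsManager)
	if err != nil {
		return err
	}

	if _, err := svcIAM.CreateLoginProfile(ctx, &iam.CreateLoginProfileInput{
		UserName: &userName,
		Password: &password,
	}); err != nil {
		return fmt.Errorf("creating login profile for %q: %w", userName, err)
	}

	aliasesOut, err := svcIAM.ListAccountAliases(ctx, &iam.ListAccountAliasesInput{})
	if err != nil {
		return fmt.Errorf("listing account aliases: %w", err)
	}
	var alias string
	if len(aliasesOut.AccountAliases) > 0 {
		alias = aliasesOut.AccountAliases[0]
	}
	// NOTE(review): AWS_REGION is read directly, as before; awsCfg.Region
	// would additionally honour a region set in the shared config profile.
	loginURL, securityCredsURL := consoleURLs(os.Getenv("AWS_REGION"), alias, userName)

	printBootstrapInstructions(loginURL, securityCredsURL, userName, password)
	return nil
}

// newTemporaryPassword asks Secrets Manager for a 24-character random
// password that contains every character class. It returns an error when
// the call fails or the service returns no password.
func newTemporaryPassword(ctx context.Context, svc *secretsmanager.Client) (string, error) {
	out, err := svc.GetRandomPassword(ctx, &secretsmanager.GetRandomPasswordInput{
		PasswordLength:          24,
		RequireEachIncludedType: true,
	})
	if err != nil {
		return "", fmt.Errorf("generating temporary password: %w", err)
	}
	// Guard the dereference: a nil or empty password would otherwise be
	// handed to CreateLoginProfile (or crash when printed).
	if out.RandomPassword == nil || *out.RandomPassword == "" {
		return "", errors.New("secrets manager returned an empty random password")
	}
	return *out.RandomPassword, nil
}

// consoleURLs builds the console sign-in URL and the security-credentials
// page URL for userName. alias is the account alias used in the sign-in host
// ("" when the account has none); region selects the GovCloud endpoints for
// us-gov-east-1 and us-gov-west-1. With no alias the generic console URL is
// returned and securityCredsURL is empty.
func consoleURLs(region, alias, userName string) (loginURL, securityCredsURL string) {
	if alias == "" {
		return "https://console.aws.amazon.com/", ""
	}
	switch region {
	case "us-gov-east-1", "us-gov-west-1":
		loginURL = fmt.Sprintf("https://%s.signin.amazonaws-us-gov.com/console", alias)
		securityCredsURL = fmt.Sprintf("https://console.amazonaws-us-gov.com/iam/home?region=%s#/users/%s?section=security_credentials", region, userName)
	default:
		loginURL = fmt.Sprintf("https://%s.signin.aws.amazon.com/console", alias)
		securityCredsURL = fmt.Sprintf("https://console.aws.amazon.com/iam/home?#/users/%s?section=security_credentials", userName)
	}
	return loginURL, securityCredsURL
}

// printBootstrapInstructions writes the sign-in details and the follow-up
// steps to stdout. securityCredsURL is printed under step 2 only when it is
// non-empty (the account has no alias otherwise). password is the one-time
// temporary password; this is the only place it is emitted.
func printBootstrapInstructions(loginURL, securityCredsURL, userName, password string) {
	fmt.Printf("Login URL: %s\n", loginURL)
	fmt.Printf("Username: %s\n", userName)
	fmt.Printf("Password: %s\n", password)
	// Interpreted strings so that \n is a newline; inside a raw (backtick)
	// string it is printed as a literal backslash-n.
	fmt.Println("Please follow these steps:\n" +
		"1. Log in to the console with your temporary password.\n" +
		"2. Create an MFA. Save MFA to 1Password as One Time Password (OTP)")
	if securityCredsURL != "" {
		fmt.Printf("\tURL: %s\n", securityCredsURL)
	}
	fmt.Println("3. Log out of the AWS Console\n" +
		"4. Log in to the console with your new MFA\n" +
		"5. Reset your password (min 20 chars, requires upper and lowercase, numbers and symbols)\n" +
		"6. Assume the IAM Role you wish to use.\n" +
		"NOTE: You will not be able to do anything in the account unless you log in with MFA and assume the AWS IAM role for your project.")
}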