This repository was archived by the owner on Feb 2, 2025. It is now read-only.
aws-cli-session-manager
#! /usr/bin/env bash
# Runtime defaults. ENGINE, AWS_CLI_VERSION and IMAGE may be overridden from
# the caller's environment.
declare engine image mountopt aws_cli_version force_tty read_write
declare -a args interactive mounts passopt

# Container engine binary (the author notes podman compatibility is planned).
engine="${ENGINE:-docker}"
aws_cli_version="${AWS_CLI_VERSION:-2.23.7}"
# IMAGE replaces the whole image reference. The default is a tag, not a
# digest, so whatever the registry serves for that tag is the code that gets
# the AWS configuration and credentials mounted/forwarded further down.
image="${IMAGE:-ghcr.io/kineticcafe/aws-cli-session-manager:${aws_cli_version}}"

# Wrapper switches; flipped by the argument parser.
force_tty=false
read_write=false

# Suffix appended to the config/credential bind mounts. Read-only is the
# default; it is cleared only for `configure` or --read-write.
mountopt=",readonly"

# Keep stdin attached unless told (or forced by a missing TTY) otherwise.
interactive=(--interactive)

# Locale/encoding settings handed to every container.
passopt=(
  --env PYTHONIOENCODING=utf-8
  --env LANG=en_US.UTF-8
  --env LC_ALL=en_US.UTF-8
  --env LC_CTYPE=en_US.UTF-8
)

# The current directory is bind-mounted at /aws without a readonly option, so
# the container can write to it. A comma in the path would be parsed as a
# mount-option separator.
mounts=(
  --mount "type=bind,src=$(pwd),dst=/aws"
)
# Split the wrapper's own switches from the arguments meant for the AWS CLI.
# The switches are recognised at ANY position, so an AWS argument whose value
# is literally `--read-write`, `--force-tty` or `--non-interactive` is consumed
# here and never reaches the CLI.
for arg in "$@"; do
  case "${arg}" in
    --non-interactive)
      interactive=()
      ;;
    --force-tty)
      force_tty=true
      ;;
    --read-write)
      read_write=true
      ;;
    *)
      args+=("${arg}")
      ;;
  esac
done

# From here on the positional parameters hold only the AWS CLI arguments.
set -- "${args[@]}"
# Reconcile the requested terminal mode with what stdin actually is.
if [[ -t 0 ]]; then
  # stdin is a terminal: allocate a TTY only when explicitly requested.
  if [[ "${force_tty}" == "true" ]]; then
    interactive=(--interactive --tty)
  fi
else
  # stdin is a pipe or file: a TTY cannot be forced, and stdin is not
  # attached to the container at all.
  if [[ "${force_tty}" == "true" ]]; then
    echo >&2 "Cannot --force-tty without a TTY."
    exit 1
  fi
  interactive=()
fi
# Pick the container entrypoint and mount mode from how the wrapper was
# invoked. The three cases are mutually exclusive and checked in this order,
# so --read-write has no effect for aws_completer or for sh/shell.
invoked_as="$(basename "$0")"

if [[ "${invoked_as}" == aws_completer ]]; then
  # Completion mode: forward the completion context variables that are set.
  if [[ -n "${COMP_POINT}" ]]; then
    passopt+=(--env "COMP_POINT=${COMP_POINT}")
  fi
  if [[ -n "${COMP_LINE}" ]]; then
    passopt+=(--env "COMP_LINE=${COMP_LINE}")
  fi
  if [[ -n "${COMMAND_LINE}" ]]; then
    passopt+=(--env "COMMAND_LINE=${COMMAND_LINE}")
  fi
  passopt+=(--entrypoint aws_completer)
else
  case "$1" in
    sh | shell)
      # An interactive shell inside the image; only meaningful on a terminal.
      if ! [[ -t 0 ]]; then
        echo >&2 "Cannot run the shell without a TTY."
        exit 1
      fi
      shift
      passopt+=(--entrypoint=/bin/bash)
      interactive=(--interactive --tty)
      ;;
    *)
      # `configure` has to write the config/credentials, and --read-write
      # asks for the same; every other command keeps the read-only mounts.
      if [[ "$1" == "configure" || "${read_write}" == "true" ]]; then
        mountopt=
      fi
      ;;
  esac
fi
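# Bind-mount the caller's AWS configuration to /root/.aws in the container.
# ${mountopt} is ",readonly" unless an earlier step cleared it, so by default
# the container cannot modify the host's config or credentials.
if [[ -d "${HOME}"/.aws ]]; then
  mounts+=(--mount "type=bind,src=${HOME}/.aws,dst=/root/.aws${mountopt}")
fi

# The CLI history directory is mounted WITHOUT ${mountopt}: it stays writable
# even when the rest of ~/.aws is read-only.
if [[ -d "${HOME}"/.aws/cli/history ]]; then
  mounts+=(--mount "type=bind,src=${HOME}/.aws/cli/history,dst=/root/.aws/cli/history")
fi

# An explicit AWS_CONFIG_FILE is mounted over /root/.aws/config. A bind mount
# needs an existing source, so for `configure` a missing file is created
# first. umask 077 in a subshell makes the new file owner-only (0600) without
# changing the umask of the rest of the script; a plain `touch` would use the
# caller's umask, typically leaving the file group/world-readable.
if [[ -n "${AWS_CONFIG_FILE}" ]]; then
  if [[ "$1" == "configure" ]] && [[ ! -f "${AWS_CONFIG_FILE}" ]]; then
    mkdir -p -- "$(dirname "${AWS_CONFIG_FILE}")"
    (umask 077 && touch -- "${AWS_CONFIG_FILE}")
  fi

  if [[ -f "${AWS_CONFIG_FILE}" ]]; then
    mounts+=(--mount "type=bind,src=${AWS_CONFIG_FILE},dst=/root/.aws/config${mountopt}")
  fi
fi

# Same handling for AWS_SHARED_CREDENTIALS_FILE, mounted over
# /root/.aws/credentials. This file holds long-lived secrets once `configure`
# has run, so it must not be created with default permissions.
if [[ -n "${AWS_SHARED_CREDENTIALS_FILE}" ]]; then
  if [[ "$1" == "configure" ]] && [[ ! -f "${AWS_SHARED_CREDENTIALS_FILE}" ]]; then
    mkdir -p -- "$(dirname "${AWS_SHARED_CREDENTIALS_FILE}")"
    (umask 077 && touch -- "${AWS_SHARED_CREDENTIALS_FILE}")
  fi

  if [[ -f "${AWS_SHARED_CREDENTIALS_FILE}" ]]; then
    mounts+=(--mount "type=bind,src=${AWS_SHARED_CREDENTIALS_FILE},dst=/root/.aws/credentials${mountopt}")
  fi
fi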
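# - Need better support for AWS_CA_BUNDLE (also --ca-bundle / profile ca_bundle)
# - Need better support for AWS_DATA_PATH (`:` / `;` separated)
# - Need support for AWS_WEB_IDENTITY_TOKEN_FILE
#
# Forward the AWS_* settings that are set and non-empty.
#
# Only the variable NAME goes on the command line (`--env NAME`); the engine
# client reads the value from this process's exported environment. Writing
# `--env NAME=value` would put AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN in
# the engine client's argv, where other local users can read them through the
# process list.
#
# AWS_CA_BUNDLE and AWS_WEB_IDENTITY_TOKEN_FILE hold host paths; only the
# variable is forwarded, the file itself is not mounted (see the notes above).
for var in \
  AWS_ACCESS_KEY_ID \
  AWS_CA_BUNDLE \
  AWS_CLI_AUTO_PROMPT \
  AWS_CLI_FILE_ENCODING \
  AWS_DEFAULT_OUTPUT \
  AWS_DEFAULT_REGION \
  AWS_EC2_METADATA_DISABLED \
  AWS_IGNORE_CONFIGURED_ENDPOINT_URLS \
  AWS_MAX_ATTEMPTS \
  AWS_METADATA_SERVICE_NUM_ATTEMPTS \
  AWS_METADATA_SERVICE_TIMEOUT \
  AWS_PAGER \
  AWS_PROFILE \
  AWS_REGION \
  AWS_RETRY_MODE \
  AWS_ROLE_ARN \
  AWS_ROLE_SESSION_NAME \
  AWS_SECRET_ACCESS_KEY \
  AWS_SESSION_TOKEN \
  AWS_STS_REGIONAL_ENDPOINTS \
  AWS_USE_FIPS_ENDPOINT \
  AWS_WEB_IDENTITY_TOKEN_FILE; do
  if [[ -n "${!var}" ]]; then
    passopt+=(--env "${var}")
  fi
done

# AWS_ENDPOINT_URL and its per-service AWS_ENDPOINT_URL_<SERVICE> variants.
# `compgen -v PREFIX` matches names that START with the prefix; an unanchored
# grep would also forward unrelated variables that merely contain the string.
while IFS= read -r var; do
  if [[ -n "${!var}" ]]; then
    passopt+=(--env "${var}")
  fi
done < <(compgen -v AWS_ENDPOINT_URL)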
# Assemble the engine invocation as one array, then run it.
#   --rm            the container is removed when the command exits
#   --network host  the container shares the host's network namespace, so it
#                   can reach everything the host can (loopback services
#                   included); presumably needed for Session Manager port
#                   forwarding - TODO confirm before narrowing
# The remaining positional parameters are passed to the image's entrypoint.
run_cmd=(
  "${engine}" run
  "${interactive[@]}"
  --rm
  --network host
  "${mounts[@]}"
  "${passopt[@]}"
  "${image}"
  "$@"
)
"${run_cmd[@]}"