From 1679ee01b4f8d27c5982f285958202b5d924c499 Mon Sep 17 00:00:00 2001 From: George Geddes Date: Fri, 28 Jul 2023 09:39:23 -0400 Subject: [PATCH 1/4] use 1password for mfa --- aws-cli/get-aws-subaccount-session.sh | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/aws-cli/get-aws-subaccount-session.sh b/aws-cli/get-aws-subaccount-session.sh index 72bed2c..841d911 100755 --- a/aws-cli/get-aws-subaccount-session.sh +++ b/aws-cli/get-aws-subaccount-session.sh @@ -61,6 +61,21 @@ echo AWS CLI configs loaded. echo +## Check for 1Password CLI +if ! op --version >/dev/null; then + echo "Please install 1Password CLI and make sure 'op' is on your \$PATH." + echo "https://1password.com/downloads/command-line/" + return +fi +echo "Signing in to 1Password CLI..." +op signin || return # Prompts for user password if needed +echo +echo "Successfully signed in." + +#### edit the item title below to choose the right 1password item +#### this can be the item name or uuid +onepassword_aws_item="AWS" + ## preflight checks @@ -89,6 +104,10 @@ if [[ -z ${aws_target_subaccount_session_seconds} ]]; then echo "Please set the aws_target_subaccount_session_seconds environment variable." return fi +if [[ -z ${onepassword_aws_item} ]]; then + echo "Please set the onepassword_aws_item shell variable." + return +fi #### wipe previous terminal env vars set by this utility @@ -173,8 +192,7 @@ echo -e "Your MFA device is: ${blue}${device}${reset}" >&2 ## option 2: automated mfa token entry echo -ne "Automating MFA input... ${blue}" >&2 -totp=$(cat /${HOME}/.aws/mfa/isc-login_totp) -code=$(oathtool -b --totp ${totp}) +read code < <(op item get "$onepassword_aws_item" --otp) echo -e "${reset}" >&2 echo From 1c3ca6797a899912e39d5e495629af60269f3aed Mon Sep 17 00:00:00 2001 
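Review bot: In the `@@ -61,6 +61,21 @@` hunk of patch 1/4, `op signin || return` runs the sign-in without capturing its output; as far as I know, when the CLI is not linked to the desktop app, `op signin` prints an `export OP_SESSION_…` line meant for `eval`, so the session token would be shown on the terminal and the later `op item get` would not be authenticated. The usual form is `eval "$(op signin)"`, with the exit status of `op signin` checked before the result is evaluated; this needs confirming on both setups. The bare `return` statements here and in the `@@ -89,6 +104,10 @@` hunk pass on the status of the preceding `echo`, so a caller that sources the script sees success when the CLI is missing or the item name is empty; `return 1` would make the failure detectable. `command -v op >/dev/null 2>&1` would also be a quieter existence check than `op --version`, which leaves the shell's own not-found error on stderr.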
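Review bot: In the `@@ -173,8 +192,7 @@` hunk of patch 1/4, `read code < <(op item get "$onepassword_aws_item" --otp)` cannot see whether `op` failed, because the exit status of a process substitution is discarded; with a locked vault or a wrong item name `code` ends up empty and the script carries on to whatever consumes it, which lies outside the hunk. A plain assignment keeps the status: `code=$(op item get "$onepassword_aws_item" --otp) || return 1`, ideally followed by a check that the value is numeric. Because the script is sourced, `code` also stays in the user's shell afterwards; an `unset code` once the token has been used would tidy that up.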
From: George Geddes Date: Fri, 22 Dec 2023 17:00:33 -0500 Subject: [PATCH 2/4] Don't require a TTY --- aws-cli/get-aws-subaccount-session.sh | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/aws-cli/get-aws-subaccount-session.sh b/aws-cli/get-aws-subaccount-session.sh index 841d911..2cbe81f 100755 --- a/aws-cli/get-aws-subaccount-session.sh +++ b/aws-cli/get-aws-subaccount-session.sh @@ -137,17 +137,10 @@ echo #### this content is sourced from https://github.com/sweharris/aws-cli-mfa/blob/master/get-aws-creds and has been modified a bit ## -# This uses MFA devices to get temporary (eg 12 hour) credentials. Requires -# a TTY for user input. +# This uses MFA devices to get temporary (eg 1 hour) credentials. # # GPL 2 or higher -if [ ! -t 0 ] -then - echo Must be on a tty >&2 - return -fi - if [ -n "$AWS_SESSION_TOKEN" ] then echo "Session token found. This can not be used to generate a new token. From f70cff94665de86d540790ecffa8441ee05607e4 Mon Sep 17 00:00:00 2001 From: George Geddes Date: Fri, 22 Dec 2023 17:16:24 -0500 Subject: [PATCH 3/4] Allow target variables to be passed from the environment --- aws-cli/get-aws-subaccount-session.sh | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/aws-cli/get-aws-subaccount-session.sh b/aws-cli/get-aws-subaccount-session.sh index 2cbe81f..1d3459f 100755 --- a/aws-cli/get-aws-subaccount-session.sh +++ b/aws-cli/get-aws-subaccount-session.sh 
@@ -47,13 +47,15 @@ echo echo Loading AWS CLI configs... echo -#### alter the values below to your target subaccount and target role as needed ## - -export AWS_PROFILE=default -export aws_target_subaccount_name=gross-eng-dev -export aws_target_subaccount_id=235758441054 -export aws_target_subaccount_role=isc-login_assumed-role_eng_power-users -export aws_target_subaccount_session_seconds=3600 +#### alter the values below to your target subaccount and target role as needed ## +#### You may set these environment variables before sourcing the +#### script to override the default values. + +export AWS_PROFILE=${AWS_PROFILE:-default} +export aws_target_subaccount_name=${aws_target_subaccount_name:-gross-eng-dev} +export aws_target_subaccount_id=${aws_target_subaccount_id:-235758441054} +export aws_target_subaccount_role=${aws_target_subaccount_role:-isc-login_assumed-role_eng_power-users} +export aws_target_subaccount_session_seconds=${aws_target_subaccount_session_seconds:-3600} ################################################################################## From add84cddb4a8e46cd8ac33b6bc17b9e28294b25c Mon Sep 17 00:00:00 2001 From: George Geddes Date: Fri, 22 Dec 2023 17:17:14 -0500 Subject: [PATCH 4/4] Allow onepassword_aws_item to be set from environment --- aws-cli/get-aws-subaccount-session.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-cli/get-aws-subaccount-session.sh b/aws-cli/get-aws-subaccount-session.sh index 1d3459f..1d39b71 100755 --- a/aws-cli/get-aws-subaccount-session.sh +++ b/aws-cli/get-aws-subaccount-session.sh @@ -76,7 +76,7 @@ echo "Successfully signed in." #### edit the item title below to choose the right 1password item #### this can be the item name or uuid -onepassword_aws_item="AWS" +echo "onepassword_aws_item is set to: '${onepassword_aws_item:-AWS}'" ## preflight checks
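Review bot: In the `@@ -47,13 +47,15 @@` hunk of patch 3/4 the five targets are now taken from the caller's environment, but nothing checks their shape before they are used further down (outside this hunk, presumably to build the role ARN and the session duration). A short guard after the exports, e.g. `[[ $aws_target_subaccount_id =~ ^[0-9]{12}$ ]] || { echo "bad account id" >&2; return 1; }` plus a numeric check on `aws_target_subaccount_session_seconds`, would stop a stray or stale value from selecting an unintended account or role. Because the script is sourced and the variables are exported, an override set once stays in force for every later run in that shell; the added comment could say so. The expansions are also unquoted; `export AWS_PROFILE="${AWS_PROFILE:-default}"` is the safer form in shells that word-split `export` arguments.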
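Review bot: The new `echo` in the `@@ -76,7 +76,7 @@` hunk of patch 4/4 prints the default but never assigns it: `${onepassword_aws_item:-AWS}` substitutes only inside that one string, so when the variable is not provided it stays empty, and the preflight check added in patch 1/4 returns with "Please set the onepassword_aws_item shell variable." right after the script reported 'AWS'. Assign first, `onepassword_aws_item=${onepassword_aws_item:-AWS}`, then echo `${onepassword_aws_item}`. The two `####` comment lines above the changed line still say to edit the item title below and should be reworded to describe the environment override.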