From 9405bd757fc82379502b66419b0515ba28c0b8dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Ol=C3=A1h?=
Date: Fri, 12 Jul 2024 13:33:42 +0200
Subject: [PATCH] feat(assume-role): Provide script for AssumeRoleWithWebIdentity
---
 README.md | 5 +++++
 scripts/assume-role.sh | 14 ++++++++++++++
 2 files changed, 19 insertions(+)
 create mode 100755 scripts/assume-role.sh
diff --git a/README.md b/README.md
index c3ccc57..b89036a 100644
--- a/README.md
+++ b/README.md
@@ -8,3 +8,8 @@ ## Scripts - `deploy-s3-cf` - for deploying static site to S3 and CloudFront
+- `assume-role` - Script for AssumeRoleWithWebIdentity
+ - Requirements:
+ - `$AWS_ROLE_ARN` = ENV variable for Role ARN
+ - `$AWS_ROLE_SESSION_NAME` = ENV variable for session name
+ - `$OIDC_TOKEN` = ENV variable for providing OIDC token
diff --git a/scripts/assume-role.sh b/scripts/assume-role.sh
new file mode 100755
index 0000000..f85dc06
--- /dev/null
+++ b/scripts/assume-role.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION
+
+read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION < <(
+ aws sts assume-role-with-web-identity \
+ --role-arn "${AWS_ROLE_ARN}" \
+ --role-session-name "${AWS_ROLE_SESSION_NAME}" \
+ --web-identity-token "${OIDC_TOKEN}" \
+ --duration-seconds 900 \
+ --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
+ --output text
+)
+
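Review bot: Nothing in the new `scripts/assume-role.sh` checks whether `aws sts assume-role-with-web-identity` succeeded: the exit status of the command inside `< <( … )` is discarded, so on an expired token or an unset `AWS_ROLE_ARN` the `read` gets no input and the four exported variables are left empty while the caller carries on. Later `aws` calls would then presumably fall back to whatever other credentials the environment offers, or fail with a much less obvious error. I would validate the three inputs up front, capture the output with a checked command substitution and stop on failure, as sketched below; `return … || exit` is used because the exports only reach the caller when the file is sourced, which the README entry does not state. Separately, `--web-identity-token "${OIDC_TOKEN}"` places the token on the command line, where it shows up in process listings and `set -x` traces; if the token is available as a file, the CLI's `AWS_WEB_IDENTITY_TOKEN_FILE` variable avoids that.

```shell
# … unchanged: shebang and export line …

: "${AWS_ROLE_ARN:?AWS_ROLE_ARN must be set}"
: "${AWS_ROLE_SESSION_NAME:?AWS_ROLE_SESSION_NAME must be set}"
: "${OIDC_TOKEN:?OIDC_TOKEN must be set}"

if ! sts_credentials=$(
  aws sts assume-role-with-web-identity \
    # … unchanged: --role-arn through --output text …
); then
  echo "assume-role: sts assume-role-with-web-identity failed" >&2
  return 1 2>/dev/null || exit 1
fi

read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION \
  <<<"${sts_credentials}"
```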