'use strict';
const speakeasy = require("speakeasy");
/**
 * Serverless Framework plugin that exchanges the configured AWS credentials
 * for an MFA-backed STS session before `deploy:deploy` runs.
 *
 * Inputs are read from the environment:
 *   - AWS_MFA_KEY            base32 TOTP secret used to compute the MFA code
 *   - AWS_MFA_SERIAL_NUMBER  passed to STS as `SerialNumber`
 *
 * Security notes for operators:
 *   - Whoever can read AWS_MFA_KEY can compute valid MFA codes, so the secret
 *     needs at least the same protection as the long-term access key. Keeping
 *     both in the same environment means the code is no longer an independent
 *     second factor.
 *   - When either variable is absent the step is skipped with a log line and
 *     the deploy continues on the original credentials; MFA enforcement has
 *     to come from the IAM policy, not from this plugin.
 */
class ServerlessPlugin {
  /**
   * @param {object} serverless - Framework instance; `cli.log` and
   *   `providers.aws` are the only members used by this plugin.
   * @param {object} options - CLI options, stored but not read here.
   */
  constructor(serverless, options) {
    this.serverless = serverless;
    this.options = options;

    // Only this lifecycle event is hooked; other commands never call mfa().
    const runMfa = this.mfa.bind(this);
    this.hooks = { 'before:deploy:deploy': runMfa };
  }

  /**
   * Computes a TOTP code, calls STS GetSessionToken with it and exports the
   * returned session credentials through the standard AWS environment
   * variables.
   *
   * A rejection from the STS call is not caught here and propagates to the
   * hook caller.
   *
   * @returns {Promise<void>}
   */
  async mfa() {
    const log = (message) => this.serverless.cli.log(message);
    const { AWS_MFA_KEY: totpSecret, AWS_MFA_SERIAL_NUMBER: deviceSerial } = process.env;

    // Guard clauses: a missing (or empty) variable skips MFA instead of failing.
    if (!totpSecret) {
      log('AWS_MFA_KEY environment variable is missing, skip mfa');
      return;
    }
    if (!deviceSerial) {
      log('AWS_MFA_SERIAL_NUMBER environment variable is missing, skip mfa');
      return;
    }

    log('get token');

    // Current one-time code; neither the secret nor the code is ever logged.
    const oneTimeCode = speakeasy.totp({ secret: totpSecret, encoding: 'base32' });

    // The STS client is built from the credentials the provider already holds.
    const aws = this.serverless.providers.aws;
    this.sts = new aws.sdk.STS(aws.getCredentials());

    const request = {
      DurationSeconds: 3600, // session lifetime: one hour
      SerialNumber: deviceSerial,
      TokenCode: oneTimeCode,
    };
    const session = await this.sts.getSessionToken(request).promise();
    log('sts success');

    // Drop the provider's cached credentials so they are resolved again.
    aws.cachedCredentials = null;

    // Export the session through the standard AWS variables so any subsequent
    // AWS call uses it. The values stay in this process's environment (and in
    // that of child processes started afterwards) until they expire.
    const { AccessKeyId, SecretAccessKey, SessionToken } = session.Credentials;
    process.env.AWS_ACCESS_KEY_ID = AccessKeyId;
    process.env.AWS_SECRET_ACCESS_KEY = SecretAccessKey;
    process.env.AWS_SESSION_TOKEN = SessionToken;
  }
}
// CommonJS export: the class itself is the module's value (presumably
// instantiated by the Serverless plugin loader with (serverless, options)).
module.exports = ServerlessPlugin;