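#!/bin/sh
# awscreds-lpass: credential_process helper that hands the AWS CLI an access
# key pair stored in LastPass instead of in a plaintext file.
#
# Usage:
#
# - Install jq: https://stedolan.github.io/jq/
# - Install the LastPass CLI (lpass) and log in with it
# - Add this script to your path, eg. to /usr/local/bin
# - Add AWS access key id and secret access key to LastPass
#   named "AWS Credentials for my-profile profile"
#   (username field = access key id, password field = secret access key)
# - Add "credential_process = awscreds-lpass my-profile" to
#   the respective profile in ~/.aws/config
# - Make sure you don't have credentials left in ~/.aws/credentials
#
# Security notes:
# - stdout carries the secret access key and must contain nothing but the
#   JSON document; every diagnostic goes to stderr.
# - The key pair is handed to jq on stdin, not as --arg values, because
#   command-line arguments are visible to other local users through ps.
# - Do not run this script with "sh -x": the trace would print the secret.
#
# Original inspiration:
# https://paulgalow.com/securing-aws-credentials-macos-lastpass

# -e: stop on unhandled errors, -u: reject unset variables,
# -f: no globbing, so the entry name is never pathname-expanded.
set -euf

# Print a message on stderr and abort with a non-zero status, which the
# AWS CLI treats as a failed credential lookup.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# $1 - AWS profile name; falls back to "default" when omitted.
readonly profile="${1:-default}"
readonly lastPassEntry="AWS Credentials for $profile profile"

printf "Fetching '%s' from LastPass\n" "$lastPassEntry" >&2

# Assign first and mark readonly afterwards: "readonly v=$(cmd)" returns the
# status of readonly, which hides a failing lpass (not logged in, no such
# entry) from both set -e and the caller.
accessKeyId=$(lpass show --username "$lastPassEntry") ||
  die "Could not get credentials from LastPass"
secretAccessKey=$(lpass show --password "$lastPassEntry") ||
  die "Could not get credentials from LastPass"
readonly accessKeyId secretAccessKey

# lpass can succeed on an entry whose fields are empty.
if [ -z "$accessKeyId" ] || [ -z "$secretAccessKey" ]; then
  die "Could not get credentials from LastPass"
fi

# Create JSON object that AWS CLI expects.
# printf is a builtin in the common /bin/sh implementations (dash, bash,
# busybox ash), so the two values travel through the pipe only; jq -R reads
# each line as a raw string and -n lets "input" consume them in order.
printf '%s\n%s\n' "$accessKeyId" "$secretAccessKey" |
  jq -Rn '
    input as $accessKeyId
    | input as $secretAccessKey
    | .Version = 1
    | .AccessKeyId = $accessKeyId
    | .SecretAccessKey = $secretAccessKey'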