diff --git a/entrypoint.sh b/entrypoint.sh index c89e07d..7cf1c12 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -4,11 +4,14 @@ set -u set -o pipefail awsDir="${HOME}/.aws" -config="${awsDir}/config" +config="$(mktemp)" credentials="${awsDir}/credentials" +# Delete the temporary file when this script finishes running, is interrupted, or exits abnormally +trap "rm -f $config" 0 2 3 15 + mkdir -p "${awsDir}" -echo -e "[profile default]\noutput = json" >>"$config" +echo -e "[profile default]\noutput = json" >"$config" # Attempt to get aws credentials via tokendito max_attempts=10 @@ -16,7 +19,7 @@ totp_time=30 totp_error='Each code can only be used once. Please wait for a new code and try again.' for ((attempts = 1; attempts <= $max_attempts; attempts++)); do echo "Requesting AWS credentials via Tokendito." - t_error=$(tokendito --aws-profile default -ou $INPUT_OKTA_APP_URL -R $INPUT_AWS_ROLE_ARN --username $INPUT_OKTA_USERNAME --password $INPUT_OKTA_PASSWORD --mfa-method ${INPUT_OKTA_MFA_METHOD:=token:software:totp} --mfa-response $(echo $INPUT_OKTA_MFA_SEED | mintotp ${totp_time}) 2>&1 1>/dev/null) + t_error=$(tokendito --config-file $config --aws-profile default -ou $INPUT_OKTA_APP_URL -R $INPUT_AWS_ROLE_ARN --username $INPUT_OKTA_USERNAME --password $INPUT_OKTA_PASSWORD --mfa-method ${INPUT_OKTA_MFA_METHOD:=token:software:totp} --mfa-response $(echo $INPUT_OKTA_MFA_SEED | mintotp ${totp_time}) 2>&1 1>/dev/null) if [[ $? == 0 ]]; then echo "Succeeded getting credentials in attempt #${attempts}."