#!/bin/bash
set -eufo pipefail
export SHELLOPTS
IFS=$'\t\n'

if [[ -z "${AWS_ACCESS_KEY_ID:-}" ]] ||
   [[ -z "${AWS_SECRET_ACCESS_KEY:-}" ]] ||
   [[ -z "${AWS_SESSION_TOKEN:-}" ]]; then
  echo "AWS_ required variables not set"
  exit 1
fi

command -v curl >/dev/null 2>&1 || { echo "curl is not installed!"; exit 1; }
command -v jq >/dev/null 2>&1 || { echo "jq is not installed!"; exit 1; }

credentials='{"sessionId":"'"${AWS_ACCESS_KEY_ID}"'","sessionKey":"'"${AWS_SECRET_ACCESS_KEY}"'","sessionToken":"'"${AWS_SESSION_TOKEN}"'"}'

uc="${credentials//'%'/%25}"; uc="${uc//'"'/%22}"; uc="${uc//','/%2C}"
uc="${uc//'/'/%2F}"; uc="${uc//':'/%3A}"; uc="${uc//'='/%3D}"
uc="${uc//'{'/%7B}"; uc="${uc//'}'/%7D}"; uc="${uc//'+'/%2B}"

federation_url="https://signin.aws.amazon.com/federation"
federation_url="${federation_url}?Action=getSigninToken"
federation_url="${federation_url}&SessionDuration=3600"
federation_url="${federation_url}&Session=$(printf %s "$uc")"

token=$(curl -s "${federation_url}" | jq -r '.SigninToken' 2>/dev/null) ||
  { echo "invalid or expired credentials"; exit 1; }

console_url="https://signin.aws.amazon.com/federation"
console_url="${console_url}?Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F"
console_url="${console_url}&SigninToken=${token}"
console_url="${console_url}&Issuer=https%3A%2F%2Fexample.com"
console_url="${console_url}&Action=login"

open "${console_url}"