• Stars: 354
• Rank 120,042 (Top 3 %)
• Language: Go
• License: MIT License
• Created about 8 years ago
• Updated about 1 year ago


Repository Details

Easily rotate your AWS access key. 🔑

aws-rotate-key

As a security best practice, AWS recommends that users periodically regenerate their API access keys. This tool simplifies the rotation of access keys defined in your credentials file.

When run, the program will list the current access keys associated with your IAM user, and print the steps it has to perform to rotate them. It will then wait for your confirmation before continuing.

Usage

$ aws-rotate-key --help
Usage of aws-rotate-key:
  -auth-profile string
    	Use a different profile when calling AWS.
  -d	Delete old key without deactivation.
  -mfa
    	Use MFA.
  -mfa-serial-number string
    	Specify the MFA device to use. (optional)
  -profile string
    	The profile to use. (default "default")
  -version
    	Print version number
  -y	Automatic "yes" to prompts.

Example

$ aws-rotate-key --profile work
Using access key AKIAJMIGD6UPCXCFWVOA from profile "work".
Your user ARN is: arn:aws:iam::123456789012:user/your_username

Your user has 2 access keys:
- AKIAI3KI7UC6BPI4O57A (Inactive, created 2018-11-22 21:47:46 +0000 UTC, last used 2018-11-30 20:35:41 +0000 UTC for service s3 in us-west-2)
- AKIAJMIGD6UPCXCFWVOA (Active, created 2018-11-30 21:55:57 +0000 UTC, last used 2018-12-20 12:14:10 +0000 UTC for service s3 in us-west-2)

You have two access keys, which is the maximum number of access keys allowed.
Do you want to delete AKIAI3KI7UC6BPI4O57A and create a new key? [yN] y
Deleted access key AKIAI3KI7UC6BPI4O57A.
Created access key AKIAIX46CKYT7E5I3KVQ.
Wrote new key pair to /Users/your_username/.aws/credentials
Deactivated old access key AKIAJMIGD6UPCXCFWVOA.
Please make sure this key is not used elsewhere.
Please note that it may take a minute for your new access key to propagate in the AWS control plane.
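The transcript above shows the order of operations the tool follows: when the user already holds two keys (the IAM maximum), the key that is not in the credentials file is deleted first, a new key is created and written to the credentials file, and only then is the previously used key deactivated (or deleted outright with -d). The following Go program is an added example, not code from the aws-rotate-key project; it models that planning step and the credentials-file rewrite offline, without the AWS SDK. The AccessKey and Step types, the PlanRotation and ReplaceProfileKeys functions, and the SampleCredentials file are assumptions constructed for the example; the key ids are the ones from the transcript and the secrets are placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AccessKey is a constructed model of one IAM access key (not the SDK type).
type AccessKey struct {
	ID     string
	Active bool
}

// Step is one action of a rotation plan, in the order it would be performed.
type Step struct {
	Action string // "delete", "create", "write" or "deactivate"
	KeyID  string // empty for "create"/"write", whose key id is not known yet
}

// PlanRotation applies the README's rules: a user holds at most two keys, so when
// two exist the one NOT in the credentials file is deleted first to make room; a new
// key is then created and written, and the old one deactivated (deleted when
// deleteOld is set, mirroring the -d flag). Keys never used in the file are not
// deactivated silently: the old key must be the one the caller is actually using.
func PlanRotation(keys []AccessKey, currentID string, deleteOld bool) ([]Step, error) {
	if len(keys) == 0 || len(keys) > 2 {
		return nil, fmt.Errorf("unexpected number of access keys: %d", len(keys))
	}
	found := false
	for _, k := range keys {
		found = found || k.ID == currentID
	}
	if !found {
		return nil, errors.New("key in credentials file does not belong to this user: " + currentID)
	}
	var steps []Step
	for _, k := range keys {
		if k.ID != currentID { // only true when a second key exists
			steps = append(steps, Step{Action: "delete", KeyID: k.ID})
		}
	}
	steps = append(steps, Step{Action: "create"}, Step{Action: "write"})
	if deleteOld {
		return append(steps, Step{Action: "delete", KeyID: currentID}), nil
	}
	return append(steps, Step{Action: "deactivate", KeyID: currentID}), nil
}

// ReplaceProfileKeys rewrites the aws_access_key_id and aws_secret_access_key lines of
// one profile in an INI-style ~/.aws/credentials file, leaving other profiles, comments
// and blank lines untouched. It fails rather than silently write nothing when the
// profile or either key line is missing.
func ReplaceProfileKeys(contents, profile, newID, newSecret string) (string, error) {
	lines := strings.Split(contents, "\n")
	inProfile, gotID, gotSecret := false, false, false
	for i, line := range lines {
		trimmed := strings.TrimSpace(line)
		if strings.HasPrefix(trimmed, "[") && strings.HasSuffix(trimmed, "]") {
			inProfile = trimmed == "["+profile+"]"
			continue
		}
		if !inProfile || strings.HasPrefix(trimmed, "#") {
			continue
		}
		key, _, ok := strings.Cut(trimmed, "=")
		if !ok {
			continue
		}
		switch strings.TrimSpace(key) {
		case "aws_access_key_id":
			lines[i], gotID = "aws_access_key_id = "+newID, true
		case "aws_secret_access_key":
			lines[i], gotSecret = "aws_secret_access_key = "+newSecret, true
		}
	}
	if !gotID || !gotSecret {
		return "", fmt.Errorf("profile %q not found or missing a key line", profile)
	}
	return strings.Join(lines, "\n"), nil
}

// SampleCredentials is a constructed credentials file with placeholder secrets.
const SampleCredentials = `[default]
aws_access_key_id = AKIAEXAMPLEDEFAULT00
aws_secret_access_key = DEFAULT_SECRET_PLACEHOLDER

[work]
# rotated by aws-rotate-key
aws_access_key_id = AKIAJMIGD6UPCXCFWVOA
aws_secret_access_key = OLD_SECRET_PLACEHOLDER
`

func main() {
	keys := []AccessKey{{ID: "AKIAI3KI7UC6BPI4O57A"}, {ID: "AKIAJMIGD6UPCXCFWVOA", Active: true}}
	steps, err := PlanRotation(keys, "AKIAJMIGD6UPCXCFWVOA", false)
	if err != nil {
		panic(err)
	}
	for _, s := range steps {
		fmt.Println(s.Action, s.KeyID)
	}
	out, err := ReplaceProfileKeys(SampleCredentials, "work", "AKIAIX46CKYT7E5I3KVQ", "NEW_SECRET_PLACEHOLDER")
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

The ordering matters for safety: the new key is written to disk before the old one is deactivated, so a crash between the two steps leaves a working credentials file, and deactivation (rather than deletion) of the old key keeps a way back if the key turns out to be used elsewhere, which is what the tool's "Please make sure this key is not used elsewhere" line is warning about.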

Install

You can download binaries from the releases section.

You can use Homebrew to install on macOS:

brew install aws-rotate-key

You can install using a PPA on Ubuntu Linux:

sudo add-apt-repository ppa:stefansundin/aws-rotate-key
sudo apt install aws-rotate-key

If you have Go installed then you can download and build the program using:

go install github.com/stefansundin/aws-rotate-key@latest

Setup

Make sure your users have permissions to update their own access keys. The following AWS documentation page explains the required permissions: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html.

The following IAM policy is enough for aws-rotate-key:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListAccessKeys",
                "iam:GetAccessKeyLastUsed",
                "iam:DeleteAccessKey",
                "iam:CreateAccessKey",
                "iam:UpdateAccessKey"
            ],
            "Resource": [
                "arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
            ]
        }
    ]
}

⚠️ Replace AWS_ACCOUNT_ID with your AWS account id.

Require MFA

You can require MFA by adding a Condition clause. Please note that you have to use the -mfa option when running the program.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListMFADevices"
            ],
            "Resource": [
                "arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListAccessKeys",
                "iam:GetAccessKeyLastUsed",
                "iam:DeleteAccessKey",
                "iam:CreateAccessKey",
                "iam:UpdateAccessKey"
            ],
            "Resource": [
                "arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
            ],
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": true
                }
            }
        }
    ]
}

Note that this makes it harder to rotate access keys using aws-cli commands, as it only supports MFA when assuming roles. You will still be able to use the AWS management console.

Contribute

To download and hack on the source code, run:

git clone https://github.com/stefansundin/aws-rotate-key.git
cd aws-rotate-key
go build
