GoLang - Produces a binary suitable for use in shell scripts and cron jobs for rotating IAM credentials.

Overview

AWS-Rotate-IAM-Key

aws-rotate-iam-key makes it easy to rotate your IAM keys, whether they are in your ~/.aws/credentials file or elsewhere.

This work is a derivative of https://github.com/stefansundin/aws-rotate-key, with added flexibility to simplify key rotation from within a shell script.

Features!

  • Single binary with no dependencies.
  • Runs on Linux, Windows and macOS.
  • Can replace rotated keys in any file, using sed-like methods.
  • Optionally disables the rotated key.

Requirements

To compile (binaries available soon):

- Go
- Make

AWS Policy to apply to IAM user

Please note, the policy below specifies a condition limiting access to specific source IP addresses. The IP addresses will have to be changed before the policy can work in your environment.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:*AccessKey*",
                "iam:ChangePassword",
                "iam:GetUser",
                "iam:*ServiceSpecificCredential*",
                "iam:*SigningCertificate*"
            ],
            "Resource": [
                "arn:aws:iam::AwsAccountIDGoesHere:user/*${aws:username}"
            ],
            "Effect": "Allow",
            "Sid": "AllowRotateOwnKey",
            "Condition": {
                "IpAddress": { "aws:SourceIp": [ "52.72.140.215/32", "52.200.112.43/32", "52.200.113.35/32" ] }
            }
        }
    ]
}
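
The Resource pattern above places a * before ${aws:username}, so it covers more than the caller's own user. The following added example (not part of the project) resolves the variable for one caller and lists which sample ARNs the pattern matches; the account ID, user names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: which user ARNs does a Resource pattern cover for one caller?
# Account ID and user names are constructed sample data.

# resolve_pattern PATTERN CALLER: substitute the ${aws:username} policy variable.
# IAM user names cannot contain "/" or "&", so CALLER is safe in the sed replacement.
resolve_pattern() {
    printf '%s\n' "$1" | sed "s/[\$]{aws:username}/$2/g"
}

# arn_matches PATTERN CALLER ARN: succeed if ARN matches the resolved pattern.
# IAM's * and ? wildcards act like shell globs here, and * also spans "/".
arn_matches() {
    resolved=$(resolve_pattern "$1" "$2")
    case "$3" in
        $resolved) return 0 ;;
    esac
    return 1
}

# other_users_covered PATTERN CALLER: print the sample ARNs that match the
# pattern but whose user name (last path component) is not the caller's.
other_users_covered() {
    for arn in $SAMPLE_ARNS; do
        name=${arn##*/}
        if arn_matches "$1" "$2" "$arn" && [ "$name" != "$2" ]; then
            printf '%s\n' "$arn"
        fi
    done
}

SAMPLE_ARNS='arn:aws:iam::111122223333:user/ops/alice
arn:aws:iam::111122223333:user/malice
arn:aws:iam::111122223333:user/dev/notalice
arn:aws:iam::111122223333:user/bob'

# Pattern as written in the policy above (with a sample account ID).
PAGE_PATTERN='arn:aws:iam::111122223333:user/*${aws:username}'
# Tighter forms: no path, and a pinned path.
EXACT_PATTERN='arn:aws:iam::111122223333:user/${aws:username}'
PINNED_PATTERN='arn:aws:iam::111122223333:user/ops/${aws:username}'
```

Running other_users_covered "$PAGE_PATTERN" alice lists the malice and dev/notalice ARNs, while the pinned pattern lists none. For users created without a path, user/${aws:username} is the exact form; where paths are in use, pin the path or use user/*/${aws:username}.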

Installation

1.  Download or clone repo.  
2.  cd into repo
3.  type make

Usage:

Usage of ./aws-rotate-iam-key:
  -c string
    	AWS credentials file
  -d	Disable key after rotation.
  -k string
    	AWS IAM key.
  -o string
    	Output format - default is text, option json is json string, /path/to/file runs a regex on the file specified.
  -profile string
    	Named profile within AWS credentials file.
  -s string
    	AWS IAM secret
  -v	version 1.0.0 
    	built 2019-09-18T16:13:25-0400 
    	git repo = https://atom-git.turner.com/best-meta-aws/cloudutil/aws-rotate-iam-key

Examples of use:

Updating a key within ~/.aws/credentials, referenced by profile

$ ./aws-rotate-iam-key -profile dch
Wrote new key pair to /Users/$UserName/.aws/credentials

Key and secret provided on the command line and output as text (ideal for shell scripting).

$ ./aws-rotate-iam-key -k AKIAXXXXX -s xxxxxxxxxxxxxx
AKIAXXXXX xxxxxxxxxxxxxx

Key and secret provided on the command line and output as JSON (handy for use in languages like Python and Ruby).

$ ./aws-rotate-iam-key -k AKIAXXXXX -s xxxxxxxxxxxxxx -o json
{ "AccessKeyId": "AKIAXXXXX", "SecretAccessKey": "xxxxxxxxxxxx" }

Rotate and write new credentials to a file of any format (there may be limitations on file size; please limit to a few megabytes).

$ ./aws-rotate-iam-key -k AKIAXXXXX -s xxxxxxxxxxxxxx -o /path/to/config.json
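
Replacing a key pair in an arbitrary file is easy to get wrong with plain sed, because AWS secrets can contain "/" and "+". The following added example (not the tool's own implementation; the function names are hypothetical) does the same kind of in-file swap in shell with literal string matching and a rename into place.

```shell
#!/bin/sh
# Added example: literal (non-regex) replacement of a rotated key pair in a file.
# Not the tool's implementation; function names are hypothetical.

# replace_literal FILE OLD NEW: replace every occurrence of OLD with NEW,
# treating both as plain strings. The values reach awk through its environment,
# so "/", "+" and "&" in a secret are never parsed as regex or sed syntax and
# the secret does not appear in the process argument list.
replace_literal() {
    file=$1
    # mktemp creates the file with mode 0600; the result keeps that mode.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    OLD="$2" NEW="$3" awk '
        BEGIN { old = ENVIRON["OLD"]; rep = ENVIRON["NEW"]; n = length(old) }
        {
            out = ""
            while (n > 0 && (i = index($0, old)) > 0) {
                out = out substr($0, 1, i - 1) rep
                $0 = substr($0, i + n)
            }
            print out $0
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Rename into place so readers never see a half-written file.
    mv "$tmp" "$file"
}

# swap_credentials FILE OLDKEY OLDSECRET NEWKEY NEWSECRET
# Returns 2 without touching FILE when the old key ID is not present in it.
swap_credentials() {
    grep -qF -- "$2" "$1" || return 2
    replace_literal "$1" "$2" "$4" && replace_literal "$1" "$3" "$5"
}
```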

Rotate and disable.

$ ./aws-rotate-iam-key -k AKIAXXXXX -s xxxxxxxxxxxxxx -d
AKIAXXXXX xxxxxxxxxxxxxx

Rotate credentials held in MySQL in a cron job

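# Read the current key pair from the database (columns: key, secret).
ORIGCREDS=$(echo "use mydb; select awskey,awssecret from users where u_login like 'mickeymouse'" | mysql | tail -n 1)
AWSKEY=$(echo "$ORIGCREDS" | awk '{ print $1 }')
AWSSEC=$(echo "$ORIGCREDS" | awk '{ print $2 }')
# Rotate; the text output is "<new key> <new secret>".
NEWCREDS=$(aws-rotate-iam-key -k "$AWSKEY" -s "$AWSSEC")
NEWKEY=$(echo "$NEWCREDS" | awk '{ print $1 }')
NEWSEC=$(echo "$NEWCREDS" | awk '{ print $2 }')
# Do not overwrite the stored credentials if the rotation returned nothing.
[ -n "$NEWKEY" ] && [ -n "$NEWSEC" ] || exit 1
echo "use mydb; update users set awskey='$NEWKEY',awssecret='$NEWSEC' where u_login like 'mickeymouse'" | mysql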
Owner
WarnerMedia Open Source
Everything here is MIT licensed and unsupported unless otherwise stated.