# https://github.com/dannysteenman/aws-toolbox
#
# This script rotates IAM user keys.
import argparse
import boto3
from botocore.exceptions import ClientError
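# IAM client resolved from the default boto3 credential/region chain.
iam_client = boto3.client("iam")

parser = argparse.ArgumentParser(
    description="Create, disable or delete an IAM user's access keys."
)
# Every code path below calls IAM with UserName=username, so a missing
# --username would surface as an uncaught parameter-validation traceback;
# let argparse reject it with a usage message instead.
parser.add_argument(
    "-u",
    "--username",
    required=True,
    help="An IAM username, e.g. key_rotator.py --username <username>",
)
parser.add_argument(
    "-k", "--key", help="An AWS access key, e.g. key_rotator.py --key <access_key>"
)
# Disabling and deleting the same key in one invocation is contradictory;
# make argparse refuse the combination rather than silently running only one.
action_group = parser.add_mutually_exclusive_group()
action_group.add_argument(
    "--disable", help="Disables an access key", action="store_true"
)
action_group.add_argument(
    "--delete", help="Deletes an access key", action="store_true"
)
args = parser.parse_args()

# --disable / --delete operate on a specific key. Without --key the IAM call
# would be made with AccessKeyId=None, which fails with a validation error
# that the ClientError handlers further down do not catch.
if (args.disable or args.delete) and not args.key:
    parser.error("--disable and --delete require --key <access_key>")

username = args.username
aws_access_key = args.key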
def create_key(username):
    """Create a new access key for *username* and print the resulting key pair.

    The function first lists the user's existing keys and stops with a message
    when two are already present, since a third one cannot be created. The
    secret access key is printed to stdout, so anything that captures this
    output (CI logs, terminal transcripts, shell history of piped commands)
    ends up holding a live credential.

    Args:
        username: Name of the IAM user that will own the new key.

    A ClientError from either IAM call is caught and reported on stdout
    instead of being raised.
    """
    try:
        existing = iam_client.list_access_keys(UserName=username)["AccessKeyMetadata"]
        if len(existing) >= 2:
            print(
                f"{username} already has 2 keys. You must delete a key before you can create another key."
            )
            return
        new_key = iam_client.create_access_key(UserName=username)["AccessKey"]
        key_id = new_key["AccessKeyId"]
        secret = new_key["SecretAccessKey"]
        print(f"Your new access key is {key_id} and your new secret key is {secret}")
    except ClientError as e:
        print(f"Failed to create access key for {username}: {e}")
def disable_key(access_key, username):
    """Mark *access_key* of *username* as Inactive after interactive confirmation.

    The user is prompted on stdin; only a reply of "y" (case-insensitive)
    proceeds, any other reply prints "Aborting." and leaves the key unchanged.

    Args:
        access_key: The AccessKeyId to deactivate.
        username: Name of the IAM user that owns the key.

    A ClientError from the IAM call is caught and reported on stdout.
    """
    try:
        reply = input(f"Do you want to disable the access key {access_key}? [y/N] ")
        if reply.lower() != "y":
            print("Aborting.")
            return
        iam_client.update_access_key(
            UserName=username, AccessKeyId=access_key, Status="Inactive"
        )
        print(f"{access_key} has been disabled.")
    except ClientError as e:
        print(f"Failed to disable access key {access_key}: {e}")
def delete_key(access_key, username):
    """Permanently delete *access_key* of *username* after interactive confirmation.

    The user is prompted on stdin; only a reply of "y" (case-insensitive)
    proceeds, any other reply prints "Aborting." and leaves the key in place.

    Args:
        access_key: The AccessKeyId to delete.
        username: Name of the IAM user that owns the key.

    A ClientError from the IAM call is caught and reported on stdout.
    """
    try:
        reply = input(f"Do you want to delete the access key {access_key}? [y/N] ")
        if reply.lower() != "y":
            print("Aborting.")
            return
        iam_client.delete_access_key(UserName=username, AccessKeyId=access_key)
        print(f"{access_key} has been deleted.")
    except ClientError as e:
        print(f"Failed to delete access key {access_key}: {e}")
# Script body: summarise the user's current key inventory, then dispatch to the
# action selected on the command line (create is the default when neither
# --disable nor --delete was given).
try:
    metadata = iam_client.list_access_keys(UserName=username)["AccessKeyMetadata"]
    statuses = [entry["Status"] for entry in metadata]
    inactive_keys = statuses.count("Inactive")
    active_keys = statuses.count("Active")
    print(f"{username} has {inactive_keys} inactive keys and {active_keys} active keys")
    if args.disable:
        disable_key(aws_access_key, username)
    elif args.delete:
        delete_key(aws_access_key, username)
    else:
        create_key(username)
except ClientError as e:
    # Only the listing call can raise here; the action helpers catch their own.
    print(f"Failed to list access keys for {username}: {e}")