As a security best practice, AWS recommends that users periodically regenerate their API access keys. This tool simplifies the rotation of access keys defined in your credentials file.
When run, the program will list the current access keys associated with your IAM user, and print the steps it has to perform to rotate them. It will then wait for your confirmation before continuing.
$ aws-rotate-key --help
Usage of aws-rotate-key:
-auth-profile string
Use a different profile when calling AWS.
-d Delete the old key instead of deactivating it.
-mfa
Use MFA.
-mfa-serial-number string
Specify the MFA device to use. (optional)
-profile string
The profile to use. (default "default")
-version
Print version number
-y Automatic "yes" to prompts.
$ aws-rotate-key --profile work
Using access key AKIAJMIGD6UPCXCFWVOA from profile "work".
Your user ARN is: arn:aws:iam::123456789012:user/your_username
Your user has 2 access keys:
- AKIAI3KI7UC6BPI4O57A (Inactive, created 2018-11-22 21:47:46 +0000 UTC, last used 2018-11-30 20:35:41 +0000 UTC for service s3 in us-west-2)
- AKIAJMIGD6UPCXCFWVOA (Active, created 2018-11-30 21:55:57 +0000 UTC, last used 2018-12-20 12:14:10 +0000 UTC for service s3 in us-west-2)
You have two access keys, which is the maximum number of access keys allowed.
Do you want to delete AKIAI3KI7UC6BPI4O57A and create a new key? [yN] y
Deleted access key: AKIAI3KI7UC6BPI4O57A
Created access key: AKIAIX46CKYT7E5I3KVQ
Wrote new key pair to /Users/your_username/.aws/credentials
Deactivated old access key: AKIAJMIGD6UPCXCFWVOA
Please make sure this key is not used elsewhere.
Please note that it may take a minute for your new access key to propagate in the AWS control plane.
You can download binaries from the releases section.
You can use Homebrew to install on macOS:
brew install aws-rotate-keyYou can install using a PPA on Ubuntu Linux:
sudo add-apt-repository ppa:stefansundin/aws-rotate-key
sudo apt install aws-rotate-keyIf you have Go installed then you can download and build the program using:
go install github.com/stefansundin/aws-rotate-key@latestMake sure your users have permissions to update their own access keys. The following AWS documentation page explains the required permissions: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html.
The following IAM policy is enough for aws-rotate-key:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:DeleteAccessKey",
"iam:CreateAccessKey",
"iam:UpdateAccessKey"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
]
}
]
}Warning
Replace AWS_ACCOUNT_ID with your AWS account id.
You can require MFA by adding a Condition clause. Please note that you
have to use the -mfa option when running the program.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListMFADevices"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
]
},
{
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:DeleteAccessKey",
"iam:CreateAccessKey",
"iam:UpdateAccessKey"
],
"Resource": [
"arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
}
]
}Note that this makes it harder to rotate access keys using aws-cli commands, as it only supports MFA when assuming roles. You will still be able to use the AWS management console.
To download and hack on the source code, run:
git clone https://github.com/stefansundin/aws-rotate-key.git
cd aws-rotate-key
go build
