177 lines
5.8 KiB
Plaintext
177 lines
5.8 KiB
Plaintext
|
#!/usr/bin/env python3
|
||
|
|
||
|
import logging
|
||
|
import sys
|
||
|
import argparse
|
||
|
import boto3
|
||
|
import configparser
|
||
|
import os
|
||
|
import datetime
|
||
|
import dateutil
|
||
|
|
||
|
|
||
|
_format = "%(asctime)-15s %(levelname)-8s :%(lineno)d: %(name)s.%(funcName)s - %(message)s"
|
||
|
_level = logging.INFO
|
||
|
logging.basicConfig(stream=sys.stdout, format=_format)
|
||
|
LOG = logging.getLogger()
|
||
|
LOG.setLevel(_level)
|
||
|
|
||
|
# set boto logging higher to avoid chatty logging
|
||
|
logging.getLogger('botocore').setLevel(logging.WARNING)
|
||
|
|
||
|
|
||
|
def parse_args():
|
||
|
argp = argparse.ArgumentParser()
|
||
|
argp.add_argument('-d', '--debug', action='store_true', help="Run in debug mode")
|
||
|
argp.add_argument('-u', '--user', required=True, help="AWS username")
|
||
|
argp.add_argument('-p', '--profile-name', default="default", help="""Profile name in credentials file (default is "default")""")
|
||
|
argp.add_argument('-c', '--credentials-file', default="~/.aws/credentials",
|
||
|
help="Name of AWS credentials file (default is ~/.aws/credentials)")
|
||
|
argp.add_argument('--set-default', action='store_true', help="Set the new key as the default value as well as the specified profile")
|
||
|
|
||
|
return argp.parse_args()
|
||
|
|
||
|
|
||
|
def delete_oldest_key(iam, user, user_keys):
|
||
|
"""
|
||
|
Finds the oldest AWS key for the user and deletes it.
|
||
|
"""
|
||
|
try:
|
||
|
oldest_key = None
|
||
|
right_now = datetime.datetime.utcnow()
|
||
|
right_now = right_now.replace(tzinfo=dateutil.tz.tzutc())
|
||
|
|
||
|
for user_key in user_keys:
|
||
|
delta = right_now - user_key['CreateDate']
|
||
|
if not oldest_key or oldest_key < delta:
|
||
|
oldest_key = delta
|
||
|
old_access_key_id = user_key['AccessKeyId']
|
||
|
|
||
|
iam.delete_access_key(UserName=user, AccessKeyId=old_access_key_id)
|
||
|
success_status = True
|
||
|
|
||
|
except Exception as err:
|
||
|
success_status = False
|
||
|
LOG.error(err)
|
||
|
print("Not able to delete the oldest key")
|
||
|
print(err)
|
||
|
|
||
|
return success_status
|
||
|
|
||
|
|
||
|
def create_new_key(iam, user):
|
||
|
"""
|
||
|
Creates a new AWS access key for the user.
|
||
|
"""
|
||
|
new_key = None
|
||
|
|
||
|
try:
|
||
|
new_key = iam.create_access_key(UserName=user)
|
||
|
|
||
|
except Exception as err:
|
||
|
LOG.error(err)
|
||
|
LOG.debug(err.response)
|
||
|
if 'Error' in err.response:
|
||
|
print("Key not created")
|
||
|
if err.response['Error']['Code'] == 'LimitExceeded':
|
||
|
print("User {} already has the maximum number of keys".format(user))
|
||
|
|
||
|
return new_key
|
||
|
|
||
|
|
||
|
def rotate_key(session, user):
|
||
|
"""
|
||
|
Creates a new access key. If key limit is already met, the older key will be removed
|
||
|
in favor of the new key.
|
||
|
"""
|
||
|
iam = session.client('iam')
|
||
|
|
||
|
LOG.debug("Getting user key limit for account...")
|
||
|
key_limit = iam.get_account_summary()['SummaryMap']['AccessKeysPerUserQuota']
|
||
|
|
||
|
LOG.debug("User key limit: {}".format(key_limit))
|
||
|
|
||
|
LOG.debug("Getting user's keys...")
|
||
|
user_keys = iam.list_access_keys()['AccessKeyMetadata']
|
||
|
|
||
|
LOG.debug("Found {} keys for user {}".format(len(user_keys), user))
|
||
|
|
||
|
LOG.debug("Check to see if user has the limit of keys allowed...")
|
||
|
if len(user_keys) == key_limit:
|
||
|
delete_oldest_key(iam, user, user_keys)
|
||
|
|
||
|
new_key = create_new_key(iam, user)
|
||
|
|
||
|
return new_key
|
||
|
|
||
|
|
||
|
def update_credentials_file(credentials_file, profile_name, key, set_default):
|
||
|
"""
|
||
|
Create or update the section with the new key information.
|
||
|
"""
|
||
|
LOG.debug("Updating credentials file...")
|
||
|
credentials = configparser.ConfigParser()
|
||
|
credentials.read(credentials_file)
|
||
|
|
||
|
LOG.debug("credentials = {}".format(credentials.sections()))
|
||
|
|
||
|
if not profile_name in credentials.sections():
|
||
|
LOG.debug("Profile does not exist in credentials file; creating now...")
|
||
|
credentials[profile_name] = {}
|
||
|
|
||
|
profile_creds = credentials[profile_name]
|
||
|
profile_creds['aws_access_key_id'] = key['AccessKey']['AccessKeyId']
|
||
|
profile_creds['aws_secret_access_key'] = key['AccessKey']['SecretAccessKey']
|
||
|
|
||
|
LOG.debug("Profile: {}, keys: {}, {}".format(profile_name, profile_creds['aws_access_key_id'], profile_creds['aws_secret_access_key']))
|
||
|
LOG.debug("credentials = {}".format([x for x in credentials[profile_name]]))
|
||
|
|
||
|
# make the keys also be the default keys if the toggle is set
|
||
|
if set_default:
|
||
|
if not 'default' in credentials.sections():
|
||
|
LOG.debug("Default profile does not exist; creating now...")
|
||
|
credentials['default'] = {}
|
||
|
|
||
|
default_creds = credentials['default']
|
||
|
default_creds['aws_access_key_id'] = key['AccessKey']['AccessKeyId']
|
||
|
default_creds['aws_secret_access_key'] = key['AccessKey']['SecretAccessKey']
|
||
|
|
||
|
LOG.debug("Profile: default, keys: {}, {}".format(default_creds['aws_access_key_id'], default_creds['aws_secret_access_key']))
|
||
|
LOG.debug("credentials = {}".format([x for x in credentials['default']]))
|
||
|
|
||
|
LOG.debug("Writing updated credentials file...")
|
||
|
with open(credentials_file, 'w') as cred_file:
|
||
|
credentials.write(cred_file)
|
||
|
|
||
|
return True
|
||
|
|
||
|
|
||
|
def main():
|
||
|
args = parse_args()
|
||
|
|
||
|
if args.debug:
|
||
|
LOG.setLevel(logging.DEBUG)
|
||
|
logging.getLogger('botocore').setLevel(logging.WARNING)
|
||
|
|
||
|
LOG.debug("Getting AWS session and credentials for {}...".format(args.profile_name))
|
||
|
session = boto3.session.Session(region_name='us-east-1', profile_name=args.profile_name)
|
||
|
credentials = session.get_credentials()
|
||
|
|
||
|
credentials_file = os.path.expanduser(args.credentials_file)
|
||
|
LOG.debug("credentials_file = {}".format(credentials_file))
|
||
|
|
||
|
print("Generating new AWS keys for user {}...".format(args.user))
|
||
|
new_key = rotate_key(session, args.user)
|
||
|
|
||
|
if new_key:
|
||
|
update_credentials_file(credentials_file, args.profile_name, new_key, args.set_default)
|
||
|
print("Key rotated and credentials file updated")
|
||
|
else:
|
||
|
print("No new key available to update credentials file")
|
||
|
|
||
|
|
||
|
|
||
|
if __name__ == "__main__":
|
||
|
main()
|
||
|
|