finally moved these over from gogs-backup
This commit is contained in:
parent
0dd0523986
commit
0aa7714de6
11
README.md
11
README.md
@ -1,3 +1,10 @@
|
||||
# aws-utils
|
||||
### AWS Tools
|
||||
|
||||
#### rotate-keys
|
||||
rotates the aws keys and updates the ~/.aws/credentials file with the new values
|
||||
|
||||
suggestions for features:
|
||||
* option to delete the old key when only one key is found
|
||||
* create an encrypted credentials file and commit to a repository
|
||||
* make it run as a daemon with a value to rotate the keys based on a schedule
|
||||
|
||||
scripts to my aws life easier
|
||||
0
__init__.py
Normal file
0
__init__.py
Normal file
176
rotate-keys
Executable file
176
rotate-keys
Executable file
@ -0,0 +1,176 @@
|
||||
#!/usr/bin/env python3
|
||||
|
||||
import logging
|
||||
import sys
|
||||
import argparse
|
||||
import boto3
|
||||
import configparser
|
||||
import os
|
||||
import datetime
|
||||
import dateutil
|
||||
|
||||
|
||||
_format = "%(asctime)-15s %(levelname)-8s :%(lineno)d: %(name)s.%(funcName)s - %(message)s"
|
||||
_level = logging.INFO
|
||||
logging.basicConfig(stream=sys.stdout, format=_format)
|
||||
LOG = logging.getLogger()
|
||||
LOG.setLevel(_level)
|
||||
|
||||
# set boto logging higher to avoid chatty logging
|
||||
logging.getLogger('botocore').setLevel(logging.WARNING)
|
||||
|
||||
|
||||
def parse_args():
|
||||
argp = argparse.ArgumentParser()
|
||||
argp.add_argument('-d', '--debug', action='store_true', help="Run in debug mode")
|
||||
argp.add_argument('-u', '--user', required=True, help="AWS username")
|
||||
argp.add_argument('-p', '--profile-name', default="default", help="""Profile name in credentials file (default is "default")""")
|
||||
argp.add_argument('-c', '--credentials-file', default="~/.aws/credentials",
|
||||
help="Name of AWS credentials file (default is ~/.aws/credentials)")
|
||||
argp.add_argument('--set-default', action='store_true', help="Set the new key as the default value as well as the specified profile")
|
||||
|
||||
return argp.parse_args()
|
||||
|
||||
|
||||
def delete_oldest_key(iam, user, user_keys):
|
||||
"""
|
||||
Finds the oldest AWS key for the user and deletes it.
|
||||
"""
|
||||
try:
|
||||
oldest_key = None
|
||||
right_now = datetime.datetime.utcnow()
|
||||
right_now = right_now.replace(tzinfo=dateutil.tz.tzutc())
|
||||
|
||||
for user_key in user_keys:
|
||||
delta = right_now - user_key['CreateDate']
|
||||
if not oldest_key or oldest_key < delta:
|
||||
oldest_key = delta
|
||||
old_access_key_id = user_key['AccessKeyId']
|
||||
|
||||
iam.delete_access_key(UserName=user, AccessKeyId=old_access_key_id)
|
||||
success_status = True
|
||||
|
||||
except Exception as err:
|
||||
success_status = False
|
||||
LOG.error(err)
|
||||
print("Not able to delete the oldest key")
|
||||
print(err)
|
||||
|
||||
return success_status
|
||||
|
||||
|
||||
def create_new_key(iam, user):
|
||||
"""
|
||||
Creates a new AWS access key for the user.
|
||||
"""
|
||||
new_key = None
|
||||
|
||||
try:
|
||||
new_key = iam.create_access_key(UserName=user)
|
||||
|
||||
except Exception as err:
|
||||
LOG.error(err)
|
||||
LOG.debug(err.response)
|
||||
if 'Error' in err.response:
|
||||
print("Key not created")
|
||||
if err.response['Error']['Code'] == 'LimitExceeded':
|
||||
print("User {} already has the maximum number of keys".format(user))
|
||||
|
||||
return new_key
|
||||
|
||||
|
||||
def rotate_key(session, user):
|
||||
"""
|
||||
Creates a new access key. If key limit is already met, the older key will be removed
|
||||
in favor of the new key.
|
||||
"""
|
||||
iam = session.client('iam')
|
||||
|
||||
LOG.debug("Getting user key limit for account...")
|
||||
key_limit = iam.get_account_summary()['SummaryMap']['AccessKeysPerUserQuota']
|
||||
|
||||
LOG.debug("User key limit: {}".format(key_limit))
|
||||
|
||||
LOG.debug("Getting user's keys...")
|
||||
user_keys = iam.list_access_keys()['AccessKeyMetadata']
|
||||
|
||||
LOG.debug("Found {} keys for user {}".format(len(user_keys), user))
|
||||
|
||||
LOG.debug("Check to see if user has the limit of keys allowed...")
|
||||
if len(user_keys) == key_limit:
|
||||
delete_oldest_key(iam, user, user_keys)
|
||||
|
||||
new_key = create_new_key(iam, user)
|
||||
|
||||
return new_key
|
||||
|
||||
|
||||
def update_credentials_file(credentials_file, profile_name, key, set_default):
|
||||
"""
|
||||
Create or update the section with the new key information.
|
||||
"""
|
||||
LOG.debug("Updating credentials file...")
|
||||
credentials = configparser.ConfigParser()
|
||||
credentials.read(credentials_file)
|
||||
|
||||
LOG.debug("credentials = {}".format(credentials.sections()))
|
||||
|
||||
if not profile_name in credentials.sections():
|
||||
LOG.debug("Profile does not exist in credentials file; creating now...")
|
||||
credentials[profile_name] = {}
|
||||
|
||||
profile_creds = credentials[profile_name]
|
||||
profile_creds['aws_access_key_id'] = key['AccessKey']['AccessKeyId']
|
||||
profile_creds['aws_secret_access_key'] = key['AccessKey']['SecretAccessKey']
|
||||
|
||||
LOG.debug("Profile: {}, keys: {}, {}".format(profile_name, profile_creds['aws_access_key_id'], profile_creds['aws_secret_access_key']))
|
||||
LOG.debug("credentials = {}".format([x for x in credentials[profile_name]]))
|
||||
|
||||
# make the keys also be the default keys if the toggle is set
|
||||
if set_default:
|
||||
if not 'default' in credentials.sections():
|
||||
LOG.debug("Default profile does not exist; creating now...")
|
||||
credentials['default'] = {}
|
||||
|
||||
default_creds = credentials['default']
|
||||
default_creds['aws_access_key_id'] = key['AccessKey']['AccessKeyId']
|
||||
default_creds['aws_secret_access_key'] = key['AccessKey']['SecretAccessKey']
|
||||
|
||||
LOG.debug("Profile: default, keys: {}, {}".format(default_creds['aws_access_key_id'], default_creds['aws_secret_access_key']))
|
||||
LOG.debug("credentials = {}".format([x for x in credentials['default']]))
|
||||
|
||||
LOG.debug("Writing updated credentials file...")
|
||||
with open(credentials_file, 'w') as cred_file:
|
||||
credentials.write(cred_file)
|
||||
|
||||
return True
|
||||
|
||||
|
||||
def main():
|
||||
args = parse_args()
|
||||
|
||||
if args.debug:
|
||||
LOG.setLevel(logging.DEBUG)
|
||||
logging.getLogger('botocore').setLevel(logging.WARNING)
|
||||
|
||||
LOG.debug("Getting AWS session and credentials for {}...".format(args.profile_name))
|
||||
session = boto3.session.Session(region_name='us-east-1', profile_name=args.profile_name)
|
||||
credentials = session.get_credentials()
|
||||
|
||||
credentials_file = os.path.expanduser(args.credentials_file)
|
||||
LOG.debug("credentials_file = {}".format(credentials_file))
|
||||
|
||||
print("Generating new AWS keys for user {}...".format(args.user))
|
||||
new_key = rotate_key(session, args.user)
|
||||
|
||||
if new_key:
|
||||
update_credentials_file(credentials_file, args.profile_name, new_key, args.set_default)
|
||||
print("Key rotated and credentials file updated")
|
||||
else:
|
||||
print("No new key available to update credentials file")
|
||||
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
|
||||
Loading…
Reference in New Issue
Block a user