A script to rotate IAM credentials of human beings.
- using a list of human beings,
$ ./generate-csv.sh
This will generate a set of CSV files using the results of the AWS credentials report.
The one we need is called humans.csv
and has just three columns: name
, iam-username
and email
.
This file is used to send emails to those users.
The name
and email
columns must be filled.
Copying the humans.csv
file from it-admin into private
will save some time filling in missing names and emails.
See example.csv
.
$ ./update-iam.sh csv-file
This generates a list of actions to be performed and writes the plan to $csvfile-report-$datestamp.json
.
For example, humans-report-2019-01-01.json
Review the actions to be taken.
Do not modify the file, it will be regenerated on execution. Instead, modify AWS IAM and humans.csv
if necessary and re-run update-iam.sh
.
When credentials must be rotated earlier than the default rotation age (180 days), specify a --max-key-age
.
For example, to rotate all credentials now, do:
$ ./update-iam.sh csv-file --max-key-age=0
To force the rotation of credentials that are mid-transition (the grace period hasn't expired yet and two sets of credentials exist), a shorter grace period can be set:
$ ./update-iam.sh csv-file --grace-period=0
$ ./update-iam.sh csv-file --execute
After execution a report will be written in the form of $csvfile-results-$datestamp.json
.
For example, humans-results-2019-01-01.json
update-iam-human
does not:
- notify a user when credentials are disabled
- delete the generated Github Gists as users update their credentials
- Github credentials to create a secret gist
- AWS credentials to list and update IAM users and send SES emails
Github credentials live in the file private.json
in the root of the project and look like:
{"key": "<your api token>"}
AWS Credentials are referenced from the usual places.
$ ./install.sh
$ ./test.sh