```python
# Find the IAM username belonging to the TARGET_ACCESS_KEY
# Useful for finding IAM user corresponding to a compromised AWS credential
# Requirements:
#
# Environmental variables:
#     AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
# python:
#     boto

import boto.iam

TARGET_ACCESS_KEY = 'TARGET_KEY'

iam = boto.connect_iam()

# Note: ListUsers is a paged API; this single call reads one page of users.
users = iam.get_all_users('/')['list_users_response']['list_users_result']['users']


def find_key():
    for user in users:
        # Compare every access key of this user with the target key
        for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
            aws_access_key = key_result['access_key_id']
            if aws_access_key == TARGET_ACCESS_KEY:
                print('Target key belongs to:')
                print('user : ' + user['user_name'])
                return True
    return False


if not find_key():
    print('Did not find access key (' + TARGET_ACCESS_KEY + ') in ' + str(len(users)) + ' IAM users.')
```
Nice. Alternatively, here is a way to do this with the aws CLI tools:
```bash
AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
# List every user name, list each user's keys (10 lookups in parallel), keep the line with the target key
aws --output text iam list-users | awk '{print $NF}' | xargs -P10 -n1 aws --output text iam list-access-keys --user-name | grep "$AWS_ACCESS_KEY"
```

If your personal access key (.aws/credentials) does not have IAM permissions, the error will show the key owner's user name, which is nice.
I know this is dated, but this comes up as a top Google search result, so I figured it would be useful to add this here.
You can use the IAM `get-user` call and avoid having to loop through users and their keys. You will either get the user information (and thus the ARN), or the error will specify the ARN (similar to the `list-users`).

By default the `get-user` will get the information for the keys used to connect.
```
aws iam get-user
```

```
A client error (AccessDenied) occurred when calling the GetUser operation: User: arn:aws:iam::account:user/username is not authorized to perform: iam:GetUser on resource: arn:aws:iam::account:user/username
```

or

```
{
    "User": {
        "UserName": "user",
        "Path": "/",
        "CreateDate": "date",
        "UserId": "ID",
        "Arn": "arn:aws:iam::account:user/username"
    }
}
```
@mhoglan made my day, cause the script can't find non IAM account ;)
👍
Thanks!
Thanks for doing all the hard work. Adapted for boto3 (w/credit) here: https://gist.github.com/andymotta/9bb9b28da3816fbc469e9057435bf802
Short enhancement by adding a loop to run the check for every configured AWS profile:

```bash
# Profile names are taken from the [profile NAME] headers in the AWS CLI config file
for profile in $(grep -F '[profi' "$HOME/.aws/config" | cut -d' ' -f2 | cut -d']' -f1); do
  aws --profile "${profile}" --output text iam list-users | awk '{print $NF}' | xargs -P10 -n1 aws --profile "${profile}" --output text iam list-access-keys --user-name | grep "$AWS_ACCESS_KEY"
done
```
Just a heads-up this can be done with a single call using the "get_access_key_last_used" method of the boto3 IAM client.
Updated with robperc's boto3 suggestion: https://gist.github.com/andymotta/9bb9b28da3816fbc469e9057435bf802#file-updated_find_user_from_access_key-py
For AWS CLI; you can use this one-liner: aws iam get-access-key-last-used --access-key-id $AWS_ACCESS_KEY_ID
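The single-call lookup and the user/key scan suggested in the comments above, combined into one routine as an added example (not code from the gist or its commenters); it goes beyond the original loop by paging through all users and keys. `find_key_owner`, its return fields and `StubIAM` are names invented here, and the stub with its key IDs is constructed so the block runs without AWS access.

```python
from types import SimpleNamespace


def find_key_owner(iam, access_key_id):
    """Return the IAM user owning access_key_id in this account, or None."""
    try:
        # Single-call route from the comments; needs iam:GetAccessKeyLastUsed.
        resp = iam.get_access_key_last_used(AccessKeyId=access_key_id)
        if resp.get("UserName"):
            return {"user": resp["UserName"], "via": "last_used",
                    "last_used": resp.get("AccessKeyLastUsed", {})}
    except iam.exceptions.ClientError:
        pass  # call refused or key not resolved: fall back to the scan
    # Paginated form of the gist's loop: every page of users and keys is read.
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            key_pages = iam.get_paginator("list_access_keys").paginate(UserName=name)
            for meta in (m for p in key_pages for m in p["AccessKeyMetadata"]):
                if meta["AccessKeyId"] == access_key_id:
                    return {"user": name, "via": "scan", "status": meta["Status"]}
    return None


class StubIAM:
    """Constructed stand-in for boto3.client("iam") so the example runs offline."""
    exceptions = SimpleNamespace(ClientError=type("ClientError", (Exception,), {}))
    USER_PAGES = [{"Users": [{"UserName": "alice"}]}, {"Users": [{"UserName": "bob"}]}]
    KEYS = {"alice": "AKIAEXAMPLEALICE0000", "bob": "AKIAIOSFODNN7EXAMPLE"}

    def __init__(self, deny_last_used=False):
        self.deny_last_used = deny_last_used

    def get_access_key_last_used(self, AccessKeyId):
        owners = [u for u, k in self.KEYS.items() if k == AccessKeyId]
        if self.deny_last_used or not owners:
            raise self.exceptions.ClientError("AccessDenied")
        return {"UserName": owners[0], "AccessKeyLastUsed": {"ServiceName": "s3"}}

    def get_paginator(self, operation):
        if operation == "list_users":
            return SimpleNamespace(paginate=lambda: self.USER_PAGES)
        return SimpleNamespace(paginate=lambda UserName: [{"AccessKeyMetadata": [
            {"AccessKeyId": self.KEYS[UserName], "Status": "Active"}]}])


if __name__ == "__main__":
    # Real use: find_key_owner(boto3.client("iam"), "<access key id>")
    print(find_key_owner(StubIAM(deny_last_used=True), "AKIAIOSFODNN7EXAMPLE"))
```

The `status` field in the scan result shows whether the key is still `Active`, which is the first thing to check before disabling or rotating it.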
This works perfectly. Thanks @axelabs
Thanks @AnthonyWC for that. It was all I needed 👍
👍
And thanks @ForestJay for your fork.