Skip to content

Instantly share code, notes, and snippets.

@OnlyInAmerica

OnlyInAmerica/find_iam_user.py

Created April 3, 2014 22:52
Show Gist options
  • Save OnlyInAmerica/9964456 to your computer and use it in GitHub Desktop.
Save OnlyInAmerica/9964456 to your computer and use it in GitHub Desktop.
Download ZIP
Find an AWS IAM user corresponding to an AWS Access Key
Raw
find_iam_user.py
# Find the IAM username belonging to the TARGET_ACCESS_KEY
# Useful for finding IAM user corresponding to a compromised AWS credential
# Requirements:
#
# Environmental variables:
# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
# python:
# boto
import boto.iam
TARGET_ACCESS_KEY = 'TARGET_KEY'
iam = boto.connect_iam()
users = iam.get_all_users('/')['list_users_response']['list_users_result']['users']
def find_key():
for user in users:
for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
aws_access_key = key_result['access_key_id']
if aws_access_key == TARGET_ACCESS_KEY:
print 'Target key belongs to:'
print 'user : ' + user['user_name']
return True
return False
if not find_key():
print 'Did not find access key (' + TARGET_ACCESS_KEY + ') in ' + str(len(users)) + ' IAM users.'
@pavelch
Copy link

pavelch commented Mar 24, 2017

Thanks!

@andymotta
Copy link

Thanks for doing all the hard work. Adapted for boto3 (w/credit) here: https://gist.github.com/andymotta/9bb9b28da3816fbc469e9057435bf802

@root360-AndreasUlm
Copy link

Short enhancement by adding loop to run check for every configure AWS profile:

for profile in $(grep -F '[profi' .aws/config | cut -d' ' -f2 | cut -d']' -f1); do
    aws --profile "${profile}" --output text iam list-users | awk '{print $NF}' | xargs -P10 -n1 aws --profile "${profile}" --output text iam list-access-keys --user-name | grep $AWS_ACCESS_KEY
done

@robperc
Copy link

robperc commented Jun 24, 2017

Just a heads-up this can be done with a single call using the "get_access_key_last_used" method of the boto3 IAM client.

http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_access_key_last_used

@andymotta
Copy link

Updated with robperc's boto3 suggestion: https://gist.github.com/andymotta/9bb9b28da3816fbc469e9057435bf802#file-updated_find_user_from_access_key-py

@AnthonyWC
Copy link

For AWS CLI; you can use this one-liner: aws iam get-access-key-last-used --access-key-id $AWS_ACCESS_KEY_ID

@kavinda1995
Copy link

Nice. Alternatively, here is a way to do this with the aws CLI tools:

AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
aws --output text iam list-users | awk '{print $NF}' | xargs -P10 -n1 aws --output text iam list-access-keys --user-name | grep $AWS_ACCESS_KEY

If your personal access key (.aws/credentials) does not have iam premissions, the error will show the key owner's user name, which is nice.

This works perfectly. Thanks @axelabs

@pc-star
Copy link

pc-star commented Sep 30, 2019
edited
Loading

For AWS CLI; you can use this one-liner: aws iam get-access-key-last-used --access-key-id $AWS_ACCESS_KEY_ID

Thanks @AnthonyWC for that. it was all I needed 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment