Created
January 5, 2016 10:26
-
-
Save Sinnohd/ccdae2738ded2233edb2 to your computer and use it in GitHub Desktop.
Script to rotate AWS keys and replace them in .boto and .aws/config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import boto.iam, boto.exception | |
| import argparse, os | |
| import ConfigParser | |
| parser = argparse.ArgumentParser(description="Rotate Access Keys.") | |
| parser.add_argument( | |
| "-p", | |
| "--profile", | |
| help="The profile to rotate the key for." | |
| ) | |
| args = parser.parse_args() | |
| if args.profile != None: | |
| profile = 'profile '+args.profile | |
| iam = boto.iam.connection.IAMConnection(profile_name=args.profile) | |
| else: | |
| profile = 'Credentials' | |
| iam = boto.iam.connection.IAMConnection() | |
| config = ConfigParser.RawConfigParser(allow_no_value=True) | |
| config.read(os.path.expanduser('~/.boto')) | |
| aws_access_key_id = config.get(profile,'aws_access_key_id') | |
| aws_secret_access_key = config.get(profile,'aws_secret_access_key') | |
| rawconfig = open(os.path.expanduser('~/.boto')) | |
| b = rawconfig.read() | |
| try: | |
| user = iam.get_user() | |
| response = iam.create_access_key(user_name=user['get_user_response']['get_user_result']['user']['user_name']) | |
| except boto.exception.BotoServerError as e: | |
| print "Cannot create new keys: %s" % e | |
| raise | |
| access_key = response['create_access_key_response']['create_access_key_result']['access_key'] | |
| print """Access Key: %s | |
| Secret Key: %s""" % ( | |
| access_key['access_key_id'], | |
| access_key['secret_access_key'] | |
| ) | |
| # Update .boto configuration file. | |
| ans = raw_input("Update .boto configuration file? (yes/no) ") | |
| if ans == "yes": | |
| b = b.replace(aws_access_key_id, access_key['access_key_id']) | |
| b = b.replace(aws_secret_access_key, access_key['secret_access_key']) | |
| bf=open(os.path.expanduser('~/.boto'), 'w') | |
| bf.write(b) | |
| bf.flush() | |
| bf.close() | |
| else: | |
| print "Warning: your old access key is still in .boto configuration. Be sure to clean up the mess." | |
| # Update .aws/config file | |
| ans1 = raw_input("Update .aws/config configuration file? (yes/no) ") | |
| if ans1 == "yes": | |
| rawconfig = open(os.path.expanduser('~/.aws/config')) | |
| c = rawconfig.read() | |
| c = c.replace(aws_access_key_id, access_key['access_key_id']) | |
| c = c.replace(aws_secret_access_key, access_key['secret_access_key']) | |
| cf=open(os.path.expanduser('~/.aws/config'), 'w') | |
| cf.write(c) | |
| cf.flush() | |
| cf.close() | |
| else: | |
| print "Warning: your old access key is still in .aws/config configuration. Be sure to clean up the mess." | |
| # Remove old access key from AWS | |
| ans2 = raw_input("Ready to delete old access key %s? (yes/no) " % aws_access_key_id) | |
| if ans2 == "yes": | |
| try: | |
| iam.delete_access_key(aws_access_key_id) | |
| except boto.exception.BotoServerError as e: | |
| print "Cannot remove old key: %s" % e | |
| raise | |
| else: | |
| print "Warning: your old access key was kept. Be sure to clean up the mess." | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment