AWS CLI Key Rotation Script for IAM Users revisited

In April of this year I published a Bash script for rotating the default AWS API keys configured in the `~/.aws/credentials` file. I have now improved on the original script, adding the following functionality:

  • The script is fully interactive and supports multiple profiles. It was interactive before as well, potentially requiring user input during its run, and so was intended for manual execution; now it presents a list of the configured profiles from which you choose the profile whose keys you want to rotate.
  • The script works with Multi-Factor Authentication. At work we have been moving increasingly to MFA/2FA, and have also started enforcing MFA for users (this policy works well for that purpose). Since MFA enforcement for the AWS console and for the CLI API can for the most part not be separated for a given IAM user (the console is just a GUI for the API), there had to be a reasonably convenient way to use MFA on the command line. My second script (more detail in the next post) provides that capability, and the key rotation script is now aware of it: if you are rotating the keys of an IAM user for whom MFA is enforced, the script detects an existing MFA profile (created by my CLI MFA script) and can use it to authorize the key rotation for the base profile, which on its own might not be permitted to perform the key rotation operations.
  • The listing of the configured profiles includes the current keys (AWS allows at most two access keys per IAM user, and our policy is that a user normally has only one active key), the ages of the keys, the actual IAM username (the profile name is arbitrary and can be set to anything), and the access status of the profile (‘OK’ or ‘LIMITED’; the latter is shown when the profile does not appear to have normal access during the query, which can for example result from MFA enforcement).
  • Many AWS errors are also masked and translated into more user-friendly output. If a profile does not have a valid key, the script handles it gracefully and displays “CHECK CREDENTIALS!” next to that profile (and obviously it cannot give more detail about such a profile, or offer to rotate its keys).
  • The script was originally written for macOS, but it has now been tested on Ubuntu and portability fixes have been added (so it likely works on other Linux distributions as well).

The latest version of the aws-iam-rotate-keys.sh script is available from the same repository as before.
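The rotation sequence described above and in the author's reply in the comments (make room for a new key, create it, verify it works, then delete the old one), together with the key-age and profile-status columns of the listing, as an added Python example that is not the post's Bash script. It uses the boto3 IAM call and response shapes (`list_access_keys`, `create_access_key`, `delete_access_key`), but the IAM client passed in is a constructed in-memory fake so the example runs offline; the user name, profile, key IDs, secrets and the `~/.aws/credentials` content are made up. Two decisions the example makes explicit: the key the script is currently authenticating with is never the one deleted to make room, and a new key that fails verification is removed again so the known-good key stays in place.

```python
import configparser
import io
from datetime import datetime, timedelta, timezone

MAX_KEYS = 2  # AWS allows at most two access keys per IAM user (hard limit)


def key_age_days(create_date, now=None):
    """Whole days since creation; boto3 returns CreateDate as a tz-aware datetime."""
    return ((now or datetime.now(timezone.utc)) - create_date).days


def profile_status(error_code):
    """Listing status from the error code of a failed list-access-keys call
    (None = call succeeded). An invalid key cannot be examined further;
    a permission error (e.g. MFA enforced on the base profile) is only LIMITED."""
    if error_code is None:
        return "OK"
    if error_code in ("InvalidClientTokenId", "SignatureDoesNotMatch"):
        return "CHECK CREDENTIALS!"
    return "LIMITED"


def choose_key_to_delete(keys, current_key_id):
    """Key to remove so a new one can be created, or None if a slot is free.
    The key in use is never a candidate; an Inactive key goes first,
    otherwise the oldest of the remaining keys."""
    if len(keys) < MAX_KEYS:
        return None
    candidates = [k for k in keys if k["AccessKeyId"] != current_key_id]
    if not candidates:
        raise RuntimeError("every slot holds the key currently in use")
    inactive = [k for k in candidates if k["Status"] == "Inactive"]
    return min(inactive or candidates, key=lambda k: k["CreateDate"])


def rotate(iam, user, current_key_id, verify_new_key):
    """Make room, create a new key, verify it, then delete the old one.
    verify_new_key(key_id, secret) must return True once the key works; against
    a real account it would call sts get-caller-identity with the new key and
    retry for a few seconds, because freshly created keys are not usable at once."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    victim = choose_key_to_delete(keys, current_key_id)
    if victim is not None:
        iam.delete_access_key(UserName=user, AccessKeyId=victim["AccessKeyId"])
    new = iam.create_access_key(UserName=user)["AccessKey"]
    if not verify_new_key(new["AccessKeyId"], new["SecretAccessKey"]):
        # Roll back: drop the unusable key, keep the one known to work.
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("new key did not verify; old key kept")
    iam.delete_access_key(UserName=user, AccessKeyId=current_key_id)
    return new


def write_profile(credentials_text, profile, key_id, secret):
    """Return ~/.aws/credentials (INI) content with one profile's key pair replaced."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(credentials_text)
    cfg[profile]["aws_access_key_id"] = key_id
    cfg[profile]["aws_secret_access_key"] = secret
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


class FakeIam:
    """Constructed offline stand-in for boto3's IAM client (same call/response shapes)."""

    def __init__(self, keys):
        self.keys = {k["AccessKeyId"]: dict(k) for k in keys}
        self.counter = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": list(self.keys.values())}

    def create_access_key(self, UserName):
        if len(self.keys) >= MAX_KEYS:
            raise RuntimeError("LimitExceeded: Cannot exceed quota for AccessKeysPerUser: 2")
        self.counter += 1
        key = {"UserName": UserName, "AccessKeyId": f"AKIA{self.counter:016d}",  # made-up id
               "Status": "Active", "CreateDate": datetime.now(timezone.utc)}
        self.keys[key["AccessKeyId"]] = key
        return {"AccessKey": {**key, "SecretAccessKey": f"fake-secret-{self.counter}"}}

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def demo():
    """Constructed scenario: the profile's key is 95 days old and the second slot
    holds an inactive key, so that one must be deleted before a new key can be made."""
    now = datetime.now(timezone.utc)
    current = "AKIAEXAMPLE000000001"  # made-up key id
    iam = FakeIam([
        {"UserName": "alice", "AccessKeyId": current, "Status": "Active",
         "CreateDate": now - timedelta(days=95)},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Inactive",
         "CreateDate": now - timedelta(days=200)},
    ])
    age_before = key_age_days(iam.keys[current]["CreateDate"], now)
    creds = f"[default]\naws_access_key_id = {current}\naws_secret_access_key = oldsecret\n"
    new = rotate(iam, "alice", current, lambda key_id, secret: key_id in iam.keys)
    updated = write_profile(creds, "default", new["AccessKeyId"], new["SecretAccessKey"])
    return {"age_before": age_before, "new_key_id": new["AccessKeyId"],
            "remaining": sorted(iam.keys), "credentials": updated}
```

With a real account, `iam` would be `boto3.client("iam")` built from the session, and when MFA is enforced that session has to come from the MFA (session token) profile rather than the base profile, since the base profile's long-term key is the one being rotated and is typically denied IAM calls without MFA.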

2 thoughts on “AWS CLI Key Rotation Script for IAM Users revisited”

  1. Hi,

    While the script works great, one issue I faced is that it deletes both of the associated access key IDs rather than the one selected. This can/will create problems where different access key IDs are used for different apps. How to mitigate this?

    1. Hi Amitabh!

      For the purpose the script was written for, it's actually the desired functionality. In the case of the environment I created the script for, there is an effective IAM policy that allows a maximum of two concurrent keys for a user. When the key rotation script starts, it obviously doesn't delete the active key, and thus needs space to create the new key. Hence it prompts for, and upon approval deletes, the inactive or older key. After that it proceeds to create the new key, and once its operability has been verified, it deletes the older key (as, again, in the environment the script was built for, the user generally should have just one active key at a time although two concurrent keys are allowed).

      Therefore it sounds like for your use case some changes to the script would be required.
