AWS CLI Key Rotation Script for IAM Users revisited

In April of this year I published a Bash script for rotating the default AWS API keys configured in `~/.aws/credentials` file. Now I have improved on the original script, adding the following functionality:

  • The script is now fully interactive, and supports multiple profiles. It was already interactive before, potentially requiring user input during its run, and as such was intended for manual execution. Now the script presents a list of the configured profiles from which you can choose the profile whose keys you want to rotate.
  • The script works with Multi-Factor Authentication. At work we have been moving increasingly to MFA/2FA, and have also started enforcing MFA use for our users (this policy works great for that purpose). Since MFA enforcement for the AWS console and for the CLI API cannot, for the most part, be separated for a given IAM user (the console is just a GUI for the API), there had to be a solution for relatively convenient use of MFA on the command line. My second script (more detail in the next post) offers that capability, and the key rotation script is now aware of it. If you’re rotating the keys for an IAM account whose MFA use is enforced, the script now detects an existing MFA profile (created by my CLI MFA script), and can use it to authorize key rotation for the base profile, which might otherwise not be authorized to execute the key rotation operation.
  • The listing of the configured profiles includes the current keys (two concurrent keys is the recommended maximum by policy), the ages of the keys, the actual IAM username (since the profile name is arbitrary, and as such can be set to anything), and the access status of the profile (‘OK’, or ‘LIMITED’; the latter is displayed when the profile doesn’t appear to have normal access during the query process — for example, it may result from MFA enforcement).
  • Many AWS errors are also masked and translated into more user-friendly output. If a profile doesn’t have a valid key, the script handles it gracefully and displays “CHECK CREDENTIALS!” next to that profile (and obviously it cannot give more detail about such a profile, or offer the option to rotate its keys).
  • The script was originally written for macOS, but it has now been tested on Ubuntu, and portability has been added (hence it likely works on other Linux distros as well).
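
To show the building blocks behind the profile listing described above, here is a small Bash example. It is an added illustration written for this post, not the aws-iam-rotate-keys.sh script itself: it enumerates profiles from a credentials file, treats a profile carrying an `aws_session_token` as a session (MFA) profile, looks for a companion MFA profile by name, and computes a key's age in days from an IAM-style CreateDate using GNU date with a BSD date fallback (the macOS/Linux portability point from the list). The credentials file, key ids and timestamps are constructed placeholders, and the `-mfaprofile` suffix used to find the companion profile is an assumption for this example (the post does not say how the MFA script names its profiles). The real script obtains CreateDate from `aws iam list-access-keys`; here the timestamp is passed in by hand so the example runs offline.

```shell
#!/usr/bin/env bash
# Added example, not the post's rotation script. Works entirely on a constructed
# credentials file; no AWS API call is made.

# Constructed sample credentials file (placeholder key ids and secrets).
SAMPLE_CREDS="$(mktemp)"
trap 'rm -f "$SAMPLE_CREDS"' EXIT
cat > "$SAMPLE_CREDS" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLE0000000001
aws_secret_access_key = placeholdersecret1

[work]
aws_access_key_id = AKIAEXAMPLE0000000002
aws_secret_access_key = placeholdersecret2

[work-mfaprofile]
aws_access_key_id = ASIAEXAMPLE0000000003
aws_secret_access_key = placeholdersecret3
aws_session_token = placeholdertoken
EOF

# Print the profile names found in a credentials file, one per line.
list_profiles() {
  sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# Print the access key id configured for profile $2 in file $1 (empty if none).
profile_key_id() {
  awk -v want="$2" '
    /^\[.*\]$/ { sect = substr($0, 2, length($0) - 2) }
    sect == want && $1 == "aws_access_key_id" { print $3; exit }
  ' "$1"
}

# Succeed if profile $2 holds temporary (session) credentials, which is what an
# MFA-authenticated profile carries; long-term IAM keys have no session token.
is_session_profile() {
  awk -v want="$2" '
    /^\[.*\]$/ { sect = substr($0, 2, length($0) - 2) }
    sect == want && $1 == "aws_session_token" { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Print the name of a companion MFA profile for base profile $2, if one exists.
# ASSUMPTION for this example: the companion is named "<base>-mfaprofile".
mfa_profile_for() {
  local candidate="$2-mfaprofile"
  if list_profiles "$1" | grep -qx "$candidate" \
     && is_session_profile "$1" "$candidate"; then
    echo "$candidate"
  fi
}

# Convert an ISO-8601 UTC timestamp (the CreateDate shape returned by
# `aws iam list-access-keys`) to epoch seconds: GNU date first, then BSD date.
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null \
    || date -u -j -f '%Y-%m-%dT%H:%M:%SZ' "$1" +%s
}

# Whole days between a key's CreateDate ($1) and a reference time ($2).
key_age_days() {
  local created now
  created="$(to_epoch "$1")"
  now="$(to_epoch "$2")"
  echo $(( (now - created) / 86400 ))
}

# One summary line per profile, in the spirit of the post's profile listing.
print_profile_table() {
  local file="$1" p key kind mfa
  for p in $(list_profiles "$file"); do
    key="$(profile_key_id "$file" "$p")"
    if is_session_profile "$file" "$p"; then kind="session"; else kind="long-term"; fi
    mfa="$(mfa_profile_for "$file" "$p")"
    printf '%-18s %-24s %-10s %s\n' \
      "$p" "${key:-CHECK CREDENTIALS!}" "$kind" "${mfa:+mfa-profile=$mfa}"
  done
}

print_profile_table "$SAMPLE_CREDS"
echo "constructed key created 2019-07-01 is now" \
  "$(key_age_days 2019-07-01T00:00:00Z "$(date -u +%Y-%m-%dT%H:%M:%SZ)") days old"
```

The session-token check is what lets a listing distinguish a base profile (long-term keys, the thing you rotate) from the MFA session profile that can authorize the rotation; the two-key limit and the "CHECK CREDENTIALS!" path in the real script come from the IAM responses, which this offline example does not query.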

The latest version of the aws-iam-rotate-keys.sh script is available from the same repository as before.