added aws_iam_replace_access_key.sh
parent
32e3c5fa88
commit
826e071c17
@ -0,0 +1,106 @@
|
||||
#!/usr/bin/env bash
|
||||
# vim:ts=4:sts=4:sw=4:et
|
||||
#
|
||||
# Author: Hari Sekhon
|
||||
# Date: 2021-12-13 22:40:11 +0000 (Mon, 13 Dec 2021)
|
||||
#
|
||||
# https://github.com/HariSekhon/bash-tools
|
||||
#
|
||||
# License: see accompanying Hari Sekhon LICENSE file
|
||||
#
|
||||
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
|
||||
#
|
||||
# https://www.linkedin.com/in/HariSekhon
|
||||
#
|
||||
|
||||
set -euo pipefail
|
||||
[ -n "${DEBUG:-}" ] && set -x
|
||||
srcdir="$(dirname "${BASH_SOURCE[0]}")"
|
||||
|
||||
# shellcheck disable=SC1090
|
||||
. "$srcdir/lib/aws.sh"
|
||||
|
||||
# shellcheck disable=SC2034,SC2154
|
||||
usage_description="
|
||||
Creates a new IAM access key for the currently authenticated user, outputting the keys as export commands
|
||||
|
||||
If 2 keys already exist, decide which key to replace using these heuristics in this order of preference:
|
||||
|
||||
- inactive key
|
||||
- unused key
|
||||
- oldest usage (ie. not the key we're currently using to authenticate)
|
||||
|
||||
Alterantively you can specify an access key id to delete as an argument, but if there is only 1 access key it won't delete it for safety (will output warning)
|
||||
|
||||
|
||||
$usage_aws_cli_required
|
||||
"
|
||||
|
||||
# used by usage() in lib/utils.sh
|
||||
# shellcheck disable=SC2034
|
||||
usage_args="[<aws_access_key_id>]"
|
||||
|
||||
help_usage "$@"
|
||||
|
||||
#min_args 1 "$@"
|
||||
|
||||
access_key_id_to_delete="${1:-}"
|
||||
|
||||
export AWS_DEFAULT_OUTPUT=json
|
||||
|
||||
keys="$(aws iam list-access-keys)"
|
||||
|
||||
num_keys="$(jq -r '.AccessKeyMetadata | length' <<< "$keys")"
|
||||
if ! [[ "$num_keys" =~ ^[[:digit:]]+$ ]]; then
|
||||
die "Failed to determine number of AWS access keys"
|
||||
fi
|
||||
|
||||
# Limited to 2 access keys
|
||||
if [ "$num_keys" -gt 2 ]; then
|
||||
die "More than 2 access keys found - code error or AWS has changed the limitations, which affects this logic and requires a code update"
|
||||
elif [ "$num_keys" -eq 2 ]; then
|
||||
if [ -z "$access_key_id_to_delete" ]; then
|
||||
# figure out which one to delete
|
||||
access_key_ids="$(jq -r '.AccessKeyMetadata[].AccessKeyId' <<< "$keys")"
|
||||
last_key_last_used_date=""
|
||||
for access_key_id in $access_key_ids; do
|
||||
key_status="$(jq -r ".AccessKeyMetadata[] | select(.AccessKeyId == \"$access_key_id\") | .Status" <<< "$keys")"
|
||||
if [ "$key_status" = "Inactive" ]; then
|
||||
access_key_id_to_delete="$access_key_id"
|
||||
break
|
||||
fi
|
||||
last_used_date="$(aws iam get-access-key-last-used --access-key-id "$access_key_id" |
|
||||
jq -r '.AccessKeyLastUsed.LastUsedDate')"
|
||||
if [ "$last_used_date" = null ]; then
|
||||
access_key_id_to_delete="$access_key_id"
|
||||
break
|
||||
fi
|
||||
# XXX: Ugly, improve logic here
|
||||
if [ -n "$last_key_last_used_date" ]; then
|
||||
# convert both last used to epoch, smaller number is older
|
||||
if [ "$(date '+%s' --date "$last_used_date")" -le "$(date '+%s' --date "$last_key_last_used_date")" ]; then
|
||||
access_key_id_to_delete="$access_key_id"
|
||||
else
|
||||
# first key must be older
|
||||
access_key_id_to_delete="$(jq -r '.AccessKeyMetadata[0].AccessKeyId' <<< "$keys")"
|
||||
fi
|
||||
break
|
||||
fi
|
||||
last_key_last_used_date="$last_used_date"
|
||||
done
|
||||
fi
|
||||
if [ -z "$access_key_id_to_delete" ]; then
|
||||
die "Couldn't determine which access key to delete, aborting..."
|
||||
fi
|
||||
timestamp "Deleting AWS access key '$access_key_id_to_delete'"
|
||||
#aws iam update-access-key --access-key-id "$access_key_id_to_delete" --status Inactive
|
||||
aws iam delete-access-key --access-key-id "$access_key_id_to_delete"
|
||||
echo >&2
|
||||
fi
|
||||
|
||||
aws iam create-access-key |
|
||||
jq -r '
|
||||
.AccessKey |
|
||||
[ "export AWS_ACCESS_KEY_ID=" + .AccessKeyId, "export AWS_SECRET_ACCESS_KEY=" + .SecretAccessKey ] |
|
||||
join("\n")
|
||||
'
|
Loading…
Reference in New Issue