AwsRotate

Rotates your AWS keys configured in ~/.aws/credentials.

Usage

aws-rotate list # list profiles in ~/.aws
aws-rotate key  # rotates single key. Uses AWS_PROFILE env var
aws-rotate keys # rotates **all** keys for all profiles in ~/.aws/credentials

aws-rotate keys

IMPORTANT: The aws-rotate keys command will update all the profiles found in ~/.aws/credentials. You may want to run an --noop to first test. Example:

aws-rotate keys --noop

Example output:

$ aws-rotate keys
Backed up credentials file at: /home/ec2-user/.aws/credentials.bak-2019-08-14-16:45:36
Updating access key for AWS_PROFILE=profile1
Created new access key: AKIAXZ6ODJLQWYW3575A
Updated profile profile1 in /home/ec2-user/.aws/credentials with new key: AKIAXZ6ODJLQWYW3575A
Old access key deleted: AKIAXZ6ODJLQ3Q5TJUHN
Please note, it sometimes take a few seconds or even minutes before the new IAM access key is usable.
Updating access key for AWS_PROFILE=default
Updated profile default in /home/ec2-user/.aws/credentials with new key: AKIAXZ6ODJLQWYW3575A
Please note, it sometimes take a few seconds or even minutes before the new IAM access key is usable.
$

select filter option

If you would like to selectively update profiles, you can use the --select option. The -s option is also shorthand for the --select option. Example:

aws-rotate keys --select dev-

The --select dev- results in only profiles with the dev- found in the profile name to be updated. Example:

~/.aws/credentials:

[my-dev-account1]
aws_access_key_id=EXAMPLE1
aws_secret_access_key=EXAMPLE1

[my-dev-account2]
aws_access_key_id=EXAMPLE2
aws_secret_access_key=EXAMPLE2

[my-prod-account]
aws_access_key_id=EXAMPLE3
aws_secret_access_key=EXAMPLE3

Will only update my-dev-account1 and my-dev-account1, since they both include the dev- pattern.

The select option can take multiple selects. Example:

aws-rotate keys --select dev- test-

Also, the select option is internally converted to an ruby regexp. So you can use patterns. Example:

aws-rotate keys --select ^dev-

In this case the match is stricter and must start with "dev"

reject filter option

There is also a --reject and -r option that does the opposite of the --select option.

aws-rotate keys --reject ^prod-

Will rotate all profiles that do not match ^prod-.

You can use both --select and --reject options together.

Backups

A backup of your ~/.aws/credentials file is taken and stored in ~/.aws/credentials-bak-[timestamp] before it is updated. However, please take precaution and take your own backup measures. You can also disable backups with the --no-backup option.

Assume Roles

Note: assumed role profiles are skipped as they don't have access keys.

Automatically Updating with Cron

You can add a crontab to your system to automatically rotate the keys:

crontab -e

You can add something like this:

30 20 * * * bash -l -c 'aws-rotate keys --select dev-aws-profile test-aws-profile --no-backup >> /var/log/cron-aws-rotate.log 2>&1' # rotate AWS keys daily

Create a /var/log/cron-aws-rotate.log that is writable with your user:

sudo touch /var/log/cron-aws-rotate.log
sudo chown `whoami`:`whoami` /var/log/cron-aws-rotate.log

Installation

You can install the tool with:

gem install aws-rotate

Requirements

The aws cli is use to set the access keys and is required.

Contributing

Fork it
Create your feature branch (git checkout -b my-new-feature)
Commit your changes (git commit -am "Add some feature")
Push to the branch (git push origin my-new-feature)
Create new Pull Request

aws-rotate

Development

Runtime