automated rotation for iam machine account programmatic credentials
Project description
iam-credential-rotation
Command line tool for automated rotation of AWS IAM machine-user credentials, following a CURRENT/LAST two-key pattern.
Rotating credentials usually means deleting the existing credentials and then generating new ones. But what happens if you delete an existing set of credentials while there is a current automated job or pipeline running?
When the machine account has two sets of credentials, with the most recent set being the credentials available in the secrets store (which is where automated jobs fetch credentials when they start). You can confidently delete the older of the two credentials, generate new credentials, and update the secrets store with the new, with no fear of causing any system failure. Both the new credentials and the prior credentials used by any jobs still in flight will remain valid until the next rotation. By setting a rotation window at 1/2 (or less) the desired time period then both keys are replaced within the period. Additional discussion.
Install
pip install iam-credential-rotation
Usage
Usage: iam-credential-rotation [OPTIONS] PATH
For machine account AWS IAM Users on PATH, perform credential rotation using
CURRENT/LAST two-key pattern. Outputs list of updated users/credentials for
processing and storage in secure location.
Options:
-o, --outfile TEXT Write results to TEXT file
--version Show the version and exit.
--help Show this message and exit.
For example:
If machine users are stored on the path users/PSKServiceAccounts/ then the following will rotate each of the IAM Users on that path. Note that the actual output does not obfuscate the credential information. In normal use, a pipeline or other automated job that performs this rotation would parse the output and write the new credentials into a Secrets store.
$ iam-credential-rotation PSKServiceAccounts
{
"PSKNonprodServiceAccount": {
"AccessKeyId": "AKIARKL**************",
"SecretAccessKey": "bCFqIBZUo****************************"
},
"PSKProdServiceAccount": {
"AccessKeyId": "AKIARKLI**************",
"SecretAccessKey": "cVSkOhunYxS****************************"
}
}
Development
The pipeline uses requirements.txt but there is also a Pipfile if you prefer pipenv for local development.
Pipenv setup
echo '3.11.3' > .python-version # using pyenv for version selection
pipenv --python 3.11 # pipenv creates the virtual env
pipenv shell
pipenv install --dev
For the build pipeline, the packages build dependencies are also maintained in a requirements.txt file since (currently) the generic python build environment already exists on the build executor.
Run unit tests
PYTHONPATH=.:./src coverage run -m pytest -vv -l
coverage report
build
python -m build
install locally during development
pip install --editable .
** check setuptools-scm dynamic version**
python -m setuptools_scm
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for iam-credential-rotation-0.2.2.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | e694811e3c66d1afcc8a06afd232fc1c16e469c756f6dd3c3b727588463b45de |
|
| MD5 | 809d31df948c782cca2ecf155b83d511 |
|
| BLAKE2b-256 | a2d793b14ce10f5a6c12ee71830705c8b06f6a4d5df092de21e73728328a66fd |
Hashes for iam_credential_rotation-0.2.2-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 0526bbfa599ac4b554b0dbbd425e1b70eaa005f8e5aadd97a32d2251e214cd15 |
|
| MD5 | bf9957b5f3cca4b2cb961ca07a13c235 |
|
| BLAKE2b-256 | d2d5117b737c15c0df37f3740d7e1eb7c1e22af4fa5dd667d25c7a43b4044ce1 |
