aws-rotate-keys/orb.yml

version: 2.1
description: An orb to rotate AWS keys

orbs:
  aws-cli: circleci/aws-cli@2.0.3

executors:
  default: aws-cli/default

commands:
  rotate:
    description: Rotate aws keys
    parameters:
      aws-username:
        type: string
        description: The name of the user whose keys we are updating
      circleci-token:
        type: string
        description: The circleci API token
      aws-access-key-id-var:
        type: string
        description: |
          Set this to the name of the CircleCI environment variable
          you will use to hold this value, i.e. AWS_ACCESS_KEY_ID.
        default: AWS_ACCESS_KEY_ID
      aws-secret-access-key-var:
        type: string
        description: |
          Set this to the name of the CircleCI environment variable
          you will use to hold this value, i.e. AWS_SECRET_ACCESS_KEY.
        default: AWS_SECRET_ACCESS_KEY
    steps:
        # This step only installs the cli if it is missing from the $PATH
      - aws-cli/install
      - run:
          name: Rotate AWS keys
          command: |
            # Assumes that AWS credentials have already been configured
            old_access_key_id=`aws iam list-access-keys --user-name << parameters.aws-username >> --query 'AccessKeyMetadata[0].AccessKeyId' --output text` &&
            create_access_key_output=`aws iam create-access-key --user-name << parameters.aws-username >>` &&
            new_access_key_id=`echo $create_access_key_output | jq -r -e '.AccessKey.AccessKeyId'` &&
            new_secret_access_key=`echo $create_access_key_output | jq -r -e '.AccessKey.SecretAccessKey'` &&
            curl --fail https://circleci.com/api/v1.1/project/github/$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/envvar?circle-token=<< parameters.circleci-token >> \
              -X POST --header "Content-Type: application/json" \
              -d "{ \"name\":\"<< parameters.aws-access-key-id-var >>\", \"value\":\"${new_access_key_id}\" }" &&
            curl --fail https://circleci.com/api/v1.1/project/github/$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/envvar?circle-token=<< parameters.circleci-token >> \
              -X POST --header "Content-Type: application/json" \
              -d "{ \"name\":\"<< parameters.aws-secret-access-key-var >>\", \"value\":\"${new_secret_access_key}\" }" &&
            aws iam delete-access-key --user-name << parameters.aws-username >> --access-key-id ${old_access_key_id} &&
            echo &&
            # Although the new token is visible on the aws API, aws does not accept it
            # for authentication immediately.
            AWS_ACCESS_KEY_ID=$new_access_key_id &&
            AWS_SECRET_ACCESS_KEY=$new_secret_access_key &&
            echo Testing new token... &&
            while true; do
              aws iam list-access-keys \
                --user-name << parameters.aws-username >> \
                --query 'AccessKeyMetadata[0].AccessKeyId' \
                --output text 2>&1 >/dev/null && break
              echo New token not usable yet, retrying in 10 seconds...
              sleep 10
            done &&
            echo SUCCESS: New token ready to use.