From 53b7e3d8e7d43d462b3d9fae795c5793f712ebee Mon Sep 17 00:00:00 2001
From: Stefan Sundin
Date: Sat, 22 Dec 2018 14:01:48 -0800
Subject: [PATCH] Documentation updates.
---
 README.md | 72 +++++++++++++++++++++++--------------------------------
 main.go | 3 ++-
 2 files changed, 32 insertions(+), 43 deletions(-)
diff --git a/README.md b/README.md
index 6153a59..59bc282 100644
--- a/README.md
+++ b/README.md
@@ -1,75 +1,63 @@ # aws-rotate-key -As a security best practice, AWS recommends that administrators require -IAM users to periodically [regenerate their API access keys](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey). -This `aws-rotate-key` tool allows users to easily rotate all of the AWS access keys defined in their local -[aws credentials file](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-multiple-profiles). - -The program will use the AWS API to check which access keys exist -for the provided profile. If only one access key exists, then it will -deactivate that key and update your credentials file to use a newly -generated key. The old key will only be deactivated (**not** deleted), -so that if you later find out you use the old key elsewhere, you -can open the AWS console and reactivate it. If two access keys exist, -then you will be asked whether you want to delete the key which is -not currently configured in your credentials file to create an empty -slot for the key rotation. Then, it will perform the same key rotation -logic on the remaining key. +As a security best practice, AWS recommends that users periodically +[regenerate their API access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey). +This tool simplifies the rotation of access keys defined in your +[credentials file](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-multiple-profiles). +When run, the program will list the current access keys associated with your +IAM user, and print the steps it has to perform to rotate them. +It will then wait for your confirmation before continuing. ## Usage -Usage of aws-rotate-key: + ``` +$ aws-rotate-key --help +Usage of aws-rotate-key: + -d Delete old key without deactivation. -profile string The profile to use. 
(default "default") -version - Print version number (1.0.4) - -y - Automatic "yes" to prompts. - -d - Delete old key without deactivation. - + Print version number + -y Automatic "yes" to prompts. ``` ## Example ``` -$ aws-rotate-key --profile primary -Using access key A123 from profile "primary". -Your user ARN is: arn:aws:iam::123456789012:user/someone +$ aws-rotate-key --profile work +Using access key AKIAJMIGD6UPCXCFWVOA from profile "work". +Your user ARN is: arn:aws:iam::123456789012:user/your_username You have 2 access keys associated with your user: -- A123 (Inactive, created 2015-01-01 02:55:00 +0000 UTC, last used 2016-01-01 00:02:00 +0000 UTC for service sts in us-east-1) -- B123 (Active, created 2016-01-01 00:02:47 +0000 UTC, last used 2016-01-01 00:03:00 +0000 UTC for service s3 in N/A) +- AKIAI3KI7UC6BPI4O57A (Inactive, created 2018-11-22 21:47:46 +0000 UTC, last used 2018-11-30 20:35:41 +0000 UTC for service s3 in us-west-2) +- AKIAJMIGD6UPCXCFWVOA (Active, created 2018-11-30 21:55:57 +0000 UTC, last used 2018-12-20 12:14:10 +0000 UTC for service s3 in us-west-2) You have two access keys, which is the max number of access keys. -Do you want to delete A123 and create a new key? [yN] y -Deleted access key A123. -Created access key C123. -Wrote new key pair to /Users/someone/.aws/credentials -Deactivated old access key B123. +Do you want to delete AKIAI3KI7UC6BPI4O57A and create a new key? [yN] y +Deleted access key AKIAI3KI7UC6BPI4O57A. +Created access key AKIAIX46CKYT7E5I3KVQ. +Wrote new key pair to /Users/your_username/.aws/credentials +Deactivated old access key AKIAJMIGD6UPCXCFWVOA. Please make sure this key is not used elsewhere. +Please note that it may take a minute for your new access key to propagate in the AWS control plane. ``` ## Install -You can download the 64-bit binaries from -[the releases section](https://github.com/Fullscreen/aws-rotate-key/releases/latest) -of this repository. 
+You can download binaries from [the releases section](https://github.com/Fullscreen/aws-rotate-key/releases/latest).
-Or, you can use our homebrew tap on OSX:
+You can also use our Homebrew tap on macOS:
 ```
-brew tap fullscreen/tap
-brew install aws-rotate-key
-aws-rotate-key
+brew install fullscreen/tap/aws-rotate-key
 ```
 ## Setup
-Make sure your users have permissions to update their own access keys via the CLI. The AWS
-documentation [here](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html#creds-policies-credentials)
-explains the required permissions and the following IAM profile should get you setup:
+Make sure your users have permissions to update their own access keys. The following AWS documentation page explains the required permissions: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html#creds-policies-credentials.
+
+The following IAM policy is enough for aws-rotate-key:
 ```json
 {
diff --git a/main.go b/main.go
index 53d974b..017e946 100644
--- a/main.go
+++ b/main.go
@@ -27,7 +27,7 @@ func main() {
 flag.BoolVar(&yesFlag, "y", false, `Automatic "yes" to prompts.`)
 flag.BoolVar(&deleteFlag, "d", false, "Delete old key without deactivation.")
 flag.StringVar(&profileFlag, "profile", "default", "The profile to use.")
- flag.BoolVar(&versionFlag, "version", false, "Print version number ("+version+")")
+ flag.BoolVar(&versionFlag, "version", false, "Print version number")
 flag.Parse()
 if versionFlag {
@@ -191,6 +191,7 @@ func main() {
 fmt.Printf("Deactivated old access key %s.\n", creds.AccessKeyID)
 fmt.Println("Please make sure this key is not used elsewhere.")
 }
+ fmt.Println("Please note that it may take a minute for your new access key to propagate in the AWS control plane.")
 }
 func pluralize(n int) string {
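Review bot: The new propagation notice in the second main.go hunk is printed only after the old key has already been deactivated (the preceding `Deactivated old access key` line), so during the window it warns about the user may have neither a working old key nor a working new one; with `-d` the old key is deleted outright, which makes that window harder to recover from. Consider emitting the warning, or at least a short pause, before the deactivate/delete step rather than after it, and add a why-comment on the new line such as `// IAM is eventually consistent: the key just created may be rejected for a short while.` so the ordering is a conscious choice. The body of main, including the create and write steps, lies outside both hunks, so the exact sequence is inferred from the README example in this patch.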