Skip to content

cpollard0/iam-vault-rotate

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
iam_vault_rotate.py
iam_vault_rotate.py
 
 
requirements.txt
requirements.txt
 
 
setup.py
setup.py
 
 

Repository files navigation

IAM Vault Rotate

What is this?

In our automation, we have IAM service accounts that are associated with Ansible solutions. We store the credentials for these accounts in the ansible solution using Ansible vault to encrypt secrets. These service accounts are highly privileged and need to conform to our password rotation policy. There is a service account per AWS environment, meaning an individual application having lots of service accounts. The overhead burden on rotating these credentials has historically led to service accounts having an exception from the password expiration policy. As we move to AWS, we want to get away from that.

This utility is a simple utility that rotates a users credentials within an ansible solution.

Setup

Run:

python setup.py install

Usage

Example:

iam_vault_rotate rotate generate inline -vpf /vagrant/vault_password_file -vf /vagrant/group_vars/dev1/access_aws.yml -af /vagrant/group_vars/dev1/access_aws.yml -sk aws_secret_key  -d TRUE

usage: iam_vault_rotate rotate [-h] [-u USER] [-vf VAULTFILE] [-af ACCESSFILE]
                               [-vp VAULTPASS] [-vpf VAULTPASSFILE]
                               [-sk SECRETKEYNAME] [-ak ACCESSKEYNAME]
                               [-acck ACCESSKEYVALUE]
                               [-d DELETE_OLD_ACCESS_KEY]
                               rotationtype encryptiontype

positional arguments:
  rotationtype          indicates whether you need to generate a new key you
                        are passing in an access key/secret key to rotate to
                        defaults to generate
  encryptiontype        indicates whether you encryption is inline or file
                        defaults to file

optional arguments:
  -h, --help            show this help message and exit
  -u USER, --user USER  the name of the user for whom to rotate. If blank will
                        be current user
  -vf VAULTFILE, --vaultfile VAULTFILE
                        location of vault encrypted file
  -af ACCESSFILE, --accessfile ACCESSFILE
                        location of access key file
  -vp VAULTPASS, --vaultpass VAULTPASS
                        vault password
  -vpf VAULTPASSFILE, --vaultpassfile VAULTPASSFILE
                        vault password file
  -sk SECRETKEYNAME, --secretkeyname SECRETKEYNAME
                        secret key name in the vault file. defaults to
                        vault_aws_secret_key
  -ak ACCESSKEYNAME, --accesskeyname ACCESSKEYNAME
                        access key name. defaults to aws_access_key
  -acck ACCESSKEYVALUE, --accesskeyvalue ACCESSKEYVALUE
                        access key to rotate to. used when we don't want to
                        generate a key but rotate it defaults to blank.
  -vid VAULTID, --vaultid VAULTID
                        Vault Id for use with solutions with multiple vault files
  -d DELETE_OLD_ACCESS_KEY, --delete_old_access_key DELETE_OLD_ACCESS_KEY
                        Delete old access key

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages