Uly.me

cloud engineer

AWS CLI Search IAM UserID

Here’s how to search for an IAM user in AWS by filtering their access key.

aws iam list-users --query 'Users[?UserId==`AIDAxxxxxxxxxxxxxxxxx`]' \
--profile your-profile

The results only returns one user with that UserID.

[
    {
        "Path": "/",
        "UserName": "your-username",
        "UserId": "AIDAxxxxxxxxxxxxxxxxx",
        "Arn": "arn:aws:iam::xxxxxxxxxxxx:user/sa-lucidchart",
        "CreateDate": "2019-04-15T15:53:18+00:00"
    }
]

AWS Rotate IAM Keys

Here’s a script that will rotate AWS IAM keys.

#!/bin/bash
# set files
user='johndoe'
newkey='/root/new-access-key.json'
oldkey='/root/old-access-key.json'
credentials='/root/.aws/credentials'
# get old credentials
aws iam list-access-keys --user-name $user > $oldkey
okey=$(jq .AccessKeyMetadata[0].AccessKeyId $oldkey | tr -d \")
# create new key
aws iam create-access-key --user-name $user > $newkey
# get new access keys and new secret
nkey=$(jq .AccessKey.AccessKeyId $newkey | tr -d \")
nsecret=$(jq .AccessKey.SecretAccessKey $newkey | tr -d \")
# backup old credentials
cp /root/.aws/credentials /root/.aws/credentials-backup
# store the new key
echo '[default]' > $credentials
echo 'aws_access_key_id = ' $nkey >> $credentials
echo 'aws_secret_access_key = '$nsecret >> $credentials
sleep 10
# delete old key
aws iam delete-access-key --user-name $user --access-key-id $okey
rm $newkey
rm $oldkey

The script performs the following:

  1. Retrieves the current key
  2. Creates a new key
  3. Backup the current credentials file
  4. Create a new credentials file
  5. Deletes the old key
  6. Deletes the temp files
  7. Done