cloud engineer
by Ulysses
Here’s how to search for an IAM user in AWS by filtering their access key.
aws iam list-users --query 'Users[?UserId==`AIDAxxxxxxxxxxxxxxxxx`]' \ --profile your-profile |
aws iam list-users --query 'Users[?UserId==`AIDAxxxxxxxxxxxxxxxxx`]' \ --profile your-profile
The results only returns one user with that UserID.
[ { "Path": "/", "UserName": "your-username", "UserId": "AIDAxxxxxxxxxxxxxxxxx", "Arn": "arn:aws:iam::xxxxxxxxxxxx:user/sa-lucidchart", "CreateDate": "2019-04-15T15:53:18+00:00" } ] |
[ { "Path": "/", "UserName": "your-username", "UserId": "AIDAxxxxxxxxxxxxxxxxx", "Arn": "arn:aws:iam::xxxxxxxxxxxx:user/sa-lucidchart", "CreateDate": "2019-04-15T15:53:18+00:00" } ]
by Ulysses
Here’s a script that will rotate AWS IAM keys.
#!/bin/bash # set files user='johndoe' newkey='/root/new-access-key.json' oldkey='/root/old-access-key.json' credentials='/root/.aws/credentials' # get old credentials aws iam list-access-keys --user-name $user > $oldkey okey=$(jq .AccessKeyMetadata[0].AccessKeyId $oldkey | tr -d \") # create new key aws iam create-access-key --user-name $user > $newkey # get new access keys and new secret nkey=$(jq .AccessKey.AccessKeyId $newkey | tr -d \") nsecret=$(jq .AccessKey.SecretAccessKey $newkey | tr -d \") # backup old credentials cp /root/.aws/credentials /root/.aws/credentials-backup # store the new key echo '[default]' > $credentials echo 'aws_access_key_id = ' $nkey >> $credentials echo 'aws_secret_access_key = '$nsecret >> $credentials sleep 10 # delete old key aws iam delete-access-key --user-name $user --access-key-id $okey rm $newkey rm $oldkey |
#!/bin/bash # set files user='johndoe' newkey='/root/new-access-key.json' oldkey='/root/old-access-key.json' credentials='/root/.aws/credentials' # get old credentials aws iam list-access-keys --user-name $user > $oldkey okey=$(jq .AccessKeyMetadata[0].AccessKeyId $oldkey | tr -d \") # create new key aws iam create-access-key --user-name $user > $newkey # get new access keys and new secret nkey=$(jq .AccessKey.AccessKeyId $newkey | tr -d \") nsecret=$(jq .AccessKey.SecretAccessKey $newkey | tr -d \") # backup old credentials cp /root/.aws/credentials /root/.aws/credentials-backup # store the new key echo '[default]' > $credentials echo 'aws_access_key_id = ' $nkey >> $credentials echo 'aws_secret_access_key = '$nsecret >> $credentials sleep 10 # delete old key aws iam delete-access-key --user-name $user --access-key-id $okey rm $newkey rm $oldkey
The script performs the following: