AwsRotate


Rotates your AWS keys configured in ~/.aws/credentials.

Usage

aws-rotate list # list profiles in ~/.aws
aws-rotate key  # rotates single key. Uses AWS_PROFILE env var
aws-rotate keys # rotates **all** keys for all profiles in ~/.aws/credentials

aws-rotate keys

IMPORTANT: The aws-rotate keys command will update all the profiles found in ~/.aws/credentials. You may want to run it with --noop first to test. Example:

aws-rotate keys --noop

select filter option

If you would like to selectively update profiles, you can use the --select option. The -s option is also shorthand for the --select option. Example:

aws-rotate keys --select dev-

With --select dev-, only profiles whose name contains dev- are updated. Example:

~/.aws/credentials:

[my-dev-account1]
aws_access_key_id=EXAMPLE1
aws_secret_access_key=EXAMPLE1

[my-dev-account2]
aws_access_key_id=EXAMPLE2
aws_secret_access_key=EXAMPLE2

[my-prod-]
aws_access_key_id=EXAMPLE3
aws_secret_access_key=EXAMPLE3

Will only update my-dev-account1 and my-dev-account2, since they both include the dev- pattern.

The select option can take multiple selects. Example:

aws-rotate keys --select dev- test-

Also, the select option is internally converted to a Ruby regexp, so you can use patterns. Example:

aws-rotate keys --select ^dev-

In this case the match is stricter: the profile name must start with "dev-".

reject filter option

There is also a --reject and -r option that does the opposite of the --select option.

aws-rotate keys --reject ^prod-

This rotates all profiles that do not match ^prod-.

You can use both --select and --reject options together.
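
The select and reject filtering described above, as an added Ruby example (not aws-rotate's own code). It assumes multiple patterns are OR-ed and that --reject is applied after --select; the helper names and the sample credentials content are constructed. It shows how an unanchored pattern such as dev- also catches a profile like prod-dev-gateway, which is worth checking before a real rotation.

```ruby
# Added illustration; not taken from the aws-rotate source.
# Assumptions: several patterns are OR-ed; --reject runs after --select.

# Constructed sample of a ~/.aws/credentials file (placeholder values).
SAMPLE_CREDENTIALS = <<~INI
  [my-dev-account1]
  aws_access_key_id=EXAMPLE1
  aws_secret_access_key=EXAMPLE1

  [dev-account2]
  aws_access_key_id=EXAMPLE2
  aws_secret_access_key=EXAMPLE2

  [prod-dev-gateway]
  aws_access_key_id=EXAMPLE3
  aws_secret_access_key=EXAMPLE3

  [my-prod-]
  aws_access_key_id=EXAMPLE4
  aws_secret_access_key=EXAMPLE4

  [test-sandbox]
  aws_access_key_id=EXAMPLE5
  aws_secret_access_key=EXAMPLE5
INI

# Pull the profile names out of the INI section headers, in file order.
def profile_names(text)
  text.scan(/^\[([^\]]+)\]\s*$/).flatten
end

# Keep a profile if it matches any select pattern (or no select was given)
# and matches none of the reject patterns. Patterns are plain regexp strings.
def filter_profiles(names, select: [], reject: [])
  selects = select.map { |pattern| Regexp.new(pattern) }
  rejects = reject.map { |pattern| Regexp.new(pattern) }
  names.select do |name|
    chosen = selects.empty? || selects.any? { |re| re.match?(name) }
    chosen && rejects.none? { |re| re.match?(name) }
  end
end

# Preview which sample profiles a given filter combination would touch.
def preview(select: [], reject: [])
  filter_profiles(profile_names(SAMPLE_CREDENTIALS), select: select, reject: reject)
end

puts preview(select: ["dev-"]).inspect if $PROGRAM_NAME == __FILE__
```
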

Backups

A backup of your ~/.aws/credentials file is taken and stored in ~/.aws/credentials-bak-[timestamp] before it is updated. However, please take precautions and keep your own backups as well. You can also disable backups with the --no-backup option.

Assume Roles

Note: assumed role profiles are skipped as they don't have access keys.

Automatically Updating with Cron

You can add a crontab entry to your system to automatically rotate the keys:

crontab -e

You can add something like this:

30 20 * * * bash -l -c 'aws-rotate keys --select dev-aws-profile test-aws-profile --no-backup >> /var/log/cron-aws-rotate.log 2>&1' # rotate AWS keys daily

Create a /var/log/cron-aws-rotate.log that is writable by your user:

sudo touch /var/log/cron-aws-rotate.log
sudo chown `whoami`:`whoami` /var/log/cron-aws-rotate.log

Installation

Add this line to your application's Gemfile:

gem "aws-rotate"

Requirements

The AWS CLI is used to set the access keys and is required.

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am "Add some feature")
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request