# File 'lib/sty/auth-rotate.rb', line 10
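# Rotates the IAM access key recorded for the active account (`act_acc`)
# in the 'auth-keys' YAML store.
#
# Flow: read the current key for the active account, confirm that key exists
# in AWS under the calling identity, refuse if more than one key is present
# (a rotation needs a free slot), do nothing if the key is younger than
# DEFAULT_KEY_AGE days, otherwise create a new key, persist it, and only then
# delete the old one. Persisting before deleting means the old key is still
# valid if the write fails; if it does fail the just-created key is deleted
# again so no orphaned key (with an unrecoverable secret) is left behind.
#
# Exits the process with status 1 on any precondition failure and 0 when the
# key is still young enough; on a completed rotation it returns nil.
#
# @return [nil]
# @raise [StandardError] whatever `dump` raises, re-raised after the new key
#   has been deleted from AWS; IAM client errors propagate unchanged.
def rotate
  keys = yaml('auth-keys')
  current_key = keys['accounts'].dig(*to_path(act_acc))
  puts "Current account #{white(act_acc)}"
  unless current_key
    puts red("You need to authenticate to userstore account to rotate keys.")
    exit(1)
  end
  current_id = current_key['key_id']
  puts "Current key #{white(current_id)}"

  iam = Aws::IAM::Client.new(region: region)
  # No user_name is passed, so these are the keys of the identity behind the
  # credentials the SDK resolved -- the check below ensures that identity is
  # actually the one whose key is recorded in the store.
  account_keys = iam.list_access_keys.access_key_metadata
  key_to_rotate = account_keys.find { |k| k.access_key_id == current_id }
  unless key_to_rotate
    puts red("Key #{current_id} for account #{act_acc} doesn't exist in AWS.")
    exit(1)
  end

  if account_keys.size > 1
    puts "You have #{white(account_keys.size)} keys already. Remove other keys before trying to rotate."
    account_keys.each do |k|
      if k.access_key_id == current_id
        puts "#{white(k.access_key_id)} <-- Keep"
      else
        puts "#{red(k.access_key_id)} <-- Remove"
      end
    end
    exit(1)
  end

  key_age_days = ((Time.now - key_to_rotate.create_date) / 3600 / 24).round
  puts "The key is #{white(key_age_days)} days old."
  if key_age_days < DEFAULT_KEY_AGE
    puts green('All good.')
    exit(0)
  end
  puts 'Key needs rotation.'

  new_key = iam.create_access_key.access_key
  begin
    current_key['key_id'] = new_key.access_key_id
    current_key['secret_key'] = new_key.secret_access_key
    puts "New key #{white(current_key['key_id'])} was created"
    # Persist first: the old key is untouched until the new one is on disk.
    dump(keys, 'auth-keys')
  rescue StandardError
    # The secret of the new key exists only in memory; if it could not be
    # saved, remove the key so it does not block the next rotation attempt.
    iam.delete_access_key(access_key_id: new_key.access_key_id)
    raise
  end

  # account_keys was listed before the new key existed, but guard anyway so a
  # stale listing can never delete the key that was just persisted.
  account_keys.each do |k|
    next if k.access_key_id == new_key.access_key_id

    puts "Removing old key #{white(k.access_key_id)}"
    iam.delete_access_key(access_key_id: k.access_key_id)
  end
  puts green('Key was rotated successfully.')
end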