Rotates the AWS access keys of a given list of users on a defined schedule and stores the access keys in Secrets Manager


GSA/aws-access-key-rotation-lambda


# AWS Access Key Rotation Lambda

AWS Access Key Rotation Lambda rotates the AWS Access Keys for a provided list of IAM usernames on the configured schedule (default is hourly). The resulting Access Keys are stored in Secrets Manager and are only accessible via the deployed reader role.

The secrets created for each provided IAM username will be prefixed with the provided value followed by the username. An example of the secret value format is shown below:

```json
{
    "aws_access_key_id": "AAAAAAAAAAAAAAAAAAAAAAAAAA",
    "aws_secret_access_key": "BBBBBBBBBBBBBBBBBBBBBBBBB"
}
```

## Repository contents

- `./`: Terraform module to deploy and configure the Lambda function, S3 bucket, and IAM roles and policies
- `lambda`: Go code for the Lambda function

## Terraform Module Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| `usernames` | The list of IAM usernames to be rotated | `list(string)` | `[]` | yes |
| `schedule_expression` | Cloudwatch schedule expression for when to run inventory | `string` | `"cron(0 * * * *)"` | no |
| `project` | The project name used as a prefix for all resources | `string` | `"iaas"` | no |
| `appenv` | The targeted application environment used in resource names | `string` | `"development"` | no |
| `prefix` | The name prefix used to signify a secret should be replicated | `string` | `"g-"` | no |
| `source_file` | The full or relative path to the zipped binary of the Lambda handler | `string` | `"../release/grace-secrets-sync-lambda.zip"` | no |


## Environment Variables

### Lambda Environment Variables

| Name | Description |
|------|-------------|
| `REGION` | (optional) Region used for EC2 instances (default: `us-east-1`) |
| `PREFIX` | (optional) Name prefix used for listing secrets in the hub (default: `g-`) |
| `USERNAMES` | (required) The list of IAM usernames whose Access Key must be rotated |
| `KMS_KEY_ALIAS` | (required) The KMS Key Alias of the KMS Key to use for Secrets Manager |
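The rotation sequence the README describes (a new key for each listed IAM username, stored under the `PREFIX`-plus-username secret name in the JSON format shown earlier, encrypted with the `KMS_KEY_ALIAS` key), as an added Go example that is not part of this repository's code. The `IAMClient` and `SecretsClient` interfaces, the in-memory fakes, the `svc-deploy` username and the `alias/example-key` alias are assumptions standing in for the AWS SDK clients so the example runs offline; the real Lambda would pass SDK-backed clients instead. It also makes explicit two points the README leaves implicit: IAM allows at most two access keys per user, so the oldest must go before a new one can be created, and a freshly created key is rolled back when the Secrets Manager write fails, so a user is never left holding a key nobody can read.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// AccessKey holds the IAM access key fields the rotation needs; Created (unix seconds) finds the oldest key.
type AccessKey struct {
	ID, Secret string
	Created    int64
}

// IAMClient and SecretsClient are hypothetical interfaces standing in for the
// AWS SDK calls the real Lambda makes (an assumption, not the project's types).
type IAMClient interface {
	ListAccessKeys(user string) ([]AccessKey, error)
	CreateAccessKey(user string) (AccessKey, error)
	DeleteAccessKey(user, keyID string) error
}
type SecretsClient interface {
	PutSecret(name, kmsKeyAlias string, value []byte) error
}

// SecretName derives the secret name: the PREFIX value followed by the IAM username.
func SecretName(prefix, user string) string { return prefix + user }

// RotateUser performs one rotation. IAM allows at most two access keys per user,
// so if two exist the oldest is deleted first; a new key is created and written
// to Secrets Manager in the README's JSON format; the previous key is deleted
// only after that write succeeds, so the user never loses its only working key.
func RotateUser(iam IAMClient, sm SecretsClient, prefix, kmsAlias, user string) (string, error) {
	keys, err := iam.ListAccessKeys(user)
	if err != nil {
		return "", err
	}
	sort.Slice(keys, func(i, j int) bool { return keys[i].Created < keys[j].Created })
	if len(keys) >= 2 {
		if err := iam.DeleteAccessKey(user, keys[0].ID); err != nil {
			return "", err
		}
		keys = keys[1:]
	}
	newKey, err := iam.CreateAccessKey(user)
	if err != nil {
		return "", err
	}
	body, _ := json.Marshal(map[string]string{"aws_access_key_id": newKey.ID, "aws_secret_access_key": newKey.Secret})
	if err := sm.PutSecret(SecretName(prefix, user), kmsAlias, body); err != nil {
		_ = iam.DeleteAccessKey(user, newKey.ID) // roll back so the old key stays the live one
		return "", fmt.Errorf("storing secret for %s: %w", user, err)
	}
	for _, k := range keys { // at most one previous key remains here
		if err := iam.DeleteAccessKey(user, k.ID); err != nil {
			return "", err
		}
	}
	return newKey.ID, nil
}

// fakeIAM and fakeSM are in-memory stand-ins so the example runs offline; fakeIAM enforces the two-key limit.
type fakeIAM struct {
	keys map[string][]AccessKey
	n    int64
}

func (f *fakeIAM) ListAccessKeys(u string) ([]AccessKey, error) {
	return append([]AccessKey(nil), f.keys[u]...), nil // copy: callers must not alias our slice
}
func (f *fakeIAM) CreateAccessKey(u string) (AccessKey, error) {
	if len(f.keys[u]) >= 2 {
		return AccessKey{}, fmt.Errorf("LimitExceeded: user %s already has two access keys", u)
	}
	f.n++
	k := AccessKey{ID: fmt.Sprintf("AKIA%016d", f.n), Secret: fmt.Sprintf("constructed-secret-%d", f.n), Created: f.n}
	f.keys[u] = append(f.keys[u], k)
	return k, nil
}
func (f *fakeIAM) DeleteAccessKey(u, id string) error {
	for i, k := range f.keys[u] {
		if k.ID == id {
			f.keys[u] = append(f.keys[u][:i], f.keys[u][i+1:]...)
			return nil
		}
	}
	return fmt.Errorf("NoSuchEntity: %s", id)
}

type fakeSM struct{ secrets map[string][]byte }

func (f *fakeSM) PutSecret(name, kmsAlias string, v []byte) error {
	if kmsAlias == "" { // KMS_KEY_ALIAS is required: a missing alias fails the write
		return fmt.Errorf("ValidationException: KMS key alias is required for %s", name)
	}
	f.secrets[name] = v
	return nil
}

func main() {
	iam := &fakeIAM{keys: map[string][]AccessKey{}}
	sm := &fakeSM{secrets: map[string][]byte{}}
	iam.CreateAccessKey("svc-deploy") // constructed: the user starts with one existing key
	id, err := RotateUser(iam, sm, "g-", "alias/example-key", "svc-deploy") // placeholder alias
	fmt.Println(id, err, string(sm.secrets["g-svc-deploy"]))
}
```

Running it with `go run` prints the new key id and the JSON document stored under `g-svc-deploy`. The order of operations is the point worth keeping when wiring in real SDK clients: the old key is only removed once the new secret is durably written, and a failed write deletes the just-created key instead of leaving the user with two keys of which only the stale one is known to consumers.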


## Public domain

This project is in the worldwide public domain. As stated in CONTRIBUTING:

> This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
>
> All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
