aws-iam-credential-rotate

v1.0.0
Published: Jan 8, 2020 License: Apache-2.0 Imports: 1 Imported by: 0

README

AWS IAM key rotate tool

This is a simple tool that reads a Kubernetes secret containing IAM credentials, rotates the access key on the AWS side, and updates the secret with the new credentials.

How to use

Rotate IAM Key

Rotate key policy

The following policy has to be created and attached to the user so that the user can rotate its own access keys. The ${aws:username} policy variable restricts the resource to the keys of the calling user, so the tool cannot touch any other user's keys:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:UpdateAccessKey",
                "iam:CreateAccessKey",
                "iam:ListAccessKeys",
                "iam:DeleteAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}

IAM user

Create a user in AWS and attach the previous policy to it. Generate an access key for the user.

Secret in Kubernetes

The following secret holds the initial credentials of the user; the aws-rotate-key label is what marks it for the rotation job, which overwrites access_key_id and secret_access_key with the new key on each run.

apiVersion: v1
kind: Secret
metadata:
  name: aws-iam-user-credentials
  labels:
    aws-rotate-key: "true"
stringData:
  access_key_id: AKIASX3NJFVAYLY464VG
  secret_access_key: xxxxxxxxxxxxxxxxxxxxxxxxx

Cron Job

Finally we need a CronJob that runs under a service account allowed to get, list, watch and update secrets in its namespace (the Role below is namespaced, so it grants nothing outside the namespace the job runs in):

apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-credentials-updater

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-edit
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list", "update"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aws-credentials-updater-rolebinding
subjects:
- kind: ServiceAccount
  name: aws-credentials-updater
roleRef:
  kind: Role
  name: secret-edit
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: rotate-keys
spec:
  schedule: "*/15 * * * *"
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            parent: "rotate-keys"
        spec:
          containers:
          - name: rotate
            image: nuxeo/aws-iam-credential-rotate
          restartPolicy: Never
          serviceAccount: aws-credentials-updater
          serviceAccountName: aws-credentials-updater
  successfulJobsHistoryLimit: 50
  failedJobsHistoryLimit: 50
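As an added example (not the project's own code), this is the order of IAM calls a rotation job should make with the four actions the rotate key policy above grants, so that the Kubernetes secret never ends up holding a dead key. KeyAPI, fakeIAM and the store callback are assumed stand-ins for the AWS SDK and the secret update.

```go
package main

import "fmt"

type AccessKey struct{ ID, Secret string }

// KeyAPI is an assumed interface over the IAM actions the rotate key policy grants.
type KeyAPI interface {
	CreateAccessKey() (AccessKey, error)
	UpdateAccessKey(id string, active bool) error
	DeleteAccessKey(id string) error
}

// Rotate creates a fresh key, hands it to store (the Kubernetes secret update) and
// only then deactivates and deletes current, the key ID read from the secret. If
// store fails the fresh key is removed again, so the old credential keeps working.
func Rotate(api KeyAPI, current string, store func(AccessKey) error) (AccessKey, error) {
	fresh, err := api.CreateAccessKey() // LimitExceeded if the user already has two keys
	if err != nil { return AccessKey{}, err }
	if err := store(fresh); err != nil {
		_ = api.DeleteAccessKey(fresh.ID) // roll back so no orphaned key is left behind
		return AccessKey{}, fmt.Errorf("storing new key: %w", err)
	}
	// Deactivate before deleting: an inactive key can still be re-enabled if a consumer has not picked up the new secret.
	if err := api.UpdateAccessKey(current, false); err != nil { return fresh, err }
	return fresh, api.DeleteAccessKey(current)
}

// fakeIAM is a constructed in-memory stand-in for IAM: key ID -> active flag.
type fakeIAM struct{ keys map[string]bool }
func (f *fakeIAM) CreateAccessKey() (AccessKey, error) {
	if len(f.keys) >= 2 { return AccessKey{}, fmt.Errorf("LimitExceeded") } // IAM's two-key limit
	id := fmt.Sprintf("AKIAEXAMPLE%03d", len(f.keys)+1)
	f.keys[id] = true
	return AccessKey{ID: id, Secret: "constructed-secret"}, nil
}
func (f *fakeIAM) UpdateAccessKey(id string, active bool) error {
	if _, ok := f.keys[id]; !ok { return fmt.Errorf("NoSuchEntity") }
	f.keys[id] = active
	return nil
}
func (f *fakeIAM) DeleteAccessKey(id string) error {
	if _, ok := f.keys[id]; !ok { return fmt.Errorf("NoSuchEntity") }
	delete(f.keys, id)
	return nil
}
func main() { // store would write the Kubernetes secret; here it just succeeds
	api := &fakeIAM{keys: map[string]bool{"AKIAOLD": true}}
	fresh, err := Rotate(api, "AKIAOLD", func(AccessKey) error { return nil })
	fmt.Println(fresh.ID, err, api.keys)
}
```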

Rotate ECR Credentials


Create a secret

apiVersion: v1
kind: Secret
metadata:
  name: aws-ecr-credentials-us-west-1
  labels:
    aws-ecr-updater: "true"
  annotations:
    aws-ecr-updater/secret: "aws-iam-user-credentials"
    aws-ecr-updater/region: "eu-west-1"
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: "{}"

Attach a policy to the IAM user

Create the following policy and attach it to the IAM user. Only ecr:GetAuthorizationToken must keep Resource "*"; the remaining actions can be scoped to the repositories actually used, and if the cluster only pulls images the push actions (ecr:InitiateLayerUpload, ecr:UploadLayerPart, ecr:CompleteLayerUpload, ecr:PutImage) can be left out:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:PutImage"
            ],
            "Resource": "*"
        }
    ]
}

Create the CRON Job

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: rotate-ecr
spec:
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            parent: rotate-ecr
        spec:
          containers:
          - command:
            - /aws-iam-credential-rotate
            - ecr-update
            image: nuxeo/aws-iam-credential-rotate
            name: rotate
          serviceAccount: aws-credentials-updater
          serviceAccountName: aws-credentials-updater
  schedule: 0 */2 * * *
  successfulJobsHistoryLimit: 10
  failedJobsHistoryLimit: 10
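As an added example (not the project's code, and not necessarily how ecr-update is implemented), this is how the placeholder .dockerconfigjson above gets filled from one ECR authorization token. The authorizationData type and the account ID in the sample are constructed; the token format (base64 of "AWS:<password>") and the proxy endpoint are what the ECR GetAuthorizationToken API returns.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// authorizationData mirrors the two fields of an ECR GetAuthorizationToken
// result that matter here; the real SDK type has more.
type authorizationData struct {
	AuthorizationToken string
	ProxyEndpoint      string
}

// DockerConfigJSON builds the payload kubelet expects in a
// kubernetes.io/dockerconfigjson secret. It validates the token shape first so a
// malformed response cannot produce a secret that looks valid but fails every pull.
func DockerConfigJSON(ad authorizationData) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(ad.AuthorizationToken)
	if err != nil {
		return nil, fmt.Errorf("decoding authorization token: %w", err)
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 || parts[0] != "AWS" || parts[1] == "" {
		return nil, fmt.Errorf("unexpected ECR token format")
	}
	registry := strings.TrimPrefix(ad.ProxyEndpoint, "https://") // auths keys are registry hosts
	if registry == "" {
		return nil, fmt.Errorf("empty proxy endpoint")
	}
	cfg := map[string]interface{}{"auths": map[string]interface{}{registry: map[string]string{
		"username": parts[0],
		"password": parts[1],
		"auth":     ad.AuthorizationToken, // docker's auth field is base64(user:pass), which ECR already supplies
	}}}
	return json.Marshal(cfg)
}

func main() {
	// Constructed sample of what GetAuthorizationToken returns for a registry in eu-west-1.
	sample := authorizationData{
		AuthorizationToken: base64.StdEncoding.EncodeToString([]byte("AWS:constructed-password")),
		ProxyEndpoint:      "https://123456789012.dkr.ecr.eu-west-1.amazonaws.com",
	}
	out, err := DockerConfigJSON(sample)
	fmt.Println(string(out), err)
}
```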

Licensing

Most of the source code in the Nuxeo Platform is copyright Nuxeo and contributors, and licensed under the Apache License, Version 2.0.

See the LICENSE file and the documentation page Licenses for details.

About Nuxeo

Nuxeo dramatically improves how content-based applications are built, managed and deployed, making customers more agile, innovative and successful. Nuxeo provides a next generation, enterprise ready platform for building traditional and cutting-edge content oriented applications. Combining a powerful application development environment with SaaS-based tools and a modular architecture, the Nuxeo Platform and Products provide clear business value to some of the most recognizable brands including Verizon, Electronic Arts, Sharp, FICO, the U.S. Navy, and Boeing. Nuxeo is headquartered in New York and Paris. More information is available at www.nuxeo.com.


Copyright © 2019 Nuxeo

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
