
update key rotation

master
Markus Bergholz 1 year ago
parent
commit
57e83c33e1
2 changed files with 68 additions and 60 deletions
  1. +54
    -0
      ansible/profile_iteration.yml
  2. +14
    -60
      ansible/rotate_aws_keys.yml

+ 54
- 0
ansible/profile_iteration.yml View File

@ -0,0 +1,54 @@
- name: create new credentials, remove current and replace them in ~/.aws/credentials
block:
- name: Get the current caller identity facts
aws_caller_info:
profile: "{{ item }}"
register: caller_facts
- name: read current credentials
set_fact:
current_access_key: "{{ lookup('ini', 'aws_access_key_id section=' + item + ' file=~/.aws/credentials') }}"
current_secret_key: "{{ lookup('ini', 'aws_secret_access_key section=' + item + ' file=~/.aws/credentials') }}"
username: "{{ caller_facts.arn.split('/')[1] }}"
- name: create new iam credentials
iam:
iam_type: user
name: "{{ username }}"
state: update
access_key_state: create
key_count: 2
profile: "{{ item }}"
register: new_credentials
- name: delete old credentials
iam:
iam_type: user
name: "{{ username }}"
state: update
access_key_state: remove
access_key_ids: "{{ current_access_key }}"
profile: "{{ item }}"
key_count: 1
- name: update secret access key credentials file
ini_file:
path: ~/.aws/credentials
section: "{{ item }}"
option: aws_secret_access_key
value: "{{ new_credentials.created_keys[0].secret_access_key }}"
mode: '0600'
backup: yes
- name: update access key credentials file
ini_file:
path: ~/.aws/credentials
section: "{{ item }}"
option: aws_access_key_id
value: "{{ new_credentials.created_keys[0].access_key_id }}"
mode: '0600'
rescue:
- name: print new created credentials in case of task failure
debug:
msg: "{{ new_credentials }}"
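Review bot: The rescue at the end of the block prints `new_credentials` with `debug`, which writes the freshly created `secret_access_key` into the play output and any log or CI capture of it, and the `iam` create task registered as `new_credentials` also echoes its full result in verbose runs; add `no_log: true` to the create task and have the rescue print only `msg: "{{ new_credentials.created_keys[0].access_key_id }}"` so the operator can locate the key in IAM without the secret landing in logs. The task order is also fragile: `delete old credentials` runs before the two `ini_file` writes, so a failure writing `~/.aws/credentials` leaves the old key already removed from IAM and the new secret only in memory — writing the file first, checking it with `aws_caller_info` against the new key, and removing the old key last keeps a working credential at every step. `current_secret_key` in `read current credentials` is set but never used afterwards; dropping it avoids holding a second secret in a fact. If the first task fails, `new_credentials` is undefined (or stale from a previous `item` when this file is looped), so the rescue's `debug` itself errors or prints another profile's keys; guard it with `when: new_credentials is defined`. `backup: yes` should be `backup: true` per yamllint's truthy rule, and the backup copy it produces keeps the old secret on disk after that key is deleted from IAM.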

+ 14
- 60
ansible/rotate_aws_keys.yml View File

@ -3,65 +3,19 @@
connection: local
gather_facts: False
vars_prompt:
- name: AWS_PROFILE
prompt: AWS Profile?
private: no
default: test
vars:
PROFILES:
- test
- prod
- connectdev
- connectprod
- connectpoc
- datalake_test
- datalake_prod
- vpn
- pl
tasks:
- name: create new credentials, remove current and replace them in ~/.aws/credentials
block:
- name: Get the current caller identity facts
aws_caller_info:
profile: "{{ AWS_PROFILE }}"
register: caller_facts
- name: read current credentials
set_fact:
current_access_key: "{{ lookup('ini', 'aws_access_key_id section=' + AWS_PROFILE + ' file=~/.aws/credentials') }}"
current_secret_key: "{{ lookup('ini', 'aws_secret_access_key section=' + AWS_PROFILE + ' file=~/.aws/credentials') }}"
username: "{{ caller_facts.arn.split('/')[1] }}"
- name: create new iam credentials
iam:
iam_type: user
name: "{{ username }}"
state: update
access_key_state: create
key_count: 2
profile: "{{ AWS_PROFILE }}"
register: new_credentials
- name: delete old credentials
iam:
iam_type: user
name: "{{ username }}"
state: update
access_key_state: remove
access_key_ids: "{{ current_access_key }}"
profile: "{{ AWS_PROFILE }}"
key_count: 1
- name: update secret access key credentials file
ini_file:
path: ~/.aws/credentials
section: "{{ AWS_PROFILE }}"
option: aws_secret_access_key
value: "{{ new_credentials.created_keys[0].secret_access_key }}"
mode: '0600'
backup: yes
- name: update access key credentials file
ini_file:
path: ~/.aws/credentials
section: "{{ AWS_PROFILE }}"
option: aws_access_key_id
value: "{{ new_credentials.created_keys[0].access_key_id }}"
mode: '0600'
rescue:
- name: print new created credentials in case of task failure
debug:
msg: "{{ new_credentials }}"
tasks:
- include: profile_iteration.yml
with_items: "{{ PROFILES }}"
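Review bot: `- include: profile_iteration.yml` at the end of the hunk uses the legacy `include` keyword, which is deprecated for task includes; `- include_tasks: profile_iteration.yml` with `loop: "{{ PROFILES }}"` is the current form and still exposes each profile as `item` in the included file. Because every iteration registers `new_credentials` inside the included file, a failure on a later profile leaves the earlier profile's keys in that variable and a failure before the create task leaves it undefined; a comment above the include such as `# full rotation runs once per profile; registered vars persist across iterations` would warn the next reader. Dropping `vars_prompt` means a plain run now rotates every listed profile, `prod` and `connectprod` included, with no confirmation, so keeping a prompt or an `--extra-vars` gate on the list would limit the blast radius of an accidental run. Which of the `vars:`/`PROFILES` lines are added versus context cannot be told for certain from this rendering, but `gather_facts: False` should be written `false` if that line is touched. The play header with `hosts` lies outside the hunk.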
