Skip to content

Github Action to rotate AWS Access Keys stored in a repositories secrets

License

Notifications You must be signed in to change notification settings

cold-wisteria/github-action-rotate-aws-secrets

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Rotate AWS Access token stored in Github Repository secrets

Environment Variables

AWS_ACCESS_KEY_ID

  • Required: True
  • Description: Access Key ID to authenticate with AWS. You can use ${{secrets.ACCESS_KEY_ID}}

AWS_SECRET_ACCESS_KEY

  • Required: True
  • Description: Secret Access Key ID to authenticate with AWS. You can use ${{secrets.SECRET_ACCESS_KEY_ID}}

AWS_SESSION_TOKEN

  • Required: False
  • Description: Session Token for the current AWS session. Only required if you assume a role first.

IAM_USERNAME

  • Required: False
  • Description: Name of IAM user being rotated, if not set the username which is used in the AWS credentials is used

PERSONAL_ACCESS_TOKEN

  • Required: True
  • Description: Github Token with Repo Admin access of the target repo. As of 4/16/2020 ${{github.token}} does not have permission to query the Secrets API. The existing env var GITHUB_TOKEN which is added automatically to all runs does not have the access secrets.

OWNER_REPOSITORY

  • Required: True
  • Description: The owner and repository name. For example, octocat/Hello-World. If being ran in the repo being updated, you can use ${{github.repository}}. Multiple repositories can be specified by a comma-separated list (e.g. OWNER_REPOSITORY: ${{ github.repository }},MyGitHubOrgOrUser/MyGitHubRepo).

GITHUB_ACCESS_KEY_NAME

  • Required: False
  • Default: access_key_id
  • Description: Name of the secret for the Access Key ID. Setting this overrides the default.

GITHUB_SECRET_KEY_NAME

  • Required: False
  • Default: secret_key_id
  • Description: Name of the secret for the Secret Access Key ID. Setting this overrides the default.

Example

Rotation every monday at 13:00 UTC

on:
  schedule:
    - cron: '* 13 * * 1' 

jobs:
  rotate:
    name: rotate iam user keys
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]

      - name: rotate aws keys
        uses: kneemaa/[email protected]
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.access_key_name }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.secret_key_name }}
          IAM_USERNAME: 'iam-user-name'
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          OWNER_REPOSITORY: ${{ github.repository }}

Adding Slack notification on failure only

on:
  schedule:
    - cron: '* 13 * * 1'

jobs:
  rotate:
    name: rotate iam user keys
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]

      - name: rotate aws keys
        uses: kneemaa/[email protected]
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.access_key_name }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.secret_key_name }}
          IAM_USERNAME: 'iam-user-name'
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          OWNER_REPOSITORY: ${{ github.repository }}

      - name: Send Slack Status
        if: failure()
        uses: 8398a7/[email protected]
        with:
          status: ${{job.status}}
          author_name: kneemaa-aws-rotation-action
          username: kneemaa-rotation-bot
          text: Rotating the token had a status of ${{ job.status }}
          channel: alerts-test
        env:
          SLACK_WEBHOOK_URL: https://hooks.slack.com/services/.../...

License

The Dockerfile and associated scripts and documentation in this project are released under the MIT License.

About

Github Action to rotate AWS Access Keys stored in a repositories secrets

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Python 97.3%
  • Dockerfile 2.7%