GitHub Action
Rotate AWS Access Keys
v1.3.0
Latest version
Performs the following actions:
- Checks for existing IAM access and secret key pairs of the provided IAM user (
IAM_USERNAME
) - If 2 sets of keys exists, the action will fail
- If 0 or 1 set of keys exists, the action will:
- Create a new key pair for the IAM user
- Update the Github secrets (
GITHUB_ACCESS_KEY_NAME
andGITHUB_SECRET_KEY_NAME
) for all provided repositories (OWNER_REPOSITORY
) - Delete the original key pair from the IAM user (if 1 already exists)
Variable | Required | Description | Default |
---|---|---|---|
AWS_ACCESS_KEY_ID | True | Access Key ID to authenticate with AWS. You can use ${{secrets.ACCESS_KEY_ID}} |
N/A |
AWS_SECRET_ACCESS_KEY | True | Secret Access Key ID to authenticate with AWS. You can use ${{secrets.SECRET_ACCESS_KEY_ID}} |
N/A |
AWS_SESSION_TOKEN | False | Session Token for the current AWS session. Only required if you assume a role first. | N/A |
IAM_USERNAME | False | Name of IAM user being rotated, if not set the username which is used in the AWS credentials is used | N/A |
PERSONAL_ACCESS_TOKEN | True | Github Token with Repo Admin access of the target repo. As of 4/16/2020 ${{github.token}} does not have permission to query the Secrets API. The existing env var GITHUB_TOKEN which is added automatically to all runs does not have the access secrets. |
N/A |
OWNER_REPOSITORY | True | The owner and repository name. For example, octocat/Hello-World. If being ran in the repo being updated, you can use ${{github.repository}} . Multiple repositories can be specified by a comma-separated list (e.g. OWNER_REPOSITORY: ${{ github.repository }},MyGitHubOrgOrUser/MyGitHubRepo ). |
N/A |
GITHUB_ACCESS_KEY_NAME | False | Name of the secret for the Access Key ID. Setting this overrides the default. | access_key_id |
GITHUB_SECRET_KEY_NAME | False | Name of the secret for the Secret Access Key ID. Setting this overrides the default. | secret_key_id |
GITHUB_ENVIRONMENT | False | Name of the Github environment where the secrets are stored. | N/A |
on:
schedule:
- cron: '27 13 * * 1'
jobs:
rotate:
name: rotate iam user keys
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
- name: rotate aws keys
uses: kneemaa/[email protected]
env:
AWS_ACCESS_KEY_ID: ${{ secrets.access_key_name }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.secret_key_name }}
IAM_USERNAME: 'iam-user-name'
PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
OWNER_REPOSITORY: ${{ github.repository }}
on:
schedule:
- cron: '27 13 * * 1'
jobs:
rotate:
name: rotate iam user keys
runs-on: ubuntu-latest
environment: dev
steps:
- uses: actions/[email protected]
- name: rotate aws keys
uses: kneemaa/[email protected]
env:
AWS_ACCESS_KEY_ID: ${{ secrets.access_key_name }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.secret_key_name }}
IAM_USERNAME: 'iam-user-name'
PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
OWNER_REPOSITORY: ${{ github.repository }}
GITHUB_ENVIRONMENT: dev
Note that environment names must be set twice:
- at the job level for Github workflow to know where to fetch the secrets
- in the action's environment variable so that the action knows where to store the secret back
on:
schedule:
- cron: '27 13 * * 1'
jobs:
rotate:
name: rotate iam user keys
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
- name: rotate aws keys
uses: kneemaa/[email protected]
env:
AWS_ACCESS_KEY_ID: ${{ secrets.access_key_name }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.secret_key_name }}
IAM_USERNAME: 'iam-user-name'
PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
OWNER_REPOSITORY: ${{ github.repository }}
- name: Send Slack Status
if: failure()
uses: 8398a7/[email protected]
with:
status: ${{job.status}}
author_name: kneemaa-aws-rotation-action
username: kneemaa-rotation-bot
text: Rotating the token had a status of ${{ job.status }}
channel: alerts-test
env:
SLACK_WEBHOOK_URL: https://hooks.slack.com/services/.../...
The Dockerfile and associated scripts and documentation in this project are released under the MIT License.