Add tooling to manage AWS IAM access keys#6872
dannyroberts wants to merge 4 commits into master from
Implements the list subcommand of the IAM key management tool described in SAAS-19726. Outputs a JSON list of a user's access keys, including last-used date, service, and region. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
These set the AWS IAM access key status to Inactive or Active respectively and print the updated key info as JSON. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Creates a new access key for the given IAM user and prints the credentials as CSV in the same format as the AWS console download, making the output directly consumable by derive_ses_smtp_password.py and the rest of the SES rotation tooling. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Removes the given access key and prints the removed key's info as JSON. Without --force, refuses to remove a key that is still Active or that has been used within the last 24 hours, so callers must deactivate first and let any in-flight usage drain before deletion. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SAAS-19726

- `scripts/aws/manage-iam-keys.py` for inspecting and rotating IAM access keys, building blocks for SES SMTP credential rotation
  - `list` (JSON), `create` (CSV in the AWS console download format consumed by `derive_ses_smtp_password.py`), `deactivate`, `reactivate`, `remove`
  - `remove` refuses without `--force` unless the key is `Inactive` and either never used or last used 24h+ ago
- Note: for this to work you need an aws profile (e.g. in your `~/.aws/config`) that has access to the IAM keys you're interested in—it'll need to have the correct account number and role.

Environments Affected

None — this adds a new standalone script under `scripts/aws/` and does not modify any environment files.

Test plan

- `./scripts/aws/manage-iam-keys.py ses-iam ses-staging list` outputs a JSON array with `AccessKeyId`, `Status`, `CreateDate`, `LastUsedDate`, `LastUsedService`, `LastUsedRegion`
- `./scripts/aws/manage-iam-keys.py ses-iam ses-swiss create` returns CSV that `derive_ses_smtp_password.py` can consume (extract field 2 as the secret)
- `./scripts/aws/manage-iam-keys.py ses-iam ses-swiss list` shows a key
- `./scripts/aws/manage-iam-keys.py ses-iam ses-swiss remove <key-id> --force` succeeds, even while it's active. (Recreate the key, this time with `> /dev/null` since we don't need to see the output, for the next tests.)
- `./scripts/aws/manage-iam-keys.py ses-iam ses-swiss remove <key-id>` refuses while the key is `Active`
- `./scripts/aws/manage-iam-keys.py ses-iam ses-swiss deactivate <key-id>` flips status to `Inactive`; `reactivate <key-id>` flips it back to `Active` (then deactivate again for the next test)
- `./scripts/aws/manage-iam-keys.py ses-iam ses-swiss remove <key-id>` succeeds for an `Inactive` key that is never-used or last used 24h+ ago
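The `list` record shape and the `remove` guard described above (Inactive, and never used or idle 24h+, unless `--force`), as an added example that is not the PR's own script: it works on dicts shaped like boto3's `list_access_keys` and `get_access_key_last_used` responses, with the function names, `DRAIN_WINDOW`, and the sample data all constructed here rather than taken from the project.

```python
from datetime import datetime, timedelta, timezone

DRAIN_WINDOW = timedelta(hours=24)  # idle time required before a non-forced remove

def key_record(metadata, last_used):
    # Flatten boto3-shaped list_access_keys + get_access_key_last_used output
    # into the fields the `list` subcommand prints as JSON.
    lu = last_used.get("AccessKeyLastUsed", {})
    used = lu.get("LastUsedDate")
    return {
        "AccessKeyId": metadata["AccessKeyId"],
        "Status": metadata["Status"],
        "CreateDate": metadata["CreateDate"].isoformat(),
        "LastUsedDate": used.isoformat() if used else None,
        "LastUsedService": lu.get("ServiceName"),
        "LastUsedRegion": lu.get("Region"),
    }

def removal_blockers(record, now, force=False):
    # Reasons `remove` must refuse (empty = allowed); --force skips the checks.
    if force:
        return []
    reasons = []
    if record["Status"] != "Inactive":
        reasons.append("key is still Active; deactivate it first")
    if record["LastUsedDate"] is not None:
        idle = now - datetime.fromisoformat(record["LastUsedDate"])
        if idle < DRAIN_WINDOW:
            reasons.append("key used within the last 24h; let in-flight usage drain")
    return reasons

# Constructed sample shaped like boto3's IAM responses (placeholder key id).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_META = {"AccessKeyId": "AKIAEXAMPLEPLACEHOLDER", "Status": "Inactive",
               "CreateDate": NOW - timedelta(days=90)}
SAMPLE_LAST_USED = {"AccessKeyLastUsed": {"LastUsedDate": NOW - timedelta(hours=2),
                                          "ServiceName": "ses", "Region": "us-east-1"}}

def demo():
    # Exercise the guard at the points the PR's test plan walks through.
    rec = key_record(SAMPLE_META, SAMPLE_LAST_USED)
    return {
        "record": rec,
        "inactive_recent": removal_blockers(rec, NOW),
        "inactive_drained": removal_blockers(rec, NOW + timedelta(hours=23)),
        "active_recent": removal_blockers(dict(rec, Status="Active"), NOW),
        "never_used": removal_blockers(dict(rec, LastUsedDate=None), NOW),
        "forced": removal_blockers(dict(rec, Status="Active"), NOW, force=True),
    }
```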