Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Find an AWS IAM user corresponding to an AWS Access Key
# Find the IAM username belonging to the TARGET_ACCESS_KEY
# Useful for finding IAM user corresponding to a compromised AWS credential
# Requirements:
#
# Environmental variables:
# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
# python:
# boto
import boto.iam
TARGET_ACCESS_KEY = 'TARGET_KEY'
iam = boto.connect_iam()
users = iam.get_all_users('/')['list_users_response']['list_users_result']['users']
def find_key():
for user in users:
for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
aws_access_key = key_result['access_key_id']
if aws_access_key == TARGET_ACCESS_KEY:
print 'Target key belongs to:'
print 'user : ' + user['user_name']
return True
return False
if not find_key():
print 'Did not find access key (' + TARGET_ACCESS_KEY + ') in ' + str(len(users)) + ' IAM users.'
@heskyji
Copy link

heskyji commented Jun 11, 2015

๐Ÿ‘

@cmvelo
Copy link

cmvelo commented Jun 11, 2015

excellent script - thanks! ๐Ÿ‘

@zxjinn
Copy link

zxjinn commented Jun 25, 2015

I've forked this gist and updated it to search more than 100 users: https://gist.github.com/zxjinn/1693a7b4623c4cd25b6d

@agbodike
Copy link

agbodike commented Aug 3, 2015

This was super helpful, thanks! ๐Ÿ‘

@dgolja
Copy link

dgolja commented Aug 27, 2015

๐Ÿ‘

@mikeghen
Copy link

mikeghen commented Sep 4, 2015

๐Ÿ‘ Super helpful!

@ForestJay
Copy link

Cool. I forked it and modified it so that the key could be passed from the command line.

@ianneub
Copy link

ianneub commented Sep 16, 2015

๐Ÿ‘

And thanks @ForestJay for your fork.

@axelabs
Copy link

axelabs commented Sep 22, 2015

Nice. Alternatively, here is a way to do this with the aws CLI tools:

AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
aws --output text iam list-users | awk '{print $NF}' | xargs -P10 -n1 aws --output text iam list-access-keys --user-name | grep $AWS_ACCESS_KEY

If your personal access key (.aws/credentials) does not have iam premissions, the error will show the key owner's user name, which is nice.

@mhoglan
Copy link

mhoglan commented Nov 12, 2015

I know this dated, but this comes up as a top google search so figured it would be useful to add this here

You can use the IAM get-user call and avoid having to loop through users and their keys. You will either get the user information (and thus the ARN), or the error will specify the ARN (similar to the list-users).

By default the get-user will get the information for the keys used to connect.

aws iam get-user
A client error (AccessDenied) occurred when calling the GetUser operation: User: arn:aws:iam::account:user/username is not authorized to perform: iam:GetUser on resource: arn:aws:iam::account:user/username

or

{
    "User": {
        "UserName": "user",
        "Path": "/",
        "CreateDate": "date",
        "UserId": "ID",
        "Arn": "arn:aws:iam::account:user/username"
    }
}

@burdandrei
Copy link

@mhoglan made my day, cause the script can't find non IAM account ;)

@ctompkinson
Copy link

๐Ÿ‘

@pavelch
Copy link

pavelch commented Mar 24, 2017

Thanks!

@andymotta
Copy link

Thanks for doing all the hard work. Adapted for boto3 (w/credit) here: https://gist.github.com/andymotta/9bb9b28da3816fbc469e9057435bf802

@root360-AndreasUlm
Copy link

Short enhancement by adding loop to run check for every configure AWS profile:

for profile in $(grep -F '[profi' .aws/config | cut -d' ' -f2 | cut -d']' -f1); do
    aws --profile "${profile}" --output text iam list-users | awk '{print $NF}' | xargs -P10 -n1 aws --profile "${profile}" --output text iam list-access-keys --user-name | grep $AWS_ACCESS_KEY
done

@robperc
Copy link

robperc commented Jun 24, 2017

Just a heads-up this can be done with a single call using the "get_access_key_last_used" method of the boto3 IAM client.

http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_access_key_last_used

@andymotta
Copy link

@AnthonyWC
Copy link

For AWS CLI; you can use this one-liner: aws iam get-access-key-last-used --access-key-id $AWS_ACCESS_KEY_ID

@kavinda1995
Copy link

Nice. Alternatively, here is a way to do this with the aws CLI tools:

AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
aws --output text iam list-users | awk '{print $NF}' | xargs -P10 -n1 aws --output text iam list-access-keys --user-name | grep $AWS_ACCESS_KEY

If your personal access key (.aws/credentials) does not have iam premissions, the error will show the key owner's user name, which is nice.

This works perfectly. Thanks @axelabs

@pc-star
Copy link

pc-star commented Sep 30, 2019

For AWS CLI; you can use this one-liner: aws iam get-access-key-last-used --access-key-id $AWS_ACCESS_KEY_ID

Thanks @AnthonyWC for that. it was all I needed ๐Ÿ‘

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment