
@UnixSage
Created March 2, 2021 19:33
Handy if you have multiple AWS accounts: a utility that interrogates your AWS config and generates aws-vault command lines and passwords to facilitate secret rotation.
#!/usr/bin/env python3
import configparser
import re
import secrets
import shlex
import string
from os.path import expanduser
from random import choice
# Length, in characters, of every generated password.
PasswordLength = 32
# Passed to GenPasswd as its specialcount argument.
SpecialCount = 4
# Filled further down with one dict per profile that declares an mfa_serial.
AccountInfo = list()
# Home directory of the current user; the AWS config path is built from it.
HomeDir = expanduser("~")
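def GenPasswd(length, specialcount):
    """Return a random password of ``length`` characters.

    Characters are drawn with ``secrets.choice`` (the OS CSPRNG) rather than
    ``random.choice``: the ``random`` module is a deterministic Mersenne
    Twister and is not meant for generating credentials.

    Layout: an alphanumeric character is emitted until the run since the last
    special character reaches ``abs(length / specialcount - 1)``, at which
    point one special character is emitted. The final position is always
    alphanumeric. The special positions are therefore fixed by the arguments
    and add no positional entropy. For (32, 4) they are indexes 7, 15 and 23,
    which is three specials, not four.

    Args:
        length: Number of characters to generate.
        specialcount: Spacing parameter for special characters. ``0`` yields
            an alphanumeric-only password instead of ZeroDivisionError.

    Returns:
        The generated password as a ``str``.
    """
    alphanum = string.ascii_letters + string.digits
    # No single quote or whitespace, so the result can sit inside '...' in a
    # POSIX shell command line.
    special = "!@#$%^&*()_+-=[]{\\}|"

    # Run length of alphanumerics required before the next special character;
    # None disables special characters entirely.
    gap = abs(length / specialcount - 1) if specialcount else None

    chars = []
    since_special = 0
    for position in range(length):
        wants_special = gap is not None and since_special >= gap
        if wants_special and position < length - 1:
            chars.append(secrets.choice(special))
            since_special = 0
        else:
            chars.append(secrets.choice(alphanum))
            since_special += 1
    return "".join(chars)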
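# Load the AWS CLI config. ConfigParser.read() silently skips a file it cannot
# open, in which case no sections are found and nothing is printed.
config = configparser.ConfigParser()
config.read(HomeDir + "/.aws/config")
sections = config.sections()

# Collect one entry per profile that declares an MFA device.
for section in sections:
    mfa_serial = config[section].get("mfa_serial")
    if not mfa_serial:
        continue
    AccountInfo.append({
        # Section headers look like "profile NAME"; aws-vault wants NAME.
        "vaultid": re.sub("^profile ", "", section),
        # Keep only what follows the last "/" of the MFA serial.
        "userid": re.sub("^.*/", "", mfa_serial),
        "passwd": GenPasswd(PasswordLength, SpecialCount),
    })

# First pass: one access-key rotation command per profile.
# Values from the config file are shell-quoted because the printed lines are
# meant to be pasted into a shell; shlex.quote leaves ordinary names unchanged.
for account in AccountInfo:
    vaultid = shlex.quote(account["vaultid"])
    print(f"aws-vault rotate -n {vaultid}")

# Second pass: one console-password change command per profile.
# NOTE: each printed line carries the new password in clear text. It is
# visible in terminal scrollback and, once the command is run, in shell
# history and the process argument list. Capture the output accordingly.
for account in AccountInfo:
    vaultid = shlex.quote(account["vaultid"])
    userid = shlex.quote(account["userid"])
    passwd = shlex.quote(account["passwd"])
    print(f"aws-vault exec -n {vaultid} -- aws iam update-login-profile --user-name {userid} --password {passwd}")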