Handy of you have multiple aws accounts, utility that interrogates your aws config and generates aws-vault command lines and passwords to facilitate secret rotation.

RotateAwsCreds.py

#!/usr/bin/env python3

import configparser
import re
import string
from random import choice
from os.path import expanduser

PasswordLength = 32
SpecialCount = 4
AccountInfo    = []
HomeDir        = expanduser("~")

def GenPasswd(length, specialcount):
    SpecialCounter = 0
    alphanum  = string.ascii_letters+string.digits
    special   = "!@#$%^&*()_+-=[]{\\}|"
    newpasswd = ""

    for character in range(length):
        if SpecialCounter >= abs(length / specialcount - 1) and character < length - 1:
            newpasswd = newpasswd + choice(special)
            SpecialCounter = 0
        else:
            newpasswd = newpasswd + choice(alphanum)

        SpecialCounter = SpecialCounter+1

    return newpasswd

config = configparser.ConfigParser()
config.read(HomeDir+"/.aws/config")

sections = config.sections()

for section in sections:
    if config[section].get("mfa_serial"):
        vaultid = re.sub("^profile ","",section)
        userid = re.sub("^.*/","",config[section]["mfa_serial"])
        passwd = GenPasswd(PasswordLength, SpecialCount)

        AccountInfo.append({
            "vaultid": vaultid,
            "userid" : userid,
            "passwd" : passwd,
        })

for account in AccountInfo:
    vaultid = account["vaultid"]
    print(f"aws-vault rotate -n {vaultid}")

for account in AccountInfo:
    vaultid = account["vaultid"]
    userid  = account["userid"]
    passwd  = account["passwd"]
    print(f"aws-vault exec -n {vaultid} -- aws iam update-login-profile --user-name {userid} --password '{passwd}'")