Handy if you have multiple AWS accounts: a utility that reads your AWS config and generates aws-vault command lines and passwords to facilitate secret rotation.
#!/usr/bin/env python3
import configparser
import re
import secrets
import shlex
import string
from os.path import expanduser
from random import choice
# Total number of characters per generated password (passed to GenPasswd as `length`).
PasswordLength = 32
# Spacing control for special characters (passed to GenPasswd as `specialcount`).
SpecialCount = 4
# One dict per profile that has an mfa_serial setting; each entry carries the
# keys "vaultid", "userid" and "passwd" and is appended by the config loop below.
AccountInfo = []
# Current user's home directory; used to build the path to .aws/config.
HomeDir = expanduser("~")
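def GenPasswd(length, specialcount):
    """Return a random password of ``length`` characters.

    Every character is drawn with ``secrets.choice`` (the operating system's
    CSPRNG). The ``random`` module is a deterministic Mersenne Twister whose
    output can be reconstructed from observed values, so it is not suitable
    for generating credentials.

    Layout: a character from the special set is emitted each time
    ``abs(length / specialcount - 1)`` alphanumerics have been written since
    the previous special, and never in the final position. All other
    positions hold an ASCII letter or digit. The *positions* of the specials
    are therefore fixed for a given ``(length, specialcount)``; only the
    characters themselves are random.

    Args:
        length: total number of characters to generate.
        specialcount: controls the spacing of special characters. ``0``
            yields a password with no special characters instead of
            dividing by zero.

    Returns:
        The generated password as a ``str``.
    """
    alphanum = string.ascii_letters + string.digits
    special = "!@#$%^&*()_+-=[]{\\}|"

    # No specials requested: avoid the division below entirely.
    if specialcount == 0:
        return "".join(secrets.choice(alphanum) for _ in range(length))

    gap = abs(length / specialcount - 1)
    chars = []
    since_special = 0
    for position in range(length):
        # The last position is always alphanumeric.
        if since_special >= gap and position < length - 1:
            chars.append(secrets.choice(special))
            since_special = 0
        else:
            chars.append(secrets.choice(alphanum))
            since_special += 1
    return "".join(chars)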
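# Load the AWS CLI configuration from the per-user default location.
config = configparser.ConfigParser()
config.read(HomeDir + "/.aws/config")
sections = config.sections()

# Collect one entry per profile that has an mfa_serial setting and generate a
# new console password for it.
for section in sections:
    mfa_serial = config[section].get("mfa_serial")
    if not mfa_serial:
        continue
    AccountInfo.append({
        # Section headers look like "profile NAME"; keep only NAME.
        "vaultid": re.sub("^profile ", "", section),
        # Keep only the part of the MFA serial after the last "/".
        "userid": re.sub("^.*/", "", mfa_serial),
        "passwd": GenPasswd(PasswordLength, SpecialCount),
    })

# Values taken from the config file are shell-quoted before being placed in a
# command line that is meant to be pasted into a shell, so a profile or user
# name containing spaces or metacharacters cannot alter the command.
for account in AccountInfo:
    vaultid = shlex.quote(account["vaultid"])
    print(f"aws-vault rotate -n {vaultid}")

# SECURITY NOTE: the lines printed below contain the new passwords in clear
# text. They reach the terminal scrollback (or whatever stdout is redirected
# to), and once a line is executed the password is a command-line argument,
# which typically ends up in shell history and is visible in the process list
# while the command runs. Treat the output as secret material and clear it
# after use. NOTE(review): supplying the request via `--cli-input-json
# file://...` from a permission-restricted file would keep the password off
# the command line -- confirm it fits the aws-vault workflow before switching.
for account in AccountInfo:
    vaultid = shlex.quote(account["vaultid"])
    userid = shlex.quote(account["userid"])
    passwd = shlex.quote(account["passwd"])
    print(f"aws-vault exec -n {vaultid} -- aws iam update-login-profile --user-name {userid} --password {passwd}")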