@jharrington22
Last active March 26, 2020 17:23
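#!/bin/bash
#
# Audit a list of AWS accounts for the two OSD-managed IAM users.
#
# For every account ID in the list file the script assumes
# OrganizationAccountAccessRole from the source profile, confirms via STS that
# the temporary credentials really belong to that account, and then reports
# whether the osdManagedAdmin and osdManagedAdminSRE IAM users are missing.
#
# Usage: $0 [ACCOUNT_LIST_FILE]
#   ACCOUNT_LIST_FILE  one 12-digit account ID per line
#                      (default: reset-list-03-25-20)
# Environment:
#   SOURCE_PROFILE     AWS CLI profile allowed to assume the role
#                      (default: osd-staging-1)
#   ROLE_SESSION_NAME  session name recorded for the assumed role
#                      (default: SREAdminCreateUserJames)
#
# Exits 1 on the first account that cannot be assumed or inspected, so a
# failed API call is never reported as "user missing". Do not run with
# `set -x`: the temporary credentials would be written to the trace output.
set -euo pipefail

readonly ACCOUNT_LIST=${1:-reset-list-03-25-20}
readonly SOURCE_PROFILE=${SOURCE_PROFILE:-osd-staging-1}
readonly ROLE_SESSION_NAME=${ROLE_SESSION_NAME:-SREAdminCreateUserJames}
readonly ROLE_NAME=OrganizationAccountAccessRole

#######################################
# Remove the assumed-role credentials from the environment.
# Runs after every account and on every exit path (via trap) so one account's
# credentials never linger into the next iteration or outlive the script.
# Note: the original script unset the non-existent AWS_SECRET_ACCESS_KEY_ID and
# so left AWS_SECRET_ACCESS_KEY exported.
# Globals: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN (unset)
#######################################
clear_assumed_creds() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}
trap clear_assumed_creds EXIT

#######################################
# Export temporary credentials for ROLE_NAME in one account.
# Arguments: $1 - 12-digit AWS account ID
# Globals:   reads ROLE_NAME, ROLE_SESSION_NAME, SOURCE_PROFILE;
#            exports AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
# Returns:   non-zero if assume-role fails or the credentials obtained do not
#            identify the requested account
#######################################
assume_account_role() {
  local account_id=$1
  local creds_json
  # --output json: jq below must not depend on the profile's output setting.
  creds_json=$(aws sts assume-role \
    --role-arn "arn:aws:iam::${account_id}:role/${ROLE_NAME}" \
    --role-session-name "$ROLE_SESSION_NAME" \
    --profile="$SOURCE_PROFILE" \
    --output json) || return 1

  # Assign first and export afterwards so a failing jq is not masked by export.
  AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' <<<"$creds_json")
  AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' <<<"$creds_json")
  AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' <<<"$creds_json")
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

  # Prove the exported credentials belong to the requested account before any
  # IAM call is made with them. Compared as strings: an empty or "null" value
  # from a failed call simply fails to match.
  local caller_account
  caller_account=$(aws sts get-caller-identity --output json | jq -r '.Account') || return 1
  if [[ "$caller_account" != "$account_id" ]]; then
    echo "Error assuming role? Caller identity doesn't match the AWS Account ID passed in" >&2
    return 1
  fi
}

#######################################
# Print one line per OSD-managed IAM user that is missing from the account the
# exported credentials belong to.
# Arguments: $1 - account ID, used only in the report lines
# Globals:   uses the exported assumed-role credentials
# Outputs:   "osdManagedAdmin user missing for <id>" and/or
#            "osdManagedAdminSRE user missing for <id>" on stdout
# Returns:   non-zero if the user list cannot be retrieved
#######################################
report_missing_users() {
  local account_id=$1
  local user_names
  # Capture the list first: a failure here must abort rather than be read as
  # "no users" (a process substitution would hide the non-zero status).
  user_names=$(aws iam list-users --output json | jq -r '.Users[].UserName') || return 1

  local admin_missing=true
  local admin_sre_missing=true
  local user
  while IFS= read -r user; do
    case "$user" in
      osdManagedAdmin) admin_missing=false ;;
      osdManagedAdminSRE) admin_sre_missing=false ;;
    esac
  done <<<"$user_names"

  if [[ "$admin_missing" == true ]]; then
    echo "osdManagedAdmin user missing for $account_id"
  fi
  if [[ "$admin_sre_missing" == true ]]; then
    echo "osdManagedAdminSRE user missing for $account_id"
  fi
}

#######################################
# Iterate over the account list and audit each account in turn.
# Globals:   reads ACCOUNT_LIST, ROLE_NAME
# Returns:   exits 1 on an unreadable list, a malformed ID, or a failed account
#######################################
main() {
  if [[ ! -r "$ACCOUNT_LIST" ]]; then
    echo "Error: cannot read account list ${ACCOUNT_LIST}" >&2
    exit 1
  fi

  # Read the whole list up front so nothing run inside the loop can consume
  # the list from stdin.
  local -a account_ids
  mapfile -t account_ids < "$ACCOUNT_LIST"

  local id
  for id in "${account_ids[@]}"; do
    id=${id%$'\r'}               # tolerate CRLF line endings
    [[ -z "$id" ]] && continue   # skip blank lines

    # Validate before the ID is interpolated into a role ARN.
    if [[ ! "$id" =~ ^[0-9]{12}$ ]]; then
      echo "Error: '${id}' is not a 12-digit AWS account ID" >&2
      exit 1
    fi

    echo "Checking account $id"
    if ! assume_account_role "$id"; then
      echo "Error: could not assume ${ROLE_NAME} in account $id" >&2
      exit 1
    fi
    if ! report_missing_users "$id"; then
      echo "Error: could not list IAM users in account $id" >&2
      exit 1
    fi

    # Drop this account's credentials before moving on to the next one.
    clear_assumed_creds
  done
}

main "$@"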