@jonathanwcrane
Created January 14, 2016 18:16
Working code to find non-interactive IAM users (service accounts)
import argparse
import re

import boto3
from botocore.exceptions import ClientError

parser = argparse.ArgumentParser(description='Find non-interactive IAM users (service accounts)')
parser.add_argument('--doit', action='store_true', help='rename mis-named service accounts instead of a dry run')
args = parser.parse_args()

iam = boto3.resource('iam')
# Assumed naming convention (svc_re is not defined in the original gist): service accounts start with "svc_"
svc_re = re.compile(r'^svc_')

for user in iam.users.all():
    # Nothing is initially loaded
    profile = user.LoginProfile()
    try:
        profile.load()
        # We don't care if this works: a login profile means the user has a console password
    except ClientError as e:
        if 'NoSuchEntity' in e.response['Error']['Code']:
            # No login profile: this user can only authenticate with access keys, i.e. a service account
            nm = user.name
            #print(nm,"is a service account.")
            if not svc_re.search(nm):
                new_name = 'svc_' + nm
                print(nm, "is a mis-named service account and should be renamed to", new_name)
                if args.doit:
                    user.update(NewUserName=new_name)
                    print("User updated.")
                else:
                    print("Dry run only, no change made")
        else:
            raise e
glnds commented Mar 29, 2018

# If your users (or AWS account) were created after October 20th, 2014, then the code below should do the trick.
# http://boto3.readthedocs.io/en/latest/reference/services/iam.html#IAM.User.password_last_used
# It makes the code far less verbose ;-)

import boto3

iam = boto3.resource('iam')

for iam_user in iam.users.all():
    # password_last_used is None when the user has no console password,
    # or when the password has never been used to sign in since AWS began tracking it
    if iam_user.password_last_used:
        print('User has console access')
    else:
        print('User has only programmatic access')

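The two approaches on this page (the gist's LoginProfile check and glnds' password_last_used shortcut) do not always agree. The added example below, which is not part of the gist or the comment, runs both classifiers over a constructed set of user records and reports where they diverge, plus the naming drift the gist looks for; the `svc_` prefix convention and the field names in SAMPLE_USERS are assumptions for the example.

```python
import re
from datetime import datetime, timezone

# Assumed naming convention (matches the gist's 'svc_' + name rename): service accounts carry an svc_ prefix
SVC_RE = re.compile(r"^svc_")

# Constructed sample of per-user facts an IAM audit would gather (not real account data):
#   login_profile      -> True when GetLoginProfile succeeds, False on NoSuchEntity
#   password_last_used -> User.password_last_used, None when AWS reports no value
#   access_keys        -> status of each access key from ListAccessKeys
SAMPLE_USERS = [
    {"name": "alice", "login_profile": True, "password_last_used": datetime(2018, 3, 1, tzinfo=timezone.utc), "access_keys": []},
    {"name": "bob", "login_profile": True, "password_last_used": None, "access_keys": []},  # console user who never signed in
    {"name": "deploy-bot", "login_profile": False, "password_last_used": None, "access_keys": ["Active"]},
    {"name": "svc_backup", "login_profile": False, "password_last_used": None, "access_keys": ["Active"]},
    {"name": "legacy", "login_profile": False, "password_last_used": None, "access_keys": []},  # no credentials at all
]

def classify_by_login_profile(user):
    """The gist's method: a missing LoginProfile (NoSuchEntity) marks a service account."""
    return "console" if user["login_profile"] else "service"

def classify_by_password_last_used(user):
    """glnds' shortcut: a recorded password use marks console access."""
    return "console" if user["password_last_used"] else "service"

def audit(users):
    """Run both classifiers and report disagreements, unused identities and naming drift."""
    findings = []
    for u in users:
        by_profile = classify_by_login_profile(u)
        by_last_used = classify_by_password_last_used(u)
        if by_profile != by_last_used:
            # password_last_used is empty for a console password that was never used,
            # so the shortcut classifies such users as programmatic-only
            findings.append((u["name"], "methods disagree: console password exists but was never used"))
        if by_profile == "service":
            if not u["access_keys"]:
                findings.append((u["name"], "no login profile and no access keys: unused identity"))
            if not SVC_RE.search(u["name"]):
                findings.append((u["name"], "mis-named service account, suggested name svc_" + u["name"]))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_USERS):
        print(name, "->", issue)
```

In a real run, the dictionaries would be filled from boto3 calls such as the LoginProfile load and User.password_last_used shown above, and the "unused identity" finding is the one worth acting on first.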