okram999/deleteiam

## deleteiam
import boto3

client = boto3.client('iam')

def isPasswordEnabled(username):
   iam = boto3.resource('iam')
   login_profile = iam.LoginProfile(username)
   try:
     login_profile.create_date
     return True
   except:
     return False

def delete_access_key(username):
  access_keyid_list = []
  access_keys_response=client.list_access_keys(UserName = username)
  for key in access_keys_response['AccessKeyMetadata']:
      access_keyid_list.append(key['AccessKeyId'])
  print(f"List of accesskeyids for username {username}: {access_keyid_list}")
  print("deleting the access keys...")
  for keyid in access_keyid_list:
      client.delete_access_key(UserName = user['UserName'], AccessKeyId=keyid)
      print(f"Deleted the access_key_id: {keyid}")

def delete_profile(username):
  # check if login profile exist
  if isPasswordEnabled(username):
    client.delete_login_profile(UserName = username)
    print(f"Deleted login profile for username: {username}")
  else:
    print(f"{username} does not have a password assigned.")


def delete_sign_cert(username):
  cert_list = []
  response = client.list_signing_certificates(UserName=username)
  for cert in response['Certificates']:
    cert_list.append(cert['CertificateId'])
  print(cert_list)
  for cert in cert_list:
    client.delete_signing_certificate(UserName=username, CertificateId=cert)
    print(f"Deleted certid: {cert} for username: {username}")


def delete_pub_ssh(username):
  ssh_key_list = []
  response = client.list_ssh_public_keys(UserName=username)
  for ssh_key in response['SSHPublicKeys']:
    ssh_key_list.append(ssh_key['SSHPublicKeyId'])
  print(f"ssh_key_list for username, {username}: {ssh_key_list}")
  for keyid in ssh_key_list:
    client.delete_ssh_public_key(UserName=username, SSHPublicKeyId=keyid)
    print(f"Deleted public_ssh_key_id: {keyid} for username: {username}")


def delete_svc_cred(username):
  svc_cred_list = []
  response = client.list_service_specific_credentials(UserName=username)
  for ServiceSpecificCredential in response['ServiceSpecificCredentials']:
    svc_cred_list.append(ServiceSpecificCredential['ServiceSpecificCredentialId'])
  print(f"svc_cred_list for username, {username}: {svc_cred_list}")
  for svc_cred in svc_cred_list:
    client.delete_service_specific_credential(UserName=username, ServiceSpecificCredentialId=svc_cred)
    print(f"Deleted svc_cred: {svc_cred} for username: {username}")

def mfa_device(username):
  #list
  device_sn_list = []
  response = client.list_virtual_mfa_devices(AssignmentStatus='Assigned')
  #find any for the user
  for VirtualMFADevice in response['VirtualMFADevices']:
    if VirtualMFADevice['User']['UserName'] == username:
      device_sn_list.append(VirtualMFADevice['SerialNumber'])
  print(f"device_sn_list for username: {username} is: {device_sn_list}")
  #deactivate
  for sn in device_sn_list:
    client.deactivate_mfa_device(
      UserName=username,
      SerialNumber=sn
    )
    print(f"mfa device with serial_number: {sn} assigned to user: {username} have been deactivated")
    client.delete_virtual_mfa_device(
    SerialNumber=sn
    )
    print(f"mfa device with serial_number: {sn} assigned to user: {username} have been deleted")


response = client.list_users()

for user in response['Users']:
  tags = client.list_user_tags(UserName = user['UserName'])
  if tags['Tags']:
    for tag in tags['Tags']:
      if tag['Key'] == 'Type' and tag['Value'] == 'service-user':
        print(f"{user['UserName']} is a service account, not deleting...")
  else:
    # delete_profile(user['UserName'])
    # delete_access_key(user['UserName'])
    # delete_sign_cert(user['UserName'])
    # delete_pub_ssh(user['UserName'])
    # delete_svc_cred(user['UserName'])
    mfa_device(user['UserName'])

# def lambda_handler(event, context):
	import boto3

	client = boto3.client('iam')

	def isPasswordEnabled(username):
	iam = boto3.resource('iam')
	login_profile = iam.LoginProfile(username)
	try:
	login_profile.create_date
	return True
	except:
	return False

	def delete_access_key(username):
	access_keyid_list = []
	access_keys_response=client.list_access_keys(UserName = username)
	for key in access_keys_response['AccessKeyMetadata']:
	access_keyid_list.append(key['AccessKeyId'])
	print(f"List of accesskeyids for username {username}: {access_keyid_list}")
	print("deleting the access keys...")
	for keyid in access_keyid_list:
	client.delete_access_key(UserName = user['UserName'], AccessKeyId=keyid)
	print(f"Deleted the access_key_id: {keyid}")

	def delete_profile(username):
	# check if login profile exist
	if isPasswordEnabled(username):
	client.delete_login_profile(UserName = username)
	print(f"Deleted login profile for username: {username}")
	else:
	print(f"{username} does not have a password assigned.")


	def delete_sign_cert(username):
	cert_list = []
	response = client.list_signing_certificates(UserName=username)
	for cert in response['Certificates']:
	cert_list.append(cert['CertificateId'])
	print(cert_list)
	for cert in cert_list:
	client.delete_signing_certificate(UserName=username, CertificateId=cert)
	print(f"Deleted certid: {cert} for username: {username}")


	def delete_pub_ssh(username):
	ssh_key_list = []
	response = client.list_ssh_public_keys(UserName=username)
	for ssh_key in response['SSHPublicKeys']:
	ssh_key_list.append(ssh_key['SSHPublicKeyId'])
	print(f"ssh_key_list for username, {username}: {ssh_key_list}")
	for keyid in ssh_key_list:
	client.delete_ssh_public_key(UserName=username, SSHPublicKeyId=keyid)
	print(f"Deleted public_ssh_key_id: {keyid} for username: {username}")


	def delete_svc_cred(username):
	svc_cred_list = []
	response = client.list_service_specific_credentials(UserName=username)
	for ServiceSpecificCredential in response['ServiceSpecificCredentials']:
	svc_cred_list.append(ServiceSpecificCredential['ServiceSpecificCredentialId'])
	print(f"svc_cred_list for username, {username}: {svc_cred_list}")
	for svc_cred in svc_cred_list:
	client.delete_service_specific_credential(UserName=username, ServiceSpecificCredentialId=svc_cred)
	print(f"Deleted svc_cred: {svc_cred} for username: {username}")

	def mfa_device(username):
	#list
	device_sn_list = []
	response = client.list_virtual_mfa_devices(AssignmentStatus='Assigned')
	#find any for the user
	for VirtualMFADevice in response['VirtualMFADevices']:
	if VirtualMFADevice['User']['UserName'] == username:
	device_sn_list.append(VirtualMFADevice['SerialNumber'])
	print(f"device_sn_list for username: {username} is: {device_sn_list}")
	#deactivate
	for sn in device_sn_list:
	client.deactivate_mfa_device(
	UserName=username,
	SerialNumber=sn
	)
	print(f"mfa device with serial_number: {sn} assigned to user: {username} have been deactivated")
	client.delete_virtual_mfa_device(
	SerialNumber=sn
	)
	print(f"mfa device with serial_number: {sn} assigned to user: {username} have been deleted")


	response = client.list_users()

	for user in response['Users']:
	tags = client.list_user_tags(UserName = user['UserName'])
	if tags['Tags']:
	for tag in tags['Tags']:
	if tag['Key'] == 'Type' and tag['Value'] == 'service-user':
	print(f"{user['UserName']} is a service account, not deleting...")
	else:
	# delete_profile(user['UserName'])
	# delete_access_key(user['UserName'])
	# delete_sign_cert(user['UserName'])
	# delete_pub_ssh(user['UserName'])
	# delete_svc_cred(user['UserName'])
	mfa_device(user['UserName'])

	# def lambda_handler(event, context):