Use AWS IAM for ssh key management
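#!/bin/sh
#
# aws-iam-authorized-keys
# author: Jonathan Cormier <jonathan@cormier.co>
#
# Last modified: Jan 29, 2017
#
# Purpose: sshd AuthorizedKeysCommand that prints the SSH public keys stored
# on the IAM user whose name matches the local account sshd is authenticating.
# Each key body is written to stdout on its own line, which is the format
# sshd reads from an authorized_keys file.
#
# Arguments: $1 (username from sshd)
#
# Exit status:
#   0 - keys printed, or nothing to print (no username / no keys on the user)
#   1 - an AWS CLI call failed; sshd discards the output of a command that
#       exits non-zero, so a broken lookup is not mistaken for "no keys"
#
# The script makes exactly two IAM API calls, iam:ListSSHPublicKeys and
# iam:GetSSHPublicKey; the credentials it runs with need nothing more.
#
REMOVE_INACTIVE_KEYS=1
# User? Stop! Do not edit below this line without knowledge of how this works.
# Thank you, have a good day.
USERNAME=${1-}
AWSCLI=/usr/bin/aws
LOGGER=/usr/bin/logger
# No username? We're done.
if [ -z "$USERNAME" ]; then
  exit 0
fi
# Only Active keys by default: IAM can mark a key Inactive without deleting
# it, and an Inactive key must not grant access.
SSH_LIST_QUERY="SSHPublicKeys[?Status=='Active'].[SSHPublicKeyId]"
# Query for all keys
if [ "$REMOVE_INACTIVE_KEYS" -eq 0 ]; then
  SSH_LIST_QUERY="SSHPublicKeys[].[SSHPublicKeyId]"
fi
# List Keys. The query must be quoted: unquoted, its "[?...]" is a shell glob.
SSHPUBKEYS=$( \
  "$AWSCLI" iam list-ssh-public-keys \
    --user-name "$USERNAME" \
    --query "$SSH_LIST_QUERY" \
    --output text \
) || {
  # A failed API call (no credentials, no network, no permission) is not the
  # same as a user with no keys; log it separately and fail the lookup.
  "$LOGGER" --priority authpriv.err "Failed to list SSH public keys for $USERNAME"
  exit 1
}
# Log users with no keys
if [ -z "$SSHPUBKEYS" ]; then
  "$LOGGER" --priority authpriv.warn "No SSH public keys found for $USERNAME"
  exit 0
fi
# Loop through keys, most times only one (1). But, there could be more.
# Word-splitting on $SSHPUBKEYS is intentional: --output text yields one
# key id per line, and an id is a single token with no whitespace.
for KEY in $SSHPUBKEYS; do
  # Retrieve SSH public key
  SSHPUBKEY=$( \
    "$AWSCLI" iam get-ssh-public-key \
      --user-name "$USERNAME" \
      --ssh-public-key-id "$KEY" \
      --encoding SSH \
      --output text \
      --query SSHPublicKey.SSHPublicKeyBody \
  ) || {
    # Exit non-zero rather than print a partial list; sshd then ignores
    # everything emitted so far instead of authorising against it.
    "$LOGGER" --priority authpriv.err "Failed to retrieve SSH public key $KEY for $USERNAME"
    exit 1
  }
  # printf rather than echo: key bodies are emitted verbatim, untouched by
  # echo's option or escape handling.
  printf '%s\n' "$SSHPUBKEY"
done
exit 0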
# Check AWS IAM for authorized keys
# With no arguments given here, sshd passes the target username as the
# command's only argument, which is what the script above expects in $1.
AuthorizedKeysCommand /usr/local/bin/aws-iam-authorized-keys
# The command runs under this account. sshd's manual recommends a dedicated
# user that has no other role on the host rather than root; the script only
# needs to run the aws CLI and logger.
AuthorizedKeysCommandUser root
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys"
],
"Resource": [
"*"
]
}
]
}