deploy: 87cc2f1b80c237b8cc3e33afaf30f2b9cd5d6fb5

davegallant
2022-12-12 02:54:14 +00:00
parent a62946b1ff
commit b49281dc1e
12 changed files with 68 additions and 74 deletions

@@ -186,10 +186,8 @@ One min read
</div>
</div>
</header>
<div class="container entry-content">
<p>Rotating credentials is a security best practice. This morning, I read a question about automatically rotating AWS Access Keys without having to go through the hassle of navigating the AWS console. There are some existing solutions already, but I decided to write a <a href=https://gist.github.com/davegallant/2c042686a78684a657fe99e20fa7a924#file-aws_access_key_rotator-py>script</a> since it was incredibly simple. The script could be packed up as a systemd/launchd service to continually rotate access keys in the background.</p>
<p>In the longer term, migrating my local workflows to <a href=https://github.com/99designs/aws-vault>aws-vault</a> seems like a more secure solution. This would mean that credentials (even temporary session credentials) never have to be written in plaintext to disk (i.e. where <a href=https://docs.aws.amazon.com/sdkref/latest/guide/file-location.html>AWS suggests</a>). Any existing applications, such as terraform, could be have their credentials passed to them from aws-vault, which retrieves them from the OS&rsquo;s secure keystore. There is even a <a href=https://github.com/99designs/aws-vault/blob/master/USAGE.md#rotating-credentials>rotate command</a> included.</p>
</div>
<div class="container entry-content"><p>Rotating credentials is a security best practice. This morning, I read a question about automatically rotating AWS Access Keys without having to go through the hassle of navigating the AWS console. There are some existing solutions already, but I decided to write a <a href=https://gist.github.com/davegallant/2c042686a78684a657fe99e20fa7a924#file-aws_access_key_rotator-py>script</a> since it was incredibly simple. The script could be packed up as a systemd/launchd service to continually rotate access keys in the background.</p>
<p>In the longer term, migrating my local workflows to <a href=https://github.com/99designs/aws-vault>aws-vault</a> seems like a more secure solution. This would mean that credentials (even temporary session credentials) never have to be written in plaintext to disk (i.e. where <a href=https://docs.aws.amazon.com/sdkref/latest/guide/file-location.html>AWS suggests</a>). Any existing applications, such as terraform, could be have their credentials passed to them from aws-vault, which retrieves them from the OS&rsquo;s secure keystore. There is even a <a href=https://github.com/99designs/aws-vault/blob/master/USAGE.md#rotating-credentials>rotate command</a> included.</p></div>
<footer class=entry-footer>
<div class="container sep-before"><div class=tags><svg class="icon" xmlns="http://www.w3.org/2000/svg" viewbox="0 0 24 24" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" aria-hidden="true"><path d="M20.59 13.41l-7.17 7.17a2 2 0 01-2.83.0L2 12V2H12l8.59 8.59a2 2 0 010 2.82z"/><line x1="7" y1="7" x2="7" y2="7"/></svg>
<span class=screen-reader-text>Tags: </span><a class=tag href=/tags/aws/>aws</a>, <a class=tag href=/tags/python/>python</a>, <a class=tag href=/tags/security/>security</a>, <a class=tag href=/tags/aws-vault/>aws-vault</a></div>
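Review bot: The second paragraph of the entry-content div still reads "could be have their credentials passed to them" in both the old and the new version of the line. The visible change only moves the whitespace around the wrapping div, so the typo is being redeployed unchanged; fix it in the post's source (for example "could have their credentials passed to them from aws-vault") and regenerate. In the same paragraph, "(i.e. where AWS suggests)" would read more clearly if it named the location it refers to instead of relying on the link. The href values are emitted unquoted on both sides of the hunk, which works for these URLs, but confirm that this is the intended minifier output.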