mirror of
https://github.com/davegallant/davegallant.github.io.git
synced 2025-08-06 00:33:39 +00:00
391 lines
13 KiB
HTML
391 lines
13 KiB
HTML
<!DOCTYPE html>
|
|
<html lang='en' dir='auto'><head>
|
|
<meta charset='utf-8'>
|
|
<meta name='viewport' content='width=device-width, initial-scale=1'>
|
|
<meta name='description' content=''>
|
|
<meta name='theme-color' content='#8979b3'>
|
|
|
|
<meta property='og:title' content='Automatically Rotating AWS Access Keys • davegallant'>
|
|
<meta property='og:description' content=''>
|
|
<meta property='og:url' content='/blog/2021/09/17/automatically-rotating-aws-access-keys/'>
|
|
<meta property='og:site_name' content='davegallant'>
|
|
<meta property='og:type' content='article'><meta property='article:section' content='post'><meta property='article:tag' content='aws'><meta property='article:tag' content='python'><meta property='article:tag' content='security'><meta property='article:tag' content='aws-vault'><meta property='article:published_time' content='2021-09-17T12:48:33-04:00'/><meta property='article:modified_time' content='2021-09-17T12:48:33-04:00'/><meta name='twitter:card' content='summary'>
|
|
|
|
<meta name="generator" content="Hugo 0.92.2" />
|
|
|
|
<title>Automatically Rotating AWS Access Keys • davegallant</title>
|
|
<link rel='canonical' href='/blog/2021/09/17/automatically-rotating-aws-access-keys/'>
|
|
|
|
|
|
<link rel='icon' href='/favicon.ico'>
|
|
<link rel='stylesheet' href='/assets/css/main.ab98e12b.css'><link rel='stylesheet' href='/css/custom.css'><style>
|
|
:root{--color-accent:#8979b3;}
|
|
</style>
|
|
|
|
<script type="application/javascript">
|
|
var doNotTrack = false;
|
|
if (!doNotTrack) {
|
|
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
|
|
ga('create', 'UA-98710982-2', 'auto');
|
|
|
|
ga('send', 'pageview');
|
|
}
|
|
</script>
|
|
<script async src='https://www.google-analytics.com/analytics.js'></script>
|
|
|
|
|
|
|
|
</head>
|
|
<body class='page type-post has-sidebar'>
|
|
|
|
<div class='site'><div id='sidebar' class='sidebar'>
|
|
<a class='screen-reader-text' href='#main-menu'>Skip to Main Menu</a>
|
|
|
|
<div class='container'><section class='widget widget-about sep-after'>
|
|
<header>
|
|
|
|
<div class='logo'>
|
|
<a href='/'>
|
|
<img src='/images/logo.png'>
|
|
</a>
|
|
</div>
|
|
|
|
<h2 class='title site-title '>
|
|
<a href='/'>
|
|
davegallant
|
|
</a>
|
|
</h2>
|
|
<div class='desc'>
|
|
personal blog
|
|
</div>
|
|
</header>
|
|
|
|
</section>
|
|
<section class='widget widget-taxonomy_cloud sep-after'>
|
|
<header>
|
|
<h4 class='title widget-title'>Tags</h4>
|
|
</header>
|
|
|
|
<div class='container list-container'>
|
|
<ul class='list taxonomy-cloud'><li>
|
|
<a href='/tags/adguard/' style='font-size:1em'>adguard</a>
|
|
</li><li>
|
|
<a href='/tags/aws/' style='font-size:1em'>aws</a>
|
|
</li><li>
|
|
<a href='/tags/aws-vault/' style='font-size:1em'>aws-vault</a>
|
|
</li><li>
|
|
<a href='/tags/backup/' style='font-size:1em'>backup</a>
|
|
</li><li>
|
|
<a href='/tags/containers/' style='font-size:1em'>containers</a>
|
|
</li><li>
|
|
<a href='/tags/degoogle/' style='font-size:1em'>degoogle</a>
|
|
</li><li>
|
|
<a href='/tags/docker/' style='font-size:1em'>docker</a>
|
|
</li><li>
|
|
<a href='/tags/dotfiles/' style='font-size:1em'>dotfiles</a>
|
|
</li><li>
|
|
<a href='/tags/gmail/' style='font-size:1em'>gmail</a>
|
|
</li><li>
|
|
<a href='/tags/grafana/' style='font-size:1em'>grafana</a>
|
|
</li><li>
|
|
<a href='/tags/home-manager/' style='font-size:1em'>home-manager</a>
|
|
</li><li>
|
|
<a href='/tags/homelab/' style='font-size:1em'>homelab</a>
|
|
</li><li>
|
|
<a href='/tags/jellyfin/' style='font-size:1em'>jellyfin</a>
|
|
</li><li>
|
|
<a href='/tags/k3s/' style='font-size:1em'>k3s</a>
|
|
</li><li>
|
|
<a href='/tags/linux/' style='font-size:1em'>linux</a>
|
|
</li><li>
|
|
<a href='/tags/lxc/' style='font-size:1em'>lxc</a>
|
|
</li><li>
|
|
<a href='/tags/netdata/' style='font-size:1em'>netdata</a>
|
|
</li><li>
|
|
<a href='/tags/nix/' style='font-size:1em'>nix</a>
|
|
</li><li>
|
|
<a href='/tags/pihole/' style='font-size:1em'>pihole</a>
|
|
</li><li>
|
|
<a href='/tags/plex/' style='font-size:1em'>plex</a>
|
|
</li><li>
|
|
<a href='/tags/podman/' style='font-size:1em'>podman</a>
|
|
</li><li>
|
|
<a href='/tags/proxmox/' style='font-size:1em'>proxmox</a>
|
|
</li><li>
|
|
<a href='/tags/python/' style='font-size:2em'>python</a>
|
|
</li><li>
|
|
<a href='/tags/ransomware/' style='font-size:1em'>ransomware</a>
|
|
</li><li>
|
|
<a href='/tags/security/' style='font-size:1em'>security</a>
|
|
</li><li>
|
|
<a href='/tags/synology/' style='font-size:1em'>synology</a>
|
|
</li><li>
|
|
<a href='/tags/tailscale/' style='font-size:1em'>tailscale</a>
|
|
</li><li>
|
|
<a href='/tags/virtualization/' style='font-size:1em'>virtualization</a>
|
|
</li><li>
|
|
<a href='/tags/vpn/' style='font-size:1em'>vpn</a>
|
|
</li></ul>
|
|
</div>
|
|
|
|
|
|
</section>
|
|
<section class='widget widget-social_menu sep-after'><nav aria-label='Social Menu'>
|
|
<ul><li>
|
|
<a href='https://github.com/davegallant' target='_blank' rel='noopener me'>
|
|
<span class='screen-reader-text'>Open Github account in new tab</span><svg
|
|
class="icon"
|
|
xmlns="http://www.w3.org/2000/svg"
|
|
viewbox="0 0 24 24"
|
|
stroke-linecap="round"
|
|
stroke-linejoin="round"
|
|
stroke-width="2"
|
|
aria-hidden="true"
|
|
><path d="M9 19c-5 1.5-5-2.5-7-3m14 6v-3.87a3.37 3.37 0 0 0-.94-2.61c3.14-.35 6.44-1.54 6.44-7A5.44 5.44 0 0 0 20 4.77 5.07 5.07 0 0 0 19.91 1S18.73.65 16 2.48a13.38 13.38 0 0 0-7 0C6.27.65 5.09 1 5.09 1A5.07 5.07 0 0 0 5 4.77a5.44 5.44 0 0 0-1.5 3.78c0 5.42 3.3 6.61 6.44 7A3.37 3.37 0 0 0 9 18.13V22" />
|
|
</svg>
|
|
</a>
|
|
</li><li>
|
|
<a href='https://twitter.com/dave_gallant_' target='_blank' rel='noopener me'>
|
|
<span class='screen-reader-text'>Open Twitter account in new tab</span><svg
|
|
class="icon"
|
|
xmlns="http://www.w3.org/2000/svg"
|
|
viewbox="0 0 24 24"
|
|
stroke-linecap="round"
|
|
stroke-linejoin="round"
|
|
stroke-width="2"
|
|
aria-hidden="true"
|
|
><path d="M23 3a10.9 10.9 0 0 1-3.14 1.53 4.48 4.48 0 0 0-7.86 3v1A10.66 10.66 0 0 1 3 4s-4 9 5 13a11.64 11.64 0 0 1-7 2c9 5 20 0 20-11.5a4.5 4.5 0 0 0-.08-.83A7.72 7.72 0 0 0 23 3z" />
|
|
</svg>
|
|
</a>
|
|
</li><li>
|
|
<a href='mailto:davegallant@gmail.com' target='_blank' rel='noopener me'>
|
|
<span class='screen-reader-text'>Contact via Email</span><svg
|
|
class="icon"
|
|
xmlns="http://www.w3.org/2000/svg"
|
|
viewbox="0 0 24 24"
|
|
stroke-linecap="round"
|
|
stroke-linejoin="round"
|
|
stroke-width="2"
|
|
aria-hidden="true"
|
|
><path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z" />
|
|
<polyline points="22,6 12,13 2,6" />
|
|
</svg>
|
|
</a>
|
|
</li><li>
|
|
<a href='https://linkedin.com/in/dave-gallant' target='_blank' rel='noopener me'>
|
|
<span class='screen-reader-text'>Open Linkedin account in new tab</span><svg
|
|
class="icon"
|
|
xmlns="http://www.w3.org/2000/svg"
|
|
viewbox="0 0 24 24"
|
|
stroke-linecap="round"
|
|
stroke-linejoin="round"
|
|
stroke-width="2"
|
|
aria-hidden="true"
|
|
><path d="M16 8a6 6 0 0 1 6 6v7h-4v-7a2 2 0 0 0-2-2 2 2 0 0 0-2 2v7h-4v-7a6 6 0 0 1 6-6z" />
|
|
<rect x="2" y="9" width="4" height="12" />
|
|
<circle cx="4" cy="4" r="2" />
|
|
</svg>
|
|
</a>
|
|
</li></ul>
|
|
</nav>
|
|
</section></div>
|
|
|
|
<div class='sidebar-overlay'></div>
|
|
</div><div class='main'><nav id='main-menu' class='menu main-menu' aria-label='Main Menu'>
|
|
<div class='container'>
|
|
<a class='screen-reader-text' href='#content'>Skip to Content</a>
|
|
|
|
<button id='sidebar-toggler' class='sidebar-toggler' aria-controls='sidebar'>
|
|
<span class='screen-reader-text'>Toggle Sidebar</span>
|
|
<span class='open'><svg
|
|
class="icon"
|
|
xmlns="http://www.w3.org/2000/svg"
|
|
viewbox="0 0 24 24"
|
|
stroke-linecap="round"
|
|
stroke-linejoin="round"
|
|
stroke-width="2"
|
|
aria-hidden="true"
|
|
><line x1="3" y1="12" x2="21" y2="12" />
|
|
<line x1="3" y1="6" x2="21" y2="6" />
|
|
<line x1="3" y1="18" x2="21" y2="18" />
|
|
</svg>
|
|
</span>
|
|
<span class='close'><svg
|
|
class="icon"
|
|
xmlns="http://www.w3.org/2000/svg"
|
|
viewbox="0 0 24 24"
|
|
stroke-linecap="round"
|
|
stroke-linejoin="round"
|
|
stroke-width="2"
|
|
aria-hidden="true"
|
|
><line x1="18" y1="6" x2="6" y2="18" />
|
|
<line x1="6" y1="6" x2="18" y2="18" />
|
|
</svg>
|
|
</span>
|
|
</button>
|
|
<ul><li class='item'>
|
|
<a href='/'>Home</a>
|
|
</li><li class='item'>
|
|
<a href='/about/'>About</a>
|
|
</li><li class='item'>
|
|
<a href='/index.xml'>RSS</a>
|
|
</li></ul>
|
|
</div>
|
|
</nav><div class='header-widgets'>
|
|
<div class='container'></div>
|
|
</div>
|
|
|
|
<header id='header' class='header site-header'>
|
|
<div class='container sep-after'>
|
|
</div>
|
|
</header>
|
|
|
|
<main id='content'>
|
|
|
|
|
|
<article lang='en' class='entry'>
|
|
<header class='header entry-header'>
|
|
<div class='container sep-after'>
|
|
<div class='header-info'>
|
|
<h1 class='title'>Automatically Rotating AWS Access Keys</h1>
|
|
|
|
|
|
</div>
|
|
<div class='entry-meta'>
|
|
<span class='posted-on'><svg
|
|
class="icon"
|
|
xmlns="http://www.w3.org/2000/svg"
|
|
viewbox="0 0 24 24"
|
|
stroke-linecap="round"
|
|
stroke-linejoin="round"
|
|
stroke-width="2"
|
|
aria-hidden="true"
|
|
><rect x="3" y="4" width="18" height="18" rx="2" ry="2" />
|
|
<line x1="16" y1="2" x2="16" y2="6" />
|
|
<line x1="8" y1="2" x2="8" y2="6" />
|
|
<line x1="3" y1="10" x2="21" y2="10" />
|
|
</svg>
|
|
<span class='screen-reader-text'>Posted on </span>
|
|
<time class='entry-date' datetime='2021-09-17T12:48:33-04:00'>2021, Sep 17</time>
|
|
</span>
|
|
|
|
|
|
|
|
<span class='reading-time'><svg
|
|
class="icon"
|
|
xmlns="http://www.w3.org/2000/svg"
|
|
viewbox="0 0 24 24"
|
|
stroke-linecap="round"
|
|
stroke-linejoin="round"
|
|
stroke-width="2"
|
|
aria-hidden="true"
|
|
><circle cx="12" cy="12" r="10" />
|
|
<polyline points="12 6 12 12 15 15" />
|
|
</svg>
|
|
One min read
|
|
</span>
|
|
|
|
|
|
</div>
|
|
|
|
|
|
</div>
|
|
</header>
|
|
|
|
|
|
|
|
|
|
<div class='container entry-content'>
|
|
<p>Rotating credentials is a security best practice. This morning, I read a question about automatically rotating AWS Access Keys without having to go through the hassle of navigating the AWS console. There are some existing solutions already, but I decided to write a <a href="https://gist.github.com/davegallant/2c042686a78684a657fe99e20fa7a924#file-aws_access_key_rotator-py">script</a> since it was incredibly simple. The script could be packed up as a systemd/launchd service to continually rotate access keys in the background.</p>
|
|
<p>In the longer term, migrating my local workflows to <a href="https://github.com/99designs/aws-vault">aws-vault</a> seems like a more secure solution. This would mean that credentials (even temporary session credentials) never have to be written in plaintext to disk (i.e. where <a href="https://docs.aws.amazon.com/sdkref/latest/guide/file-location.html">AWS suggests</a>). Any existing applications, such as terraform, could be have their credentials passed to them from aws-vault, which retrieves them from the OS’s secure keystore. There is even a <a href="https://github.com/99designs/aws-vault/blob/master/USAGE.md#rotating-credentials">rotate command</a> included.</p>
|
|
</div>
|
|
|
|
|
|
<footer class='entry-footer'>
|
|
<div class='container sep-before'><div class='tags'><svg
|
|
class="icon"
|
|
xmlns="http://www.w3.org/2000/svg"
|
|
viewbox="0 0 24 24"
|
|
stroke-linecap="round"
|
|
stroke-linejoin="round"
|
|
stroke-width="2"
|
|
aria-hidden="true"
|
|
><path d="M20.59,13.41l-7.17,7.17a2,2,0,0,1-2.83,0L2,12V2H12l8.59,8.59A2,2,0,0,1,20.59,13.41Z" />
|
|
<line x1="7" y1="7" x2="7" y2="7" />
|
|
</svg>
|
|
<span class='screen-reader-text'>Tags: </span><a class='tag' href='/tags/aws/'>aws</a>, <a class='tag' href='/tags/python/'>python</a>, <a class='tag' href='/tags/security/'>security</a>, <a class='tag' href='/tags/aws-vault/'>aws-vault</a></div>
|
|
|
|
</div>
|
|
</footer>
|
|
|
|
|
|
</article>
|
|
|
|
<nav class='entry-nav'>
|
|
<div class='container'><div class='prev-entry sep-before'>
|
|
<a href='/blog/2021/09/08/why-i-threw-out-my-dotfiles/'>
|
|
<span aria-hidden='true'><svg
|
|
class="icon"
|
|
xmlns="http://www.w3.org/2000/svg"
|
|
viewbox="0 0 24 24"
|
|
stroke-linecap="round"
|
|
stroke-linejoin="round"
|
|
stroke-width="2"
|
|
aria-hidden="true"
|
|
><line x1="20" y1="12" x2="4" y2="12" />
|
|
<polyline points="10 18 4 12 10 6" />
|
|
</svg>
|
|
Previous</span>
|
|
<span class='screen-reader-text'>Previous post: </span>Why I Threw Out My Dotfiles</a>
|
|
</div><div class='next-entry sep-before'>
|
|
<a href='/blog/2021/10/11/replacing-docker-with-podman-on-macos-and-linux/'>
|
|
<span class='screen-reader-text'>Next post: </span>Replacing docker with podman on macOS (and Linux)<span aria-hidden='true'>Next <svg
|
|
class="icon"
|
|
xmlns="http://www.w3.org/2000/svg"
|
|
viewbox="0 0 24 24"
|
|
stroke-linecap="round"
|
|
stroke-linejoin="round"
|
|
stroke-width="2"
|
|
aria-hidden="true"
|
|
><line x1="4" y1="12" x2="20" y2="12" />
|
|
<polyline points="14 6 20 12 14 18" />
|
|
</svg>
|
|
</span>
|
|
</a>
|
|
</div></div>
|
|
</nav>
|
|
|
|
|
|
<section id='comments' class='comments'>
|
|
<div class='container sep-before'>
|
|
<div class='comments-area'><script src='https://utteranc.es/client.js'
|
|
repo='davegallant/davegallant.github.io'
|
|
issue-term='pathname'
|
|
|
|
theme='github-light'
|
|
crossorigin='anonymous' async>
|
|
</script>
|
|
</div>
|
|
</div>
|
|
</section>
|
|
|
|
</main>
|
|
|
|
<footer id='footer' class='footer'>
|
|
<div class='container sep-before'><div class='copyright'>
|
|
<p> © 2020-2022 Dave Gallant </p>
|
|
</div>
|
|
|
|
</div>
|
|
</footer>
|
|
|
|
</div>
|
|
</div><script>window.__assets_js_src="/assets/js/"</script>
|
|
|
|
<script src='/assets/js/main.c3bcf2df.js'></script>
|
|
|
|
</body>
|
|
|
|
</html>
|
|
|