Detect when Temporary Credentials Present in Local awscli Config
Issue #1
duplicate
Detect when Temporary Credentials Present in Local awscli Config. When temp credentials exist, keyup should be prohibited from rotating keys if and only if a token is active.
If a token used to gen temp credentials is expired, keyup should rotate credentials.
Rationale: If access keyset credentials are rotated with an ACTIVE token, any active temp credentials will immediately become invalid because the token used to generate them is no longer valid. (?)
Comments (5)
-
reporter -
reporter - marked as critical
-
reporter Logic:
- Detect any awscli profiles which have an 'aws_security_token' entry (IAM users will not have one)
- Try to auth using these profiles to see if any are active by using keys with authenticated() function. If return True >> active
- If some active, exit. Don't rotate creds
- If all inactive, >> rotate credentials
-
reporter Correct Logic:
- Map profile names to Temporary profile names in order to discover which represent IAM users.
- For the temporary credentials which represent real IAM users, try to authenticate using the access key and secret key.
- If any authenticate, exit without rotating keys
- If all authentications fail, trigger rotation (temporary credentials are expired).
Authentication using all temp credentials cannot be tried; will set off cw filter metric alarms for Auth Failure
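
The rotation gate described in the two logic comments above, as an added example (not keyup's code and not written by the reporter). The function names, the signature of the `authenticated` callable and the sample credentials file are assumptions constructed for illustration; the mapping of profile names to temporary profile names is not implemented here.

```python
import configparser

# Keys that mark a profile as holding temporary (STS) credentials.
# 'aws_security_token' is the entry named in the issue; 'aws_session_token'
# is the current awscli spelling of the same field.
TOKEN_KEYS = ("aws_security_token", "aws_session_token")

# Constructed sample credentials file (all values are fake placeholders).
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = CONSTRUCTED-USER-KEY-1
aws_secret_access_key = constructed-secret-1

[dev-role]
aws_access_key_id = CONSTRUCTED-TEMP-KEY-1
aws_secret_access_key = constructed-secret-2
aws_security_token = constructed-token-expired

[prod-role]
aws_access_key_id = CONSTRUCTED-TEMP-KEY-2
aws_secret_access_key = constructed-secret-3
aws_session_token = constructed-token-active
"""


def temporary_profiles(credentials_text):
    """Return {profile: credential dict} for profiles that carry a token."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(credentials_text)
    found = {}
    for name in parser.sections():
        section = dict(parser[name])
        if any(section.get(key) for key in TOKEN_KEYS):
            found[name] = section
    return found


def rotation_allowed(credentials_text, authenticated):
    """Return (allowed, active_profiles).

    `authenticated` is a hypothetical callable taking a profile's credential
    dict and returning True if AWS still accepts it (for example a wrapper
    around an STS GetCallerIdentity call). Rotation is allowed only when no
    temporary profile still authenticates.
    """
    active = [name for name, creds in temporary_profiles(credentials_text).items()
              if authenticated(creds)]
    return (not active, sorted(active))
```

Returning the list of still-active profiles lets the caller log which token blocked the rotation instead of exiting silently.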
-
reporter - changed status to duplicate
Duplicate of #13.
Logic used to detect ACTIVE token: