Skip to content

Latest commit

 

History

History
119 lines (101 loc) · 5.18 KB

File metadata and controls

119 lines (101 loc) · 5.18 KB

Validate Master CodeQL

Rotate AWS Access token stored in Github Repository secrets

Performs the following actions:

  1. Checks for existing IAM access and secret key pairs of the provided IAM user (IAM_USERNAME)
  2. If 2 sets of keys exists, the action will fail
  3. If 0 or 1 set of keys exists, the action will:
    1. Create a new key pair for the IAM user
    2. Update the Github secrets (GITHUB_ACCESS_KEY_NAME and GITHUB_SECRET_KEY_NAME) for all provided repositories (OWNER_REPOSITORY)
    3. Delete the original key pair from the IAM user (if 1 already exists)

Environment Variables

Variable Required Description Default
AWS_ACCESS_KEY_ID True Access Key ID to authenticate with AWS. You can use ${{secrets.ACCESS_KEY_ID}} N/A
AWS_SECRET_ACCESS_KEY True Secret Access Key ID to authenticate with AWS. You can use ${{secrets.SECRET_ACCESS_KEY_ID}} N/A
AWS_SESSION_TOKEN False Session Token for the current AWS session. Only required if you assume a role first. N/A
IAM_USERNAME False Name of IAM user being rotated, if not set the username which is used in the AWS credentials is used N/A
PERSONAL_ACCESS_TOKEN True Github Token with Repo Admin access of the target repo. As of 4/16/2020 ${{github.token}} does not have permission to query the Secrets API. The existing env var GITHUB_TOKEN which is added automatically to all runs does not have the access secrets. N/A
OWNER_REPOSITORY True The owner and repository name. For example, octocat/Hello-World. If being ran in the repo being updated, you can use ${{github.repository}}. Multiple repositories can be specified by a comma-separated list (e.g. OWNER_REPOSITORY: ${{ github.repository }},MyGitHubOrgOrUser/MyGitHubRepo). N/A
GITHUB_ACCESS_KEY_NAME False Name of the secret for the Access Key ID. Setting this overrides the default. access_key_id
GITHUB_SECRET_KEY_NAME False Name of the secret for the Secret Access Key ID. Setting this overrides the default. secret_key_id
GITHUB_ENVIRONMENT False Name of the Github environment where the secrets are stored. N/A

Example

Rotation every monday at 13:27 UTC

on:
  schedule:
    - cron: '27 13 * * 1' 

jobs:
  rotate:
    name: rotate iam user keys
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]

      - name: rotate aws keys
        uses: kneemaa/[email protected]
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.access_key_name }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.secret_key_name }}
          IAM_USERNAME: 'iam-user-name'
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          OWNER_REPOSITORY: ${{ github.repository }}

Rotation every monday at 13:27 UTC for the dev Github environment secret

on:
  schedule:
    - cron: '27 13 * * 1' 

jobs:
  rotate:
    name: rotate iam user keys
    runs-on: ubuntu-latest
    environment: dev
    steps:
      - uses: actions/[email protected]

      - name: rotate aws keys
        uses: kneemaa/[email protected]
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.access_key_name }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.secret_key_name }}
          IAM_USERNAME: 'iam-user-name'
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          OWNER_REPOSITORY: ${{ github.repository }}
          GITHUB_ENVIRONMENT: dev

Note that environment names must be set twice:

  • at the job level for Github workflow to know where to fetch the secrets
  • in the action's environment variable so that the action knows where to store the secret back

Adding Slack notification on failure only

on:
  schedule:
    - cron: '27 13 * * 1'

jobs:
  rotate:
    name: rotate iam user keys
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]

      - name: rotate aws keys
        uses: kneemaa/[email protected]
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.access_key_name }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.secret_key_name }}
          IAM_USERNAME: 'iam-user-name'
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          OWNER_REPOSITORY: ${{ github.repository }}

      - name: Send Slack Status
        if: failure()
        uses: 8398a7/[email protected]
        with:
          status: ${{job.status}}
          author_name: kneemaa-aws-rotation-action
          username: kneemaa-rotation-bot
          text: Rotating the token had a status of ${{ job.status }}
          channel: alerts-test
        env:
          SLACK_WEBHOOK_URL: https://hooks.slack.com/services/.../...

License

The Dockerfile and associated scripts and documentation in this project are released under the MIT License.