Allow deactivation/deletion of AWS access-keys
barnumbirr opened this issue
Hello,
thanks for this neat utility, I mostly use it to rotate AWS access-keys.
To that effect, would it be possible to add flags to the rotate-keys
command to allow for deactivation/deletion of the previous, now rotated keys?
Thanks.
I guess there are three cases to consider at the moment:
- When invoking the rotation command there are no keys present.
  - Authentication fails, so nothing happens.
- When invoking the rotation command there is one key already present.
  - The initial key is left alone.
  - A second/new key is created and replaces the one previously present in the user's config.
  - End result: the initial key, which was previously the only one, is available but orphaned.
- When invoking the rotation command there are two keys already present.
  - The oldest key is removed.
  - The next-oldest is left alone, but will become orphaned.
  - A new key is created and replaces the one previously present in the user's config.
  - End result: one key is removed, and one key is available but orphaned.
I guess you're really suggesting that after generating a new key, and updating the user's configuration file, what we should do is then (optionally) remove any previous key? Above I'm calling that an orphaned key - as it is still available within the console, if you have the details saved elsewhere.
(We can't delete the key(s) before generating a new one - because then we'd be unauthenticated, and in the case of hitting an error we'd leave the user in a bad place.)
I'd be happy to add that for you, perhaps -cleanup could be the flag to use? But if I misunderstood please do let me know.
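The three cases and the ordering constraint above (create the replacement first, only then remove old keys) are easy to get wrong, so here is an added example that models them; it is not the utility's own code. It uses an in-memory stand-in for the IAM access-key calls so it runs offline; `FakeIam`, `rotate_keys` and the `cleanup` parameter are assumptions for illustration, not the project's real API (with boto3 the equivalent calls are `list_access_keys`, `create_access_key`, `update_access_key` and `delete_access_key`). It goes one step beyond the comment in that, when two keys exist, it removes the oldest key that is not the one currently in use, since deleting the authenticating key would leave the user unauthenticated mid-rotation.

```python
"""Illustrative AWS access-key rotation with an optional cleanup step.

Added example, not the utility's own code. FakeIam is a constructed stand-in
for the IAM API so the logic can be exercised offline; key ids and secrets
below are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import itertools

MAX_KEYS_PER_USER = 2  # IAM allows at most two access keys per user


@dataclass
class AccessKey:
    key_id: str
    secret: str
    created: datetime
    status: str = "Active"  # "Active" or "Inactive"


class FakeIam:
    """Minimal in-memory stand-in for the IAM access-key calls (constructed)."""

    def __init__(self, keys):
        self.keys = {k.key_id: k for k in keys}
        self._seq = itertools.count(1)

    def authenticate(self, key_id):
        # A call only succeeds with a key that exists and is Active.
        if key_id not in self.keys or self.keys[key_id].status != "Active":
            raise PermissionError(f"InvalidClientTokenId: {key_id}")

    def list_access_keys(self, caller):
        self.authenticate(caller)
        return sorted(self.keys.values(), key=lambda k: k.created)

    def create_access_key(self, caller):
        self.authenticate(caller)
        if len(self.keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: quota for AccessKeysPerUser")
        n = next(self._seq)
        key = AccessKey(f"AKIANEW{n:04d}", f"secret-{n}", datetime.now(timezone.utc))
        self.keys[key.key_id] = key
        return key

    def update_access_key(self, caller, key_id, status):
        self.authenticate(caller)
        self.keys[key_id].status = status

    def delete_access_key(self, caller, key_id):
        self.authenticate(caller)
        del self.keys[key_id]


def rotate_keys(iam, config, cleanup=False):
    """Rotate the key named in `config` and return the ids of keys left orphaned.

    `config` is a dict with 'aws_access_key_id' / 'aws_secret_access_key',
    standing in for the user's credentials file. With cleanup=True the
    previous key(s) are deactivated and deleted and the result is empty.
    """
    current = config["aws_access_key_id"]
    # Case 1: no usable key -> this raises and nothing is changed.
    existing = iam.list_access_keys(current)
    old_ids = [k.key_id for k in existing]

    # Case 3: both slots taken -> free one by removing the oldest key that is
    # NOT the one we are authenticated with.
    if len(existing) >= MAX_KEYS_PER_USER:
        victim = next(k for k in existing if k.key_id != current)
        iam.delete_access_key(current, victim.key_id)
        old_ids.remove(victim.key_id)

    # Create the replacement before touching the key in use, so a failure here
    # still leaves the user with a working credential.
    new = iam.create_access_key(current)
    iam.authenticate(new.key_id)  # confirm the new key works before switching
    config["aws_access_key_id"] = new.key_id
    config["aws_secret_access_key"] = new.secret

    if not cleanup:
        return old_ids  # Case 2/3 default: previous key usable but orphaned

    # Cleanup: deactivate first (reversible), then delete, using the new key.
    for key_id in old_ids:
        iam.update_access_key(new.key_id, key_id, "Inactive")
        iam.delete_access_key(new.key_id, key_id)
    return []
```

Against real IAM a freshly created key can take a few seconds to become usable, so the "confirm the new key works" step should be retried rather than treated as an immediate pass/fail; deactivating before deleting keeps the old key recoverable until you are sure nothing else still depends on it.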
I guess you're really suggesting that after generating a new key, and updating the user's configuration file, what we should do is then (optionally) remove any previous key? Above I'm calling that an orphaned key - as it is still available within the console, if you have the details saved elsewhere.
This is exactly what I was thinking, apologies for the bad explanation. -cleanup sounds like a reasonable flag.
You were clear enough that I understood :)
I'll sort it out shortly.