skx / aws-utils

A small collection of AWS utilities, packaged as a single standalone binary.


Allow deactivation/deletion of AWS access-keys

barnumbirr opened this issue · comments

Hello,

thanks for this neat utility, I mostly use it to rotate AWS access-keys.
To that effect, would it be possible to add flags to the rotate-keys command to allow for deactivation/deletion of the previous, now rotated keys?

Thanks.

I guess there are three cases to consider at the moment:

  • When invoking the rotation command there are no keys present.
    • Authentication fails, so nothing happens.
  • When invoking the rotation command there is one key already present.
    • The initial key is left alone.
    • A second/new key is created and replaces the one previously present in the user's config.
    • End result: the initial key which was previously the only one is available but orphaned.
  • When invoking the rotation command there are two keys already present.
    • The oldest key is removed.
    • The next-oldest is left alone, but will become orphaned.
    • A new key is created and replaces the one previously present in the user's config.
    • End result: one key is removed, and one key is available but orphaned.

I guess you're really suggesting that after generating a new key, and updating the user's configuration file, what we should do is then (optionally) remove any previous key? Above I'm calling that an orphaned key - as it is still available within the console, if you have the details saved elsewhere.

(We can't delete the key(s) before generating a new one - because then we'd be unauthenticated, and in the case of hitting an error we'd leave the user in a bad place.)

I'd be happy to add that for you, perhaps -cleanup could be the flag to use? But if I misunderstood please do let me know.
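The three cases above as a planning step in Go, added here as an illustration and not taken from aws-utils itself; the AccessKey type, the PlanRotation function and the key IDs are constructed stand-ins. It keeps the two deletion points separate: a key is only removed before creation when the two-key limit forces it, and the previous key is only removed after the new one exists, and only when -cleanup is set.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// AccessKey is a constructed stand-in for IAM access-key metadata;
// only the ID and creation time matter for ordering.
type AccessKey struct {
	ID      string
	Created time.Time
}

// RotationPlan records which keys go before and which after creation.
type RotationPlan struct {
	DeleteBefore []string // oldest key, only when two are already present
	DeleteAfter  []string // previous key(s), only when cleanup is requested
}

// PlanRotation implements the three cases: no keys (cannot authenticate),
// one key (left alone unless cleanup), two keys (oldest removed to make room).
func PlanRotation(keys []AccessKey, cleanup bool) (RotationPlan, error) {
	var plan RotationPlan
	if len(keys) == 0 {
		// No credentials at all: the rotation request cannot authenticate.
		return plan, errors.New("no access keys present: cannot authenticate")
	}
	sorted := append([]AccessKey(nil), keys...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Created.Before(sorted[j].Created) })
	if len(sorted) >= 2 {
		// At the IAM limit: the oldest key must go before a new one can be created.
		plan.DeleteBefore = append(plan.DeleteBefore, sorted[0].ID)
		sorted = sorted[1:]
	}
	if cleanup {
		// Whatever remains is the previous key; it is deleted only after the
		// new key has been created and written to the user's config.
		for _, k := range sorted {
			plan.DeleteAfter = append(plan.DeleteAfter, k.ID)
		}
	}
	return plan, nil
}

func main() {
	now := time.Now() // constructed sample: two keys, the older one 48h old
	keys := []AccessKey{{"EXAMPLE-OLD", now.Add(-48 * time.Hour)}, {"EXAMPLE-PREV", now.Add(-time.Hour)}}
	plan, err := PlanRotation(keys, true)
	fmt.Printf("%+v %v\n", plan, err)
}
```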

I guess you're really suggesting that after generating a new key, and updating the user's configuration file, what we should do is then (optionally) remove any previous key? Above I'm calling that an orphaned key - as it is still available within the console, if you have the details saved elsewhere.

This is exactly what I was thinking, apologies for the bad explanation. -cleanup sounds like a reasonable flag.

You were clear enough that I understood :)

I'll sort it out shortly.