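def delete_user(module, iam, name):
    """Delete IAM user *name* after removing its access keys and inline policies.

    Args:
        module: Ansible module object; ``fail_json`` is called on any error
            that cannot be worked around (Ansible's implementation ends the run).
        iam: boto IAM connection.
        name: user name to delete.

    Returns:
        tuple: ``(del_meta, name, changed)``.  ``del_meta`` is
        ``delete_user_response`` on the first attempt; on the retry path it is
        the raw ``delete_user`` result (pre-existing inconsistency, kept because
        callers' use of ``del_meta`` is not visible here).  ``changed`` is True
        only when the user was actually deleted.
    """
    # Both results are initialised up front.  The original left them unbound
    # on the success path (``changed``) and on non-policy failures
    # (``del_meta``), so the final ``return`` raised UnboundLocalError.
    changed = False
    del_meta = None
    try:
        current_keys = [ck['access_key_id'] for ck in
                        iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata]
        for key in current_keys:
            iam.delete_access_key(key, name)
        del_meta = iam.delete_user(name).delete_user_response
    except boto.exception.BotoServerError as err:
        error_msg = boto_exception(err)
        if 'must detach all policies first' in error_msg:
            # Inline policies block the delete: remove them and retry once.
            for policy in iam.get_all_user_policies(name).list_user_policies_result.policy_names:
                iam.delete_user_policy(name, policy)
            try:
                del_meta = iam.delete_user(name)
            except boto.exception.BotoServerError as err:
                error_msg = boto_exception(err)
                if 'must detach all policies first' in error_msg:
                    # Still blocked after the inline policies are gone: only
                    # managed policies remain, which this boto API cannot detach.
                    module.fail_json(changed=changed,
                                     msg="All inline policies have been removed. Though it appears "
                                         "that %s has Managed Policies. This is not "
                                         "currently supported by boto. Please detach the policies "
                                         "through the console and try again." % name)
                else:
                    module.fail_json(changed=changed, msg=str(err))
            else:
                changed = True
        else:
            # Any other boto error is fatal; previously this fell through to
            # the return with del_meta unbound.
            module.fail_json(changed=changed, msg=str(err))
    else:
        changed = True
    return del_meta, name, changed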
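def delete_user(module, iam, name):
    """Delete IAM user *name*, clearing its access keys and inline policies first.

    Args:
        module: Ansible module object; ``fail_json`` reports unrecoverable
            errors (and, in Ansible, ends the run).
        iam: boto IAM connection.
        name: user name to delete.

    Returns:
        tuple: ``(del_meta, name, changed)``.  ``del_meta`` is
        ``delete_user_response`` when the first delete succeeds and the raw
        ``delete_user`` result on the retry path (kept as in the original, since
        callers' use of it is not visible here); ``changed`` is True only when
        the user was deleted.
    """
    policy_block = 'must detach all policies first'
    # Initialised here because the original only assigned ``changed`` inside
    # the retry branch and never assigned ``del_meta`` on non-policy errors,
    # so the return statement could raise UnboundLocalError.
    changed = False
    del_meta = None
    try:
        key_metadata = iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata
        for key_id in [ck['access_key_id'] for ck in key_metadata]:
            iam.delete_access_key(key_id, name)
        del_meta = iam.delete_user(name).delete_user_response
    except boto.exception.BotoServerError as err:
        if policy_block in boto_exception(err):
            # Remove inline policies, then retry the delete exactly once.
            policy_names = iam.get_all_user_policies(name).list_user_policies_result.policy_names
            for policy in policy_names:
                iam.delete_user_policy(name, policy)
            try:
                del_meta = iam.delete_user(name)
            except boto.exception.BotoServerError as retry_err:
                if policy_block in boto_exception(retry_err):
                    # Inline policies are gone, so only managed policies can be
                    # left; this boto API has no call to detach them.
                    module.fail_json(
                        changed=changed,
                        msg="All inline policies have been removed. Though it appears "
                            "that %s has Managed Policies. This is not "
                            "currently supported by boto. Please detach the policies "
                            "through the console and try again." % name)
                else:
                    module.fail_json(changed=changed, msg=str(retry_err))
            else:
                changed = True
        else:
            # Previously this case fell through to the return with del_meta unbound.
            module.fail_json(changed=changed, msg=str(err))
    else:
        changed = True
    return del_meta, name, changed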
def delete_access_key(access_key_id, username, age):
    """Delete the IAM access key *access_key_id* that belongs to *username*.

    A one-line audit message naming the key id, the user and ``age`` is
    printed before the call; ``age`` is informational only and does not gate
    the deletion.
    """
    print "Delete Access Key %s for Username %s age %s" % (access_key_id, username, age)
    iam_client = boto3.client('iam')
    iam_client.delete_access_key(AccessKeyId=access_key_id, UserName=username)
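def main():
    """Rotate the IAM access key used to run this script.

    Flow: authenticate with the supplied key pair (prompting for whatever was
    not passed on the command line), look up the user that owns it, create a
    new access key for that user, print the new pair, then ask before deleting
    the old key.  boto errors are printed and re-raised.
    """
    import getpass  # local import: this file's import block is outside this change

    parser = argparse.ArgumentParser(description="Rotate Access Keys.")
    parser.add_argument(
        "-a", "--access_key_id",
        help="The access key to rotate and use for authentication."
    )
    # NOTE: a secret given via -s is visible in shell history and process
    # listings; the interactive prompt below is the safer way to supply it.
    parser.add_argument(
        "-s", "--secret_access_key",
        help="The secret key to rotate and use for authentication."
    )
    args = parser.parse_args()
    if not args.access_key_id:
        args.access_key_id = raw_input("Enter Access Key: ")
    if not args.secret_access_key:
        # getpass instead of raw_input so the secret is not echoed to the
        # terminal (and its scrollback).
        args.secret_access_key = getpass.getpass("Enter Secret Key: ")

    iam = boto.iam.connection.IAMConnection(
        aws_access_key_id=args.access_key_id,
        aws_secret_access_key=args.secret_access_key
    )

    # The key being rotated belongs to the caller: resolve that user's name.
    get_user_response = iam.get_user()['get_user_response']
    get_user_result = get_user_response['get_user_result']
    user = get_user_result['user']
    user_name = user['user_name']

    try:
        response = iam.create_access_key(user_name)
    except boto.exception.BotoServerError as exception:
        print "Cannot create new keys: %s" % exception
        raise

    ak_response = response['create_access_key_response']
    access_key = ak_response['create_access_key_result']['access_key']
    # The new secret is written to stdout here; this is the only place the
    # script shows it.
    print """Access Key:\t%s\nSecret Key:\t%s""" % (
        access_key['access_key_id'],
        access_key['secret_access_key']
    )

    # Only an exact "yes" deletes the old key; any other answer keeps it.
    ans = raw_input(
        "Ready to delete Access Key %s? (yes/no) " % args.access_key_id
    )
    if ans == "yes":
        try:
            iam.delete_access_key(args.access_key_id, user_name)
        except boto.exception.BotoServerError as exception:
            print "Cannot remove old key: %s" % exception
            raise
    else:
        print "Warning: your old Access Key was kept.",
        print " Be sure to clean up the mess."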
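def main():
    """Rotate the caller's own IAM access key pair.

    Authenticates with the key given via ``-a``/``-s`` (prompting for any value
    not supplied), creates a replacement key for the owning user, prints the
    new pair and, after an interactive "yes", deletes the key that was used to
    authenticate.  boto errors are printed and re-raised.
    """
    import getpass  # local import: the file's import block is not in view here

    parser = argparse.ArgumentParser(description="Rotate Access Keys.")
    parser.add_argument(
        "-a", "--access_key_id",
        help="The access key to rotate and use for authentication.")
    # NOTE: passing the secret with -s leaves it in shell history and process
    # listings; prefer the prompt below.
    parser.add_argument(
        "-s", "--secret_access_key",
        help="The secret key to rotate and use for authentication.")
    args = parser.parse_args()
    if not args.access_key_id:
        args.access_key_id = raw_input("Enter Access Key: ")
    if not args.secret_access_key:
        # Read the secret without echoing it to the terminal.
        args.secret_access_key = getpass.getpass("Enter Secret Key: ")

    iam = boto.iam.connection.IAMConnection(
        aws_access_key_id=args.access_key_id,
        aws_secret_access_key=args.secret_access_key)

    # Resolve the user that owns the authenticating key.
    get_user_response = iam.get_user()['get_user_response']
    get_user_result = get_user_response['get_user_result']
    user = get_user_result['user']
    user_name = user['user_name']

    try:
        response = iam.create_access_key(user_name)
    except boto.exception.BotoServerError as exception:
        print "Cannot create new keys: %s" % exception
        raise

    ak_response = response['create_access_key_response']
    access_key = ak_response['create_access_key_result']['access_key']
    # The only point where the new secret is shown.
    print """Access Key:\t%s\nSecret Key:\t%s""" % (
        access_key['access_key_id'],
        access_key['secret_access_key'])

    # Anything other than an exact "yes" keeps the old key.
    ans = raw_input("Ready to delete Access Key %s? (yes/no) " % args.access_key_id)
    if ans == "yes":
        try:
            iam.delete_access_key(args.access_key_id, user_name)
        except boto.exception.BotoServerError as exception:
            print "Cannot remove old key: %s" % exception
            raise
    else:
        print "Warning: your old Access Key was kept.",
        print " Be sure to clean up the mess."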
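def delete_dependencies_first(module, iam, name):
    """Remove everything that blocks deleting IAM user *name*.

    In order: access keys, the console login profile, inline user policies and
    MFA device associations.  Unexpected boto errors are reported through
    ``module.fail_json`` (which, in Ansible, ends the run); a missing login
    profile is not an error.

    Args:
        module: Ansible module object.
        iam: boto IAM connection.
        name: user whose dependent resources are removed.

    Returns:
        bool: True if at least one dependent resource was removed.
    """
    changed = False

    # Access keys.  ``changed`` flips only when a key is actually deleted.
    try:
        current_keys = [ck['access_key_id'] for ck in
                        iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata]
        for key in current_keys:
            iam.delete_access_key(key, name)
            changed = True
    except boto.exception.BotoServerError as err:
        module.fail_json(changed=changed, msg="Failed to delete keys: %s" % err,
                         exception=traceback.format_exc())

    # Console login profile.  The lookup is kept purely as a probe (its result
    # was never used); the "cannot be found" error means there is nothing to delete.
    try:
        iam.get_login_profiles(name)
        iam.delete_login_profile(name)
        changed = True
    except boto.exception.BotoServerError as err:
        error_msg = boto_exception(err)
        if 'Login Profile for User ' + name + ' cannot be found.' not in error_msg:
            module.fail_json(changed=changed, msg="Failed to delete login profile: %s" % err,
                             exception=traceback.format_exc())

    # Inline policies.  If AWS still reports attached policies afterwards,
    # only managed policies can remain, which this boto API cannot detach.
    try:
        for policy in iam.get_all_user_policies(name).list_user_policies_result.policy_names:
            iam.delete_user_policy(name, policy)
            changed = True
    except boto.exception.BotoServerError as err:
        error_msg = boto_exception(err)
        if 'must detach all policies first' in error_msg:
            module.fail_json(changed=changed,
                             msg="All inline policies have been removed. Though it appears "
                                 "that %s has Managed Policies. This is not "
                                 "currently supported by boto. Please detach the policies "
                                 "through the console and try again." % name)
        else:
            module.fail_json(changed=changed, msg="Failed to delete policies: %s" % err,
                             exception=traceback.format_exc())

    # MFA devices.  The response is read with .get() so a missing key yields
    # an empty list rather than an exception.
    try:
        mfa_devices = iam.get_all_mfa_devices(name) \
            .get('list_mfa_devices_response', {}) \
            .get('list_mfa_devices_result', {}) \
            .get('mfa_devices', [])
        for device in mfa_devices:
            iam.deactivate_mfa_device(name, device['serial_number'])
            changed = True
    except boto.exception.BotoServerError as err:
        module.fail_json(changed=changed, msg="Failed to deactivate associated MFA devices: %s" % err,
                         exception=traceback.format_exc())

    return changed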
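def delete_dependencies_first(module, iam, name):
    """Strip IAM user *name* of the resources that prevent its deletion.

    Access keys, the console login profile, inline policies and MFA device
    associations are removed in that order.  Any boto error other than a
    missing login profile is reported with ``module.fail_json`` (which ends
    the run under Ansible).

    Args:
        module: Ansible module object.
        iam: boto IAM connection.
        name: target user name.

    Returns:
        bool: True when at least one dependent resource was removed.
    """
    changed = False
    trace = traceback.format_exc

    # 1. Access keys -- ``changed`` is set per deleted key, not unconditionally.
    try:
        key_metadata = iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata
        for key_id in [ck['access_key_id'] for ck in key_metadata]:
            iam.delete_access_key(key_id, name)
            changed = True
    except boto.exception.BotoServerError as err:
        module.fail_json(changed=changed, msg="Failed to delete keys: %s" % err, exception=trace())

    # 2. Login profile.  get_login_profiles() acts only as an existence probe
    # (the original bound its result to an unused local); "Cannot find Login
    # Profile" means there is nothing to remove.
    try:
        iam.get_login_profiles(name)
        iam.delete_login_profile(name)
        changed = True
    except boto.exception.BotoServerError as err:
        if 'Cannot find Login Profile' not in boto_exception(err):
            module.fail_json(changed=changed, msg="Failed to delete login profile: %s" % err,
                             exception=trace())

    # 3. Inline policies.  A "must detach all policies first" error after the
    # inline ones are gone can only come from managed policies, which this
    # boto API cannot detach.
    try:
        for policy in iam.get_all_user_policies(name).list_user_policies_result.policy_names:
            iam.delete_user_policy(name, policy)
            changed = True
    except boto.exception.BotoServerError as err:
        if 'must detach all policies first' in boto_exception(err):
            module.fail_json(changed=changed,
                             msg="All inline policies have been removed. Though it appears "
                                 "that %s has Managed Policies. This is not "
                                 "currently supported by boto. Please detach the policies "
                                 "through the console and try again." % name)
        else:
            module.fail_json(changed=changed, msg="Failed to delete policies: %s" % err,
                             exception=trace())

    # 4. MFA devices.  Nested .get() calls default to an empty list when the
    # response lacks the expected keys.
    try:
        response = iam.get_all_mfa_devices(name)
        result = response.get('list_mfa_devices_response', {}).get('list_mfa_devices_result', {})
        for device in result.get('mfa_devices', []):
            iam.deactivate_mfa_device(name, device['serial_number'])
            changed = True
    except boto.exception.BotoServerError as err:
        module.fail_json(changed=changed, msg="Failed to deactivate associated MFA devices: %s" % err,
                         exception=trace())

    return changed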
def delete_user(module, iam, name): del_meta = '' try: current_keys = [ ck['access_key_id'] for ck in iam.get_all_access_keys( name).list_access_keys_result.access_key_metadata ] for key in current_keys: iam.delete_access_key(key, name) try: login_profile = iam.get_login_profiles( name).get_login_profile_response except boto.exception.BotoServerError, err: error_msg = boto_exception(err) if ('Cannot find Login Profile') in error_msg: del_meta = iam.delete_user(name).delete_user_response else:
if not args.secret_access_key: args.secret_access_key = raw_input("Enter Secret Key: ") iam = boto.iam.connection.IAMConnection( aws_access_key_id=args.access_key_id, aws_secret_access_key=args.secret_access_key) try: response = iam.create_access_key(args.user) except boto.exception.BotoServerError as e: print "Cannot create new keys: %s" % e raise access_key = response['create_access_key_response'][ 'create_access_key_result']['access_key'] print """Access Key: %s Secret Key. %s""" % (access_key['access_key_id'], access_key['secret_access_key']) ans = raw_input("Ready to delete Access Key %s? (yes/no) " % args.access_key_id) if ans == "yes": try: iam.delete_access_key(args.access_key_id, args.user) except boto.exception.BotoServerError as e: print "Cannot remove old key: %s" % e raise else: print "Warning: your old Access Key was kept. Be sure to clean up the mess."
if keys and key_state: for access_key in keys: if access_key in current_keys: for current_key, current_key_state in zip(current_keys, status): if key_state != current_key_state.lower(): try: iam.update_access_key( access_key, key_state.capitalize(), user_name=name) except boto.exception.BotoServerError, err: module.fail_json(changed=False, msg=str(err)) else: changed = True if key_state == 'remove': try: iam.delete_access_key(access_key, user_name=name) except boto.exception.BotoServerError, err: module.fail_json(changed=False, msg=str(err)) else: changed = True try: final_keys, final_key_status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata]
def update_user(module, iam, name, new_name, new_path, key_state, key_count, keys, pwd, updated):
    """Apply name/path, console-password and access-key changes to IAM user *name*.

    Args:
        module: Ansible module object; ``fail_json`` is called on boto errors
            that are not handled here (under Ansible it ends the run).
        iam: boto IAM connection.
        name: current user name.
        new_name: new user name; falsy keeps the current one.
        new_path: new IAM path; falsy keeps the current one.
        key_state: 'create', 'active', 'inactive' or 'remove' -- only these
            values trigger key handling below; anything else is ignored.
        key_count: target number of access keys when key_state == 'create'.
        keys: access key ids that 'active'/'inactive'/'remove' apply to.
        pwd: new console password; falsy leaves the login profile untouched.
        updated: True when the rename was already applied by the caller, so
            *new_name* is the name to use.

    Returns:
        tuple: (name_change, updated_key_list, changed, new_keys).
        updated_key_list maps every remaining key id to its status string.
        new_keys holds the create_access_key result objects -- the same
        structure the rotation script's main() reads ``secret_access_key``
        from, so treat it as sensitive output.
    """
    changed = False
    name_change = False
    # After the rename has been applied, every call below uses the new name.
    if updated and new_name:
        name = new_name
    try:
        current_keys = [
            ck['access_key_id'] for ck in iam.get_all_access_keys(
                name).list_access_keys_result.access_key_metadata
        ]
        status = [
            ck['status'] for ck in iam.get_all_access_keys(
                name).list_access_keys_result.access_key_metadata
        ]
        key_qty = len(current_keys)
    except boto.exception.BotoServerError as err:
        error_msg = boto_exception(err)
        # The old name may no longer exist after a rename: retry under new_name.
        if 'cannot be found' in error_msg and updated:
            current_keys = [
                ck['access_key_id'] for ck in iam.get_all_access_keys(
                    new_name).list_access_keys_result.access_key_metadata
            ]
            status = [
                ck['status'] for ck in iam.get_all_access_keys(
                    new_name).list_access_keys_result.access_key_metadata
            ]
            name = new_name
        else:
            module.fail_json(changed=False, msg=str(err))
    updated_key_list = {}
    if new_name or new_path:
        c_path = iam.get_user(name).get_user_result.user['path']
        if (name != new_name) or (c_path != new_path):
            changed = True
            try:
                # When the caller has not renamed yet, rename and re-path in
                # one call; otherwise only the path is updated.
                if not updated:
                    user = iam.update_user(
                        name, new_user_name=new_name, new_path=new_path
                    ).update_user_response.response_metadata
                else:
                    user = iam.update_user(
                        name, new_path=new_path
                    ).update_user_response.response_metadata
                # ``user`` collects the before/after values but is never
                # returned; only the flags below reach the caller.
                user['updates'] = dict(old_username=name, new_username=new_name, old_path=c_path, new_path=new_path)
            except boto.exception.BotoServerError as err:
                error_msg = boto_exception(err)
                module.fail_json(changed=False, msg=str(err))
            else:
                if not updated:
                    name_change = True
    if pwd:
        # Any BotoServerError from update_login_profile is taken to mean the
        # user has no login profile yet, so one is created instead.
        try:
            iam.update_login_profile(name, pwd)
            changed = True
        except boto.exception.BotoServerError:
            try:
                iam.create_login_profile(name, pwd)
                changed = True
            except boto.exception.BotoServerError as err:
                error_msg = boto_exception(str(err))
                if 'Password does not conform to the account password policy' in error_msg:
                    module.fail_json(changed=False, msg="Password doesn't conform to policy")
                else:
                    module.fail_json(msg=error_msg)
    # Re-read the key list (same lookup as above) now that the rename and
    # password steps have run.
    try:
        current_keys = [
            ck['access_key_id'] for ck in iam.get_all_access_keys(
                name).list_access_keys_result.access_key_metadata
        ]
        status = [
            ck['status'] for ck in iam.get_all_access_keys(
                name).list_access_keys_result.access_key_metadata
        ]
        key_qty = len(current_keys)
    except boto.exception.BotoServerError as err:
        error_msg = boto_exception(err)
        if 'cannot be found' in error_msg and updated:
            current_keys = [
                ck['access_key_id'] for ck in iam.get_all_access_keys(
                    new_name).list_access_keys_result.access_key_metadata
            ]
            status = [
                ck['status'] for ck in iam.get_all_access_keys(
                    new_name).list_access_keys_result.access_key_metadata
            ]
            name = new_name
        else:
            module.fail_json(changed=False, msg=str(err))
    new_keys = []
    if key_state == 'create':
        # Create keys until the user has key_count of them; each result object
        # is kept in new_keys for the caller.
        try:
            while key_count > key_qty:
                new_keys.append(
                    iam.create_access_key(
                        user_name=name).create_access_key_response.
                    create_access_key_result.access_key)
                key_qty += 1
                changed = True
        except boto.exception.BotoServerError as err:
            module.fail_json(changed=False, msg=str(err))
    if keys and key_state:
        for access_key in keys:
            if key_state in ('active', 'inactive'):
                if access_key in current_keys:
                    # NOTE(review): key_state is compared with the status of
                    # *every* current key (zip over the whole list), not just
                    # with access_key's own status, so update_access_key may be
                    # issued more than once for the same key.
                    for current_key, current_key_state in zip(current_keys, status):
                        if key_state != current_key_state.lower():
                            try:
                                iam.update_access_key(access_key, key_state.capitalize(), user_name=name)
                                changed = True
                            except boto.exception.BotoServerError as err:
                                module.fail_json(changed=False, msg=str(err))
                else:
                    # A supplied key id that the user does not have is a hard error.
                    module.fail_json(msg="Supplied keys not found for %s. "
                                         "Current keys: %s. "
                                         "Supplied key(s): %s" % (name, current_keys, keys))
            if key_state == 'remove':
                # Unknown key ids are silently skipped on removal.
                if access_key in current_keys:
                    try:
                        iam.delete_access_key(access_key, user_name=name)
                    except boto.exception.BotoServerError as err:
                        module.fail_json(changed=False, msg=str(err))
                    else:
                        changed = True
    # Final listing, reported back as {key_id: status}.
    try:
        final_keys, final_key_status = \
            [ck['access_key_id'] for ck in iam.get_all_access_keys(name).
             list_access_keys_result.
             access_key_metadata],\
            [ck['status'] for ck in iam.get_all_access_keys(name).
             list_access_keys_result.
             access_key_metadata]
    except boto.exception.BotoServerError as err:
        module.fail_json(changed=changed, msg=str(err))
    for fk, fks in zip(final_keys, final_key_status):
        updated_key_list.update({fk: fks})
    return name_change, updated_key_list, changed, new_keys
def update_user(module, iam, name, new_name, new_path, key_state, key_count, keys, pwd, updated):
    """Apply name/path, console-password and access-key changes to IAM user *name*.

    Args:
        module: Ansible module object; ``fail_json`` is called on boto errors
            that are not handled here (under Ansible it ends the run).
        iam: boto IAM connection.
        name: current user name.
        new_name: new user name; falsy keeps the current one.
        new_path: new IAM path; falsy keeps the current one.
        key_state: 'create' creates keys up to key_count; any other truthy
            value is applied to *keys* via update_access_key (see the NOTE in
            the key loop), and 'remove' additionally deletes them.
        key_count: target number of access keys when key_state == 'create'.
        keys: access key ids the key_state handling applies to.
        pwd: new console password; falsy leaves the login profile untouched.
        updated: True when the rename was already applied by the caller, so
            *new_name* is the name to use.

    Returns:
        tuple: (name_change, updated_key_list, changed) where updated_key_list
        maps every remaining key id to its status string.  Keys created here
        are not returned (see the NOTE at the create loop).
    """
    changed = False
    name_change = False
    # After the rename has been applied, every call below uses the new name.
    if updated and new_name:
        name = new_name
    try:
        current_keys, status = \
            [ck['access_key_id'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata],\
            [ck['status'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata]
        key_qty = len(current_keys)
    except boto.exception.BotoServerError as err:
        error_msg = boto_exception(err)
        # The old name may no longer exist after a rename: retry under new_name.
        if 'cannot be found' in error_msg and updated:
            current_keys, status = \
                [ck['access_key_id'] for ck in iam.get_all_access_keys(new_name).list_access_keys_result.access_key_metadata],\
                [ck['status'] for ck in iam.get_all_access_keys(new_name).list_access_keys_result.access_key_metadata]
            name = new_name
        else:
            module.fail_json(changed=False, msg=str(err))
    updated_key_list = {}
    if new_name or new_path:
        c_path = iam.get_user(name).get_user_result.user['path']
        if (name != new_name) or (c_path != new_path):
            changed = True
            try:
                # Rename and re-path in one call unless the caller has already
                # renamed, in which case only the path is updated.
                if not updated:
                    user = iam.update_user(
                        name, new_user_name=new_name, new_path=new_path).update_user_response.response_metadata
                else:
                    user = iam.update_user(
                        name, new_path=new_path).update_user_response.response_metadata
                # ``user`` is populated but never returned; only the flags
                # below reach the caller.
                user['updates'] = dict(
                    old_username=name, new_username=new_name, old_path=c_path, new_path=new_path)
            except boto.exception.BotoServerError as err:
                error_msg = boto_exception(err)
                module.fail_json(changed=False, msg=str(err))
            else:
                if not updated:
                    name_change = True
    if pwd:
        # Any BotoServerError from update_login_profile is treated as "no
        # login profile yet" and a profile is created instead.
        try:
            iam.update_login_profile(name, pwd)
            changed = True
        except boto.exception.BotoServerError:
            try:
                iam.create_login_profile(name, pwd)
                changed = True
            except boto.exception.BotoServerError as err:
                error_msg = boto_exception(str(err))
                if 'Password does not conform to the account password policy' in error_msg:
                    module.fail_json(changed=False, msg="Password doesn't conform to policy")
                else:
                    module.fail_json(msg=error_msg)
    if key_state == 'create':
        # NOTE(review): each created key (including its secret) is bound to
        # ``new_key`` and then dropped -- nothing here returns or records it,
        # so the caller never sees the new credentials.
        try:
            while key_count > key_qty:
                new_key = iam.create_access_key(
                    user_name=name).create_access_key_response.create_access_key_result.access_key
                key_qty += 1
                changed = True
        except boto.exception.BotoServerError as err:
            module.fail_json(changed=False, msg=str(err))
    if keys and key_state:
        for access_key in keys:
            if access_key in current_keys:
                # NOTE(review): key_state is compared with the status of every
                # current key (zip over the whole list), not only access_key's,
                # and it is not restricted to 'active'/'inactive' -- with
                # key_state == 'remove' this sends 'Remove' to update_access_key
                # before the delete below.
                for current_key, current_key_state in zip(current_keys, status):
                    if key_state != current_key_state.lower():
                        try:
                            iam.update_access_key(
                                access_key, key_state.capitalize(), user_name=name)
                        except boto.exception.BotoServerError as err:
                            module.fail_json(changed=False, msg=str(err))
                        else:
                            changed = True
                if key_state == 'remove':
                    try:
                        iam.delete_access_key(access_key, user_name=name)
                    except boto.exception.BotoServerError as err:
                        module.fail_json(changed=False, msg=str(err))
                    else:
                        changed = True
    # Final listing, reported back as {key_id: status}.
    try:
        final_keys, final_key_status = \
            [ck['access_key_id'] for ck in iam.get_all_access_keys(name).
             list_access_keys_result.
             access_key_metadata],\
            [ck['status'] for ck in iam.get_all_access_keys(name).
             list_access_keys_result.
             access_key_metadata]
    except boto.exception.BotoServerError as err:
        module.fail_json(changed=changed, msg=str(err))
    for fk, fks in zip(final_keys, final_key_status):
        updated_key_list.update({fk: fks})
    return name_change, updated_key_list, changed
args.secret_access_key = raw_input("Enter Secret Key: ") iam = boto.iam.connection.IAMConnection( aws_access_key_id=args.access_key_id, aws_secret_access_key=args.secret_access_key ) try: response = iam.create_access_key(args.user) except boto.exception.BotoServerError as e: print "Cannot create new keys: %s" % e raise access_key = response['create_access_key_response']['create_access_key_result']['access_key'] print """Access Key: %s Secret Key. %s""" % ( access_key['access_key_id'], access_key['secret_access_key'] ) ans = raw_input("Ready to delete Access Key %s? (yes/no) " % args.access_key_id) if ans == "yes": try: iam.delete_access_key(args.access_key_id, args.user) except boto.exception.BotoServerError as e: print "Cannot remove old key: %s" % e raise else: print "Warning: your old Access Key was kept. Be sure to clean up the mess."