
AWS IAM User Secrets Rotation

The repository linked below contains Python scripts that automate part of the AWS IAM user secrets rotation process. The scripts create new AWS IAM credentials, update the corresponding secrets in Azure Key Vault, and restart the affected pods running in Azure Kubernetes Service (AKS).

https://github.com/majority-dev/platform-automation/tree/master/scripts/rotate-aws-secrets

πŸ” Rotation scriptΒΆ

The rotation process managed by these scripts includes the following automated steps:

  1. Create New IAM User Credentials
    Generates new access keys for the specified AWS IAM user(s).

  2. Update Azure Key Vault
    Updates the secret value in Azure Key Vault with the newly generated AWS credentials.

  3. Restart AKS Pods
    Triggers a restart of relevant AKS pods to ensure they load the updated secrets from the Key Vault.

These scripts are intended to streamline credential management and reduce manual overhead during routine secret rotation tasks.
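As an added illustration (not the repository's own script), the three automated steps above as one Python function; the boto3 IAM client, the Azure `SecretClient` and the Kubernetes `AppsV1Api` are passed in as parameters so the flow can be exercised against fakes, and the secret name, deployment names and the JSON layout of the secret value are assumptions. The old access key is deliberately left active, since verifying and deleting it is the manual part of the process.

```python
"""Orchestrate one rotation of an IAM user's access key (added example).

The clients are injected so the logic runs offline against fakes; in
production they would be boto3.client("iam"),
azure.keyvault.secrets.SecretClient and kubernetes.client.AppsV1Api.
"""
import json
from datetime import datetime, timezone

AWS_MAX_ACCESS_KEYS = 2  # hard AWS limit on access keys per IAM user


def rotate_user_credentials(iam, kv, apps_api, user_name, secret_name,
                            deployments, namespace):
    """Create a new key, store it in Key Vault, restart consuming deployments.

    Returns the new AccessKeyId. The previous key stays active so running
    pods keep working until the manual verify-and-delete steps are done.
    """
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= AWS_MAX_ACCESS_KEYS:
        # create_access_key would fail with LimitExceeded: a key from an
        # earlier rotation has not been cleaned up yet (the manual step).
        raise RuntimeError(
            f"{user_name} already has {len(existing)} access keys; "
            "delete the oldest unused key before rotating")

    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]

    # Assumed secret layout: both halves of the credential as one JSON doc.
    kv.set_secret(secret_name, json.dumps({
        "aws_access_key_id": new_key["AccessKeyId"],
        "aws_secret_access_key": new_key["SecretAccessKey"],
    }))

    # Same mechanism as `kubectl rollout restart`: bump a pod-template
    # annotation so each deployment rolls fresh pods that re-read the secret.
    stamp = datetime.now(timezone.utc).isoformat()
    patch = {"spec": {"template": {"metadata": {"annotations": {
        "kubectl.kubernetes.io/restartedAt": stamp}}}}}
    for name in deployments:
        apps_api.patch_namespaced_deployment(name, namespace, patch)

    return new_key["AccessKeyId"]
```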

🚫 Out of Scope (Manual Steps)

The following steps are not handled by the scripts and should be performed manually to complete the secrets rotation process:

  1. Verify Old Credentials Are No Longer in Use
    Ensure that no systems or applications are using the old IAM credentials before removal.

  2. Delete Old Secrets
    Manually remove outdated secrets from AWS and Azure Key Vault once safe to do so.

πŸ“ Scripts OverviewΒΆ

Below are the key scripts included in this repository:

📌 Notes

  • Remember to change the variables to point to the correct environment.
  • I have now moved these scripts to GitHub from Azure DevOps. I never got a chance to run these scripts after this move. You might have to add the required packages in the pyproject.toml file.