AWS IAM key refresh/rotate - key pair Management

Version 2

    What is 'keyFresh' tool?

         keyFresh is a Unix-based shell script that refreshes the IAM access/secret key pair on each run and updates the refreshed key pair in the configured Informatica Cloud S3 connections. Here IAM key 'refresh' means generating a new access/secret key pair and replacing the old one.

         If you have a mandate to refresh or rotate your IAM key pair every 45, 60 or 90 days, you can use this script to perform the IAM key rotation/refresh. You can schedule the script as a cron job on Unix.


    How to setup 'keyFresh' ?

         The 'keyFresh' script uses the AWS CLI to manage IAM access/secret keys and uses curl to perform Informatica Cloud REST API calls. It requires you to configure inputs in the property file 'env'. The following inputs need to be configured:

      • AWS user name
      • Informatica Cloud user and its encrypted password in a separate file 'passwd.encrypt'
      • Informatica Cloud login, logout and connection update URLs
      • list of Informatica Cloud S3 connection Ids to update with the new access/secret key
      • AWS KMS key used to encrypt/decrypt the Informatica Cloud password

         You need to run the 'kms encrypt' CLI command to generate the 'passwd.encrypt' file in the same path as the 'keyFresh.sh' script.

              aws kms encrypt --key-id <kms keyID> --plaintext "<Informatica cloud password>" --output text --query CiphertextBlob | base64 --decode >passwd.encrypt

         Note that a password given on the command line this way ends up in the shell history and is visible in the process list while the command runs; the AWS CLI also accepts the plaintext from a file via '--plaintext fileb://<file>', and AWS CLI v2 expects the inline value to be base64 encoded unless a fileb:// path is used.

          You can find the Informatica S3 connection Id by browsing the connection view in the Informatica Cloud Administrator screen, as shown in the screenshot below. When configuring the 'env' property file, separate multiple connection Ids with commas.

    [screenshot: s3_screenshot, Informatica Cloud Administrator connection view]


    'keyFresh' function

    The script executes the following actions in order:

      1. Lists the IAM access keys of the current user. The script assumes the user has exactly one active key. If you have more than one active key, deactivate the other (unused) key first; otherwise the default AWS limit of two access keys per user would cause the run to fail.
      2. Deletes the inactive key, deactivates the active key and generates a new key pair.
      3. Logs in to Informatica Cloud and updates the connections listed in the 'env' file with the new key pair.
      4. Logs out of Informatica Cloud.
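    Steps 1 and 2 above, as an added example that is not part of the keyFresh script: the key-count guard and the delete, deactivate, create order, written as a POSIX shell script whose decision logic takes the text output of 'aws iam list-access-keys' as input, so it can be checked without calling AWS. The IAM user name argument and the AKIA... key ids used for checking are assumptions, not values from this page.

```shell
#!/bin/sh
# Added example, not the keyFresh script itself: the key-count guard and the
# delete -> deactivate -> create order from steps 1-2, with the decision
# logic kept apart from the AWS CLI calls so it can be checked offline.
set -e

# plan_rotation LISTING
# LISTING is the text output of
#   aws iam list-access-keys --output text --query 'AccessKeyMetadata[].[AccessKeyId,Status]'
# i.e. one "KEYID<tab>Status" line per key. Prints the actions to take, deletes
# first and then the single deactivate. Fails unless exactly one key is Active:
# AWS allows at most two access keys per IAM user, so a second active key
# would make the create-access-key call in rotate_keys fail.
plan_rotation() {
  printf '%s\n' "$1" | awk -F '\t' '
    NF < 2 { next }
    $2 == "Active"   { active++; deact = deact "deactivate " $1 "\n"; next }
    $2 == "Inactive" { del = del "delete " $1 "\n"; next }
    { printf "unexpected status %s for key %s\n", $2, $1 > "/dev/stderr"; bad = 1 }
    END {
      if (bad) exit 1
      if (active != 1) {
        printf "expected exactly 1 active key, found %d\n", active > "/dev/stderr"
        exit 1
      }
      printf "%s%s", del, deact
    }'
}

# rotate_keys IAM_USER: applies the plan with the AWS CLI (needs an attached
# IAM role or configured credentials) and prints "NEWKEYID<tab>NEWSECRET" for
# the caller to push into the Informatica Cloud S3 connections. The previous
# key stays Inactive until the next run, which leaves a rollback window.
rotate_keys() {
  user=$1
  plan=$(plan_rotation "$(aws iam list-access-keys --user-name "$user" \
    --output text --query 'AccessKeyMetadata[].[AccessKeyId,Status]')") || return 1
  printf '%s\n' "$plan" | while read -r action id; do
    case "$action" in
      delete)     aws iam delete-access-key --user-name "$user" --access-key-id "$id" ;;
      deactivate) aws iam update-access-key --user-name "$user" --access-key-id "$id" --status Inactive ;;
    esac
  done
  aws iam create-access-key --user-name "$user" --output text \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]'
}

# Direct use (hypothetical file name): ./rotate.sh --rotate <iam-user-name>
if [ "${1:-}" = "--rotate" ]; then rotate_keys "$2"; fi
```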


    Assumptions:

      •   the script has been tested on an Amazon EC2 (AMI) instance
      •   the Unix instance is assumed to have an IAM role attached. If you use key-based authentication for the AWS CLI, you may need to add an 'aws configure' command at the start of the script.
      •   the user/role running this script must have access to the KMS key and the IAM privileges/policy to create a new access key and to update/delete existing access keys
      •   this is a developer script; there is no support statement from Informatica for it. Users are encouraged to adopt and expand on the existing script, and to upload and share the modified script, with the required comments, for others to use.