initial commit

Author: kneemaa

Dockerfile

@@ -0,0 +1,10 @@
+FROM python:3.8
+
+WORKDIR /app
+
+COPY requirements.txt .
+COPY rotate_keys.py .
+
+RUN pip3 install -r requirements.txt
+
+CMD [ "python", "/app/rotate_keys.py" ]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Abi Noda
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,93 @@
+# Rotate AWS Access token stored in Github Repository secrets
+
+## Environment Variables
+#### AWS_ACCESS_KEY_ID
+- Required: ***True***
+- Description: Access Key ID of the user being rotated. You can use `${{secrets.ACCESS_KEY_ID}}`
+
+#### AWS_SECRET_ACCESS_KEY
+- Required: ***True***
+- Description: Secret Access Key ID of the user being rotated. You can use `${{secrets.SECRET_ACCESS_KEY_ID}}`
+
+#### IAM_USERNAME
+- Required: ***True***
+- Description: Name of IAM user being rotated
+
+#### GITHUB_TOKEN
+- Required: ***True***
+- Description: Github Token with **Repo Admin** access of the target repo. If being ran in the repo being updated, you can use `${{github.token}}`
+
+#### OWNER_REPOSITORY
+- Required: ***True***
+- Description: The owner and repository name. For example, octocat/Hello-World. If being ran in the repo being updated, you can use `${{github.repository}}`
+
+#### GITHUB_ACCESS_KEY_NAME
+- Required: ***False***
+- Default: `access_key_id`
+- Description: Name of the secret for the Access Key ID. Setting this overrides the default.
+
+#### GITHUB_SECRET_KEY_NAME
+- Required: ***False***
+- Default: `secret_key_id`
+- Description: Name of the secret for the Secret Access Key ID. Setting this overrides the default.
+
+# Example
+## Rotation every monday at 13:00 UTC
+```
+on:
+  schedule:
+    - cron: '* 13 * * 1' 
+
+jobs:
+  rotate:
+    name: rotate iam user keys
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+
+      - name: rotate aws keys
+        uses: kneemaa/[email protected]
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.access_key_name }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.secret_key_name }}
+          IAM_USERNAME: 'iam-user-name'
+          GITHUB_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          OWNER_REPOSITORY: ${{ github.repository }}
+```
+
+## Adding Slack notification on failure only
+```
+on:
+  schedule:
+    - cron: '* 13 * * 1'
+
+jobs:
+  rotate:
+    name: rotate iam user keys
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+
+      - name: rotate aws keys
+        uses: kneemaa/[email protected]
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.access_key_name }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.secret_key_name }}
+          IAM_USERNAME: 'iam-user-name'
+          GITHUB_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          OWNER_REPOSITORY: ${{ github.repository }}
+
+      - name: Send Slack Status
+        if: failure()
+        uses: 8398a7/[email protected]
+        with:
+          status: ${{job.status}}
+          author_name: kneema-aws-rotation-action
+          username: kneema-rotation-bot
+          text: Rotating the token had a status of ${{ job.status }}
+          channel: alerts-test
+        env:
+          SLACK_WEBHOOK_URL: https://hooks.slack.com/services/.../...
+```
+## License
+The Dockerfile and associated scripts and documentation in this project are released under the [MIT License](LICENSE).

action.yml

@@ -0,0 +1,9 @@
+name: 'Rotate AWS Access Keys'
+author: 'Nema Darban <[email protected]>'
+description: Github action that rotates the iam user tokens on a schedule
+runs:
+    using: 'docker'
+    image: 'Dockerfile'
+branding:
+    icon: 'check-circle'
+    color: 'blue'

requirements.txt

@@ -0,0 +1,3 @@
+pynacl
+boto3
+requests

rotate_keys.py

@@ -0,0 +1,129 @@
+import boto3, requests, json, sys, os
+from base64 import b64encode
+from nacl import encoding, public
+
+access_key_name = os.getenv('GITHUB_ACCESS_KEY_NAME', "access_key_id")
+secret_key_name = os.getenv('GITHUB_SECRET_KEY_NAME', "secret_key_id")
+
+# sets creds for boto3
+iam = boto3.client(
+    'iam',
+    aws_access_key_id = os.environ['AWS_ACCESS_KEY_ID'],
+    aws_secret_access_key = os.environ['AWS_SECRET_ACCESS_KEY']
+)
+
+def main_function():
+    iam_username = os.environ['IAM_USERNAME']
+    github_token = os.environ['GITHUB_TOKEN']
+    owner_repository = os.environ['OWNER_REPOSITORY']
+    
+    list_ret = iam.list_access_keys(UserName=iam_username)
+    starting_num_keys = len(list_ret["AccessKeyMetadata"])
+
+    # save current id for deletion later
+    current_access_id = list_ret["AccessKeyMetadata"][0]["AccessKeyId"]
+
+    # Check if two keys already exist, if so, exit 1
+    if starting_num_keys != 1:
+        print("There are already 2 keys for this user, Cannot rotate tokens")
+        sys.exit(1)
+    else:
+        print(f"I have {starting_num_keys} token, proceeding.")
+
+    #generate new credentials
+    (new_access_key, new_secret_key) = create_new_keys(iam_username)
+
+    #delete old keys
+    delete_old_keys(iam_username, current_access_id)
+
+    #get repo pub key info
+    (public_key, pub_key_id) = get_pub_key(owner_repository, github_token)
+
+    #encrypt the secrets
+    encrypted_access_key = encrypt(public_key,new_access_key)
+    encrypted_secret_key = encrypt(public_key,new_secret_key)
+
+    #upload secrets
+    upload_secret(owner_repository,access_key_name,encrypted_access_key,pub_key_id,github_token)
+    upload_secret(owner_repository,secret_key_name,encrypted_secret_key,pub_key_id,github_token)
+
+    sys.exit(0)
+
+def create_new_keys(iam_username):
+    # create the keys
+    create_ret = iam.create_access_key(
+            UserName=iam_username
+        )
+
+    new_access_key = create_ret['AccessKey']['AccessKeyId']
+    new_secret_key = create_ret['AccessKey']['SecretAccessKey']
+
+    # check to see if the keys were created
+    second_list_ret = iam.list_access_keys(UserName=iam_username)
+    second_num_keys = len(second_list_ret["AccessKeyMetadata"])
+
+    if second_num_keys != 2:
+        print("new keys failed to generate.")
+        sys.exit(1)
+    else:
+        print("new keys generated, proceeding")
+        return (new_access_key,new_secret_key)
+
+def delete_old_keys(iam_username,current_access_id):
+    delete_ret = iam.delete_access_key(
+            UserName=iam_username,
+            AccessKeyId=current_access_id
+        )
+
+    if delete_ret['ResponseMetadata']['HTTPStatusCode'] != 200:
+        print("deletion of original key failed")
+        sys.exit(1)
+        
+## Update Actions Secret
+# https://developer.github.com/v3/actions/secrets/#create-or-update-a-secret-for-a-repository
+def encrypt(public_key: str, secret_value: str) -> str:
+    """Encrypt a Unicode string using the public key."""
+    public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder())
+    sealed_box = public.SealedBox(public_key)
+    encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
+    return b64encode(encrypted).decode("utf-8")
+
+def get_pub_key(owner_repo, github_token):
+    # get public key for encrypting
+    pub_key_ret = requests.get(
+        f'https://api.github.com/repos/{owner_repo}/actions/secrets/public-key',
+        headers={'Authorization': f"token {github_token}"}
+    )
+
+    if not pub_key_ret.status_code == requests.codes.ok:
+        raise Exception(f"github public key request failed, status code: {pub_key_ret.status_code}, body: {pub_key_ret.text}, vars: {owner_repo} {github_token}")
+        sys.exit(1)
+
+    #convert to json
+    public_key_info = pub_key_ret.json()
+
+    #extract values
+    public_key = public_key_info['key']
+    public_key_id = public_key_info['key_id']
+
+    return (public_key, public_key_id)
+
+def upload_secret(owner_repo,key_name,encrypted_value,pub_key_id,github_token):    
+    #upload encrypted access key
+    updated_secret = requests.put(
+        f'https://api.github.com/repos/{owner_repo}/actions/secrets/{key_name}',
+        json={
+            'encrypted_value': encrypted_value,
+            'key_id': pub_key_id
+        },
+        headers={'Authorization': f"token {github_token}"}
+    )
+    # status codes github says are valid
+    good_status_codes = [204,201]
+
+    if updated_secret.status_code not in good_status_codes:
+        print(f'Got status code: {updated_secret.status_code} on updating {key_name}')
+        sys.exit(1)
+
+# run everything
+main_function()