AWS stack for rotating the AWS Access Keys used by CircleCI. The stack stores Jobs, each representing an IAM User whose keys should be rotated, and performs a batch rotation for every user it holds a job for.
- An AWS IAM User set up to represent CircleCI.
- Node.js installed.
- A CircleCI API token.
- Clone the repository:
  git clone https://github.com/EconomistDigitalSolutions/circleci-aws-key-rotator.git
  or
  git clone git@github.com:EconomistDigitalSolutions/circleci-aws-key-rotator.git
- Install dependencies:
  npm install
- Deploy:
  npm run deploy -- [--profile <value>] [--region <value>]
This deploys a Lambda that runs once per day at 04:00am to the AWS account selected by the profile.
- profile (optional; default = 'default'): the AWS profile to deploy with.
- region (optional; default = 'us-east-1'): the AWS Region to deploy the Lambda to.
Jobs are stored by the stack as JSON objects matching the below schema:
{
"user": string,
"vcsProvider": string,
"vcsUser": string,
"project": string,
"apiToken": string,
"accessKeyName": string?,
"secretKeyName": string?
}
- user: the IAM User to rotate the Access Keys for.
- vcsProvider: the version control provider. Currently CircleCI supports github or bitbucket.
- vcsUser: the name of the version control system user.
- project: the name of the project, i.e. the repository name.
- apiToken: the API token for accessing the CircleCI API. CircleCI API keys can be created here.
- accessKeyName (optional): the name to use for the environment variable that stores the Access Key value on CircleCI.
- secretKeyName (optional): the name to use for the environment variable that stores the Secret Key value on CircleCI.
Method: GET
Path: /jobs
Gets the list of jobs currently stored by the stack.
Method: POST
Path: /jobs
Data: Valid Job JSON
Adds a new job to the stack. The job should be included as the data on the request.
The API can be triggered through the AWS console:
- Navigate to API Gateway in the AWS console.
- Navigate to the circleci-key-rotator API.
- Click on the method that you wish to trigger (e.g. /jobs/GET).
- Click Test on the Method Execution screen.
- If the endpoint requires parameters (i.e. POSTing to /jobs), add those to Request Body.
- Click the Test button on the Method Test screen.
Prerequisites:
- An API Gateway API key. This can be retrieved through the console (see here).
- The API endpoint URL, e.g. https://123456.execute-api.eu-west-2.amazonaws.com/stage1/jobs/. This can be retrieved through the API dashboard in the console.
  export API_KEY=some_long_string
  curl -H "x-api-key: $API_KEY" https://123456.execute-api.eu-west-2.amazonaws.com/stage1/jobs/
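The following Node.js snippet is an added example, not code from the circleci-aws-key-rotator repository. It validates a Job object against the schema documented above (required string fields, the github/bitbucket restriction on vcsProvider, no unknown fields) and builds the POST /jobs request that submits it with the x-api-key header the curl example uses, so a malformed job is rejected locally before it reaches the API. The endpoint URL, API key, and the job values are constructed placeholders; fetch is left commented out so the block runs offline.

```javascript
// Added example (not part of the circleci-aws-key-rotator project).
// Validates a Job against the documented schema and builds the POST /jobs request.

const REQUIRED_STRING_FIELDS = ['user', 'vcsProvider', 'vcsUser', 'project', 'apiToken'];
const OPTIONAL_STRING_FIELDS = ['accessKeyName', 'secretKeyName'];
const VCS_PROVIDERS = new Set(['github', 'bitbucket']);

// Returns a list of validation errors; an empty list means the job is valid.
function validateJob(job) {
  if (typeof job !== 'object' || job === null || Array.isArray(job)) {
    return ['job must be a JSON object'];
  }
  const errors = [];
  for (const field of REQUIRED_STRING_FIELDS) {
    if (typeof job[field] !== 'string' || job[field].length === 0) {
      errors.push(`${field} must be a non-empty string`);
    }
  }
  for (const field of OPTIONAL_STRING_FIELDS) {
    if (field in job && typeof job[field] !== 'string') {
      errors.push(`${field} must be a string when present`);
    }
  }
  if (typeof job.vcsProvider === 'string' && !VCS_PROVIDERS.has(job.vcsProvider)) {
    errors.push(`vcsProvider must be one of: ${[...VCS_PROVIDERS].join(', ')}`);
  }
  const known = [...REQUIRED_STRING_FIELDS, ...OPTIONAL_STRING_FIELDS];
  const unknown = Object.keys(job).filter((k) => !known.includes(k));
  if (unknown.length > 0) {
    errors.push(`unknown fields: ${unknown.join(', ')}`);
  }
  return errors;
}

// Builds fetch() options for POST /jobs. Throws if the job fails validation so an
// invalid job never leaves the machine. The API key travels only in the x-api-key
// header, matching the curl invocation above; it is never placed in the URL or body.
function buildPostJobRequest(endpointUrl, apiKey, job) {
  const errors = validateJob(job);
  if (errors.length > 0) {
    throw new Error(`invalid job: ${errors.join('; ')}`);
  }
  return {
    url: endpointUrl,
    method: 'POST',
    headers: { 'x-api-key': apiKey, 'content-type': 'application/json' },
    body: JSON.stringify(job),
  };
}

// Masks the CircleCI token so a job can be logged or printed without leaking it.
function redactJob(job) {
  return { ...job, apiToken: job.apiToken ? '***' : undefined };
}

// Constructed placeholder values; replace with the real endpoint and key.
const ENDPOINT = 'https://123456.execute-api.eu-west-2.amazonaws.com/stage1/jobs/';
const API_KEY = 'placeholder-api-key';

// Constructed sample job matching the schema above.
const sampleJob = {
  user: 'circleci',
  vcsProvider: 'github',
  vcsUser: 'example-org',
  project: 'example-repo',
  apiToken: 'placeholder-circleci-token',
  accessKeyName: 'AWS_ACCESS_KEY_ID',
  secretKeyName: 'AWS_SECRET_ACCESS_KEY',
};

const demoRequest = buildPostJobRequest(ENDPOINT, API_KEY, sampleJob);
console.log('would send', demoRequest.method, demoRequest.url, redactJob(sampleJob));
// To actually submit the job (Node 18+ has a global fetch):
// fetch(demoRequest.url, { method: demoRequest.method, headers: demoRequest.headers, body: demoRequest.body })
//   .then((r) => r.text()).then(console.log);
```

Because a Job carries a CircleCI API token, anything that prints or logs jobs (including output from GET /jobs) should go through a redaction step like redactJob before it lands in build logs or terminals.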
- Make the timer configurable. (How? Raw cron syntax as a string param seems likely to be buggy.)