🚨 Shai-Hulud Strikes Again:834 Packages Compromised.Technical Analysis →
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

@economist/aws-key-rotator

Package Overview
Dependencies
Maintainers
24
Versions
6
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@economist/aws-key-rotator

AWS Access Key Rotation

latest
Source
npmnpm
Version
1.1.1
Version published
Maintainers
24
Created
Source

aws-key-rotator

codecov

Contents

Overview

aws-key-rotator provides functionality for rotating AWS Access Keys with user-defined handling for propagating a newly created key. This allows easier automation of key rotation for required services.

A typical usage example is automatically updating the Access Keys for a project's CI/CD service.

Key Rotation

The key rotation performed by aws-key-rotator follows the below steps:

  • Get all existing keys for an IAM User.
  • Create a new Access Key.
  • Propagate the new Access Key using the custom NewKeyHandler function.
  • Delete all existing keys (except the newly created key).

If any of the above steps fail then the KeyRotator will perform some clean-up as described in Error Handling.

Usage

Pre-Requisites

  • The User(s) that you wish to rotate Access Keys for must be set up in AWS IAM.
  • The User(s) must have at most 1 active Access Key.
  • The code that uses KeyRotator must have IAM permissions to perform the following actions for the required User(s): 
    iam:ListAccessKeys
iam:DeleteAccessKey
iam:CreateAccessKey
iam:UpdateAccessKey

Steps

  • Add aws-key-rotator as a dependency in your package.json file. 
    npm install @economist/aws-key-rotator
  • Add imports in your code as required. 
    import { KeyRotator, NewKeyHandler } from "@economist/aws-key-rotator";
  • Create an instance of an AWS IAM object. 
    const iam = new IAM();
  • Define a custom function which matches the NewKeyHandler interface. Make sure that your function correctly reports any failures to propagate the new key. Failure to do so may result in unusable keys in IAM that will need to be manually removed. 
    const newKeyHandler = (key: AccessKey) => { /* your code here */ };
  • Initialise an instance of the KeyRotator object, passing in your IAM instance and NewKeyHandler. 
    const keyRotator = new KeyRotator(iam, newKeyHandler);
  • Run the key rotation for a given user, adding success and error handling code as required. 
    keyRotator.rotateKeys("YourUser")
    .then(() => { /* your 'on success' code here */ })
    .catch((err) => { /* your 'on failure' code here */ });

Error Handling

If any error occurs as part of the call to the rotateKeys method then the KeyRotator will cease processing, perform some clean-up and return the error to the caller in the form of a rejected Promise containing the error.

Any errors that occur after the user's existing key(s) have been retrieved will trigger a clean-up stage that attempts to delete any inactive keys from the list of existing keys and then performs a re-run of the core rotation steps. AWS restricts users to having at most 2 Access Keys at any one time, therefore rotation will fail if 2 keys are present as a new key cannot be created. Deleting inactive keys ensures that the KeyRotator can "self-heal" from this state and should allow it to successfully rotate the keys on the re-run.

Additionally, if the user-defined NewKeyHandler function returns a rejected Promise, indicating that the required handling failed, then the KeyRotator will delete the newly created Access Key ensuring that the user is not left with an unusable, active Access Key.

This ensures that any errors that occur during key rotation will not result in the user's access keys being left in a bad state (e.g. no active keys, 2 different active keys, etc.).

API

KeyRotator

The KeyRotator class handles the bulk of the key rotation functionality. It exposes a single method to rotate the keys for a given user which is described below.

Constructor

constructor(iam: IAM, newKeyHandler: NewKeyHandler)

Params

iam - an instance of an IAM object from the aws-sdk library. Used to provide access to a user's AWS Access Keys.

newKeyHandler - the function for handling the new key once it is created. If the handling is not successful then the KeyRotator will automatically delete the newly created key.

rotateKeys

rotateKeys(user: string): Promise<void>

Rotates the access keys for a given user by creating a new key, propagating it as required through the NewKeyHandler and then deleting the old key(s).

Params

user - the name of the IAM User to rotate the access keys for.

Returns

A Promise the resolves with no data if the key rotation was successful and rejects with an error if it was not.

NewKeyHandler

An interface for defining a custom function that handles the newly created Access Key as required.

(newKey: AccessKey) => Promise<void>

Params

newKey - an instance of an AccessKey object from the aws-sdk library that is returned as part of the createNewAccessKey method.

Returns

A Promise the resolves with no data if the new key handling was successful and rejects with an error if it was not.

Keywords

aws
key-rotation

FAQs

Package last updated on 18 Feb 2019

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Rust RFC Proposes a Security Tab on crates.io for RustSec Advisories

Security News

Rust RFC Proposes a Security Tab on crates.io for RustSec Advisories

Rust’s crates.io team is advancing an RFC to add a Security tab that surfaces RustSec vulnerability and unsoundness advisories directly on crate pages.

By Sarah Gooding  -  Dec 09, 2025