@economist/aws-key-rotator
Advanced tools
aws-key-rotator provides functionality for rotating AWS Access Keys with user-defined handling for propagating a newly created key. This allows easier automation of key rotation for required services.
A typical usage example is automatically updating the Access Keys for a project's CI/CD service.
The key rotation performed by aws-key-rotator follows the below steps:
If any of the above steps fail then the KeyRotator will perform some clean-up as described in Error Handling.
iam:ListAccessKeys
iam:DeleteAccessKey
iam:CreateAccessKey
iam:UpdateAccessKey
aws-key-rotator as a dependency in your package.json file.
npm install @economist/aws-key-rotator
import { KeyRotator, NewKeyHandler } from "@economist/aws-key-rotator";
const iam = new IAM();
const newKeyHandler = (key: AccessKey) => { /* your code here */ };
const keyRotator = new KeyRotator(iam, newKeyHandler);
keyRotator.rotateKeys("YourUser")
.then(() => { /* your 'on success' code here */ })
.catch((err) => { /* your 'on failure' code here */ });
If any error occurs as part of the call to the rotateKeys method then the KeyRotator will cease processing, perform some clean-up and return the error to the caller in the form of a rejected Promise containing the error.
Any errors that occur after the user's existing key(s) have been retrieved will trigger a clean-up stage that attempts to delete any inactive keys from the list of existing keys and then performs a re-run of the core rotation steps. AWS restricts users to having at most 2 Access Keys at any one time, therefore rotation will fail if 2 keys are present as a new key cannot be created. Deleting inactive keys ensures that the KeyRotator can "self-heal" from this state and should allow it to successfully rotate the keys on the re-run.
Additionally, if the user-defined NewKeyHandler function returns a rejected Promise, indicating that the required handling failed, then the KeyRotator will delete the newly created Access Key ensuring that the user is not left with an unusable, active Access Key.
This ensures that any errors that occur during key rotation will not result in the user's access keys being left in a bad state (e.g. no active keys, 2 different active keys, etc.).
The KeyRotator class handles the bulk of the key rotation functionality. It exposes a single method to rotate the keys for a given user which is described below.
constructor(iam: IAM, newKeyHandler: NewKeyHandler)
iam - an instance of an IAM object from the aws-sdk library. Used to provide access to a user's AWS Access Keys.
newKeyHandler - the function for handling the new key once it is created. If the handling is not successful then the KeyRotator will automatically delete the newly created key.
rotateKeys(user: string): Promise<void>
Rotates the access keys for a given user by creating a new key, propagating it as required through the NewKeyHandler and then deleting the old key(s).
user - the name of the IAM User to rotate the access keys for.
A Promise the resolves with no data if the key rotation was successful and rejects with an error if it was not.
An interface for defining a custom function that handles the newly created Access Key as required.
(newKey: AccessKey) => Promise<void>
newKey - an instance of an AccessKey object from the aws-sdk library that is returned as part of the createNewAccessKey method.
A Promise the resolves with no data if the new key handling was successful and rejects with an error if it was not.
[1.1.0] - 2019-01-07
FAQs
AWS Access Key Rotation
The npm package @economist/aws-key-rotator receives a total of 10 weekly downloads. As such, @economist/aws-key-rotator popularity was classified as not popular.
We found that @economist/aws-key-rotator demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 24 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.