
Comments (19)

lox avatar lox commented on May 18, 2024 1

Key rotation on add makes a lot of sense, and we should absolutely document this feature in the README.

How about a first step of a warning message if a key is older than 30 days? I'm a bit concerned that automatic rotation might run into permissions issues.

from aws-vault.

damonmaria avatar damonmaria commented on May 18, 2024

A message on use of aws-vault telling the user that their key is old is a great idea. 30 days seems reasonable, especially when the rotation is so easy to do.


pda avatar pda commented on May 18, 2024

I agree key rotation is good. I'm concerned regarding the user experience, though.

Automatically rotating existing keys would probably end badly; there'll be people out there with keys in aws-vault which are also used in production or by other people. Nagging about key age would be a bad experience for the many people that would just ignore the warning forever. I'm also wondering how we know how old a key is. An extra IAM API call before every aws-vault operation? Track it locally and hope it doesn't get out of sync with reality?

As you mention @damonmaria, rotating after initially adding the key is the most critical time; it's been in a web browser / email / Slack / clipboard etc. Since aws-vault add is already a series of interactive prompts, perhaps adding a question there would be the most useful and least breaking-change way forwards:

$ aws-vault add acme-admin
Enter Access Key ID: AKIAIOSFODNN7EXAMPLE
Enter Secret Access Key: bar
Rotate key? (y/N): y

Key rotation: created AKIAIOSFODNN7ROTATED, deleted AKIAIOSFODNN7EXAMPLE.
To rotate key in future, run `aws-vault rotate acme-admin`

Added credentials to profile "acme-admin" in vault

Going beyond that, instead of "Rotate key?" the question could be "Periodically rotate key?" or "Days between automatic key rotation?" but I think that starts getting more complicated; storing the answer per profile, tracking key age, figuring out where to slip the auto rotation into the various aws-vault commands...


joho avatar joho commented on May 18, 2024

I think I agree with @pda. Documenting it in the README and promoting it as best practice is the best first step. Including it in the setup/onboarding both for the important initial rotation and to aid education is a good next one.

After those two steps the risk/reward on building rotation warnings becomes less clear cut. It might be worth deferring a decision on the rotation logic.


damonmaria avatar damonmaria commented on May 18, 2024

I agree with @pda and @joho on this. Either auto-rotation or being bugged with a message to rotate should be opt-in. I suggested daily auto rotation for all keys because it would be easier to implement, but while it would be useful to me it would probably be a bit niche.

Adding a question and more info when enrolling a key is a fine place as it's a fairly rare process. I like the example console from @pda above but would suggest explaining that rotation only works if this is the only place the key is being stored / used. And maybe that warning should come with aws-vault rotate as well?

A nice step further during enrollment would be to offer for the user to specify a time period to be bugged about rotation (or not at all). But I understand the reluctance due to the required implementation hurdles there.


lox avatar lox commented on May 18, 2024

I think there is potentially a middle ground. What if we prompted the user during add whether they'd like to rotate, and then whether they wanted to automatically rotate it in future? That way we know the key comes with permissions for IAM and that it's one they don't mind rotating.

$ aws-vault add acme-admin
Enter Access Key ID: AKIAIOSFODNN7EXAMPLE
Enter Secret Access Key: bar
Rotate key? (y/N): y

Key rotation: created AKIAIOSFODNN7ROTATED, deleted AKIAIOSFODNN7EXAMPLE.

Enable automatic key rotation every 24 hours? (y|N): n

To rotate key in future, run `aws-vault rotate acme-admin`

Added credentials to profile "acme-admin" in vault ✅


lox avatar lox commented on May 18, 2024

Also would be great to have aws-vault rotate --all be a thing.


lox avatar lox commented on May 18, 2024

@pda btw, that approach would also let us store some metadata in the keychain, so it wouldn't require AWS queries to determine if the key was older.

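The flow pda sketches above (rotate straight after add, with the old key deleted only once the new one exists) and lox's point that locally stored metadata makes an IAM query for key age unnecessary, as one added Go example. This is not aws-vault's code: the `Credential` type, the `IAMClient` interface, the `fakeIAM` stand-in, the `AKIAEXAMPLE…` key ids and the 30-day warning and 24-hour auto-rotation thresholds are all assumptions constructed for the example. The fake enforces IAM's real limit of two access keys per user and can be told to deny either call, so the failure mode skyzyx raises later in the thread (a user without permission to manage their own keys) is exercised: a denied create returns the original key unchanged instead of leaving the user locked out.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Credential is a constructed vault entry (not aws-vault's type): the key pair
// plus locally stored metadata so key age needs no IAM call on every command.
type Credential struct {
	AccessKeyID     string
	SecretAccessKey string
	CreatedAt       time.Time // set when the key was added or last rotated
	AutoRotate      bool      // opt-in answer from the hypothetical add prompt
}

// IAMClient is a minimal stand-in for the two IAM operations a rotation needs.
type IAMClient interface {
	CreateAccessKey() (id, secret string, err error)
	DeleteAccessKey(id string) error
}

const (
	WarnAfter          = 30 * 24 * time.Hour // age at which the "key is old" warning fires
	AutoRotateInterval = 24 * time.Hour      // opt-in automatic rotation period
)

var ErrAccessDenied = errors.New("AccessDenied: not authorized for this IAM action")
var ErrLimitExceeded = errors.New("LimitExceeded: user already has two access keys")
// KeyAge derives the key's age from local metadata rather than an IAM query.
func KeyAge(c Credential, now time.Time) time.Duration { return now.Sub(c.CreatedAt) }
// NeedsWarning is the opt-in nag: true once the key is older than WarnAfter.
func NeedsWarning(c Credential, now time.Time) bool { return KeyAge(c, now) > WarnAfter }

// Rotate creates the new key first and deletes the old one only once the new
// one is in hand. If creation fails (missing permission, two-key limit) the
// original credential comes back unchanged, so the user always keeps a working key.
func Rotate(iam IAMClient, c Credential, now time.Time) (Credential, error) {
	newID, newSecret, err := iam.CreateAccessKey()
	if err != nil {
		return c, fmt.Errorf("rotate: create failed, keeping %s: %w", c.AccessKeyID, err)
	}
	rotated := Credential{AccessKeyID: newID, SecretAccessKey: newSecret, CreatedAt: now, AutoRotate: c.AutoRotate}
	if err := iam.DeleteAccessKey(c.AccessKeyID); err != nil {
		// The new key exists and must be stored; name the old one so the user can delete it by hand.
		return rotated, fmt.Errorf("rotate: created %s but could not delete %s: %w", newID, c.AccessKeyID, err)
	}
	return rotated, nil
}

// MaybeAutoRotate runs at command startup for an opted-in profile and rotates
// only when the key is at least AutoRotateInterval old.
func MaybeAutoRotate(iam IAMClient, c Credential, now time.Time) (Credential, bool, error) {
	if !c.AutoRotate || KeyAge(c, now) < AutoRotateInterval {
		return c, false, nil
	}
	rotated, err := Rotate(iam, c, now)
	return rotated, err == nil, err
}

// fakeIAM is a constructed in-memory IAM that enforces the real service's
// two-access-keys-per-user limit and can be told to deny either call.
type fakeIAM struct {
	keys                   map[string]bool
	denyCreate, denyDelete bool
	counter                int
}

func (f *fakeIAM) CreateAccessKey() (string, string, error) {
	if f.denyCreate {
		return "", "", ErrAccessDenied
	}
	if len(f.keys) >= 2 {
		return "", "", ErrLimitExceeded
	}
	f.counter++
	id := fmt.Sprintf("AKIAEXAMPLE%08d", f.counter) // placeholder id, not a real key
	f.keys[id] = true
	return id, "secret-for-" + id, nil
}

func (f *fakeIAM) DeleteAccessKey(id string) error {
	if f.denyDelete || !f.keys[id] {
		return ErrAccessDenied
	}
	delete(f.keys, id)
	return nil
}

func main() {
	now := time.Date(2024, 5, 18, 0, 0, 0, 0, time.UTC)
	iam := &fakeIAM{keys: map[string]bool{"AKIAIOSFODNN7EXAMPLE": true}}
	c := Credential{AccessKeyID: "AKIAIOSFODNN7EXAMPLE", SecretAccessKey: "bar", CreatedAt: now, AutoRotate: true}
	c, err := Rotate(iam, c, now)
	fmt.Println("rotated to", c.AccessKeyID, "err:", err)
	c, did, err := MaybeAutoRotate(iam, c, now.Add(25*time.Hour))
	fmt.Println("auto-rotated next day:", did, c.AccessKeyID, "err:", err)
}
```

Create-before-delete is the ordering that matters: a key that is also used elsewhere (the concern pda and damonmaria raise) is exactly what the opt-in `AutoRotate` flag guards, and when the delete half fails the new key is still returned and stored, with the error naming the old key that is now orphaned rather than silently leaving it live.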

zar777 avatar zar777 commented on May 18, 2024

Hi guys,

I installed your tool and I'm playing a bit with it. I have a couple of questions:

  • Is the scheduled key rotation available now? I've tried to add a new profile and it doesn't ask me to schedule the key rotation every 24 hours or to add a custom time to rotate the keys automatically.

  • I've tried to rotate the key manually and it works, but why is it not updating the aws credentials file? If it doesn't update that file, it means that I have to do it manually every time, otherwise I can't use the aws cli or some aws services which require the new keys.

Thanks in advance for your help!


FernandoMiguel avatar FernandoMiguel commented on May 18, 2024

@zar777 there should be no credentials in any file
that's the whole point of aws-vault, is to have it in an encrypted store, not as clear text.

you are misunderstanding how to use this tool


zar777 avatar zar777 commented on May 18, 2024

> @zar777 there should be no credentials in any file
> that's the whole point of aws-vault, is to have it in an encrypted store, not as clear text.
>
> you are misunderstanding how to use this tool

Ok, thanks for your quick reply.

Anyway, my two questions are still valid (I'm gonna modify my second question, given your answer):

  • Is the scheduled key rotation available now? I've tried to add a new profile and it doesn't ask me to schedule the key rotation every 24 hours or to add a custom time to rotate the keys automatically.

  • How can the aws cli or other aws services which point to the **credentials** file read the encrypted stored keys from AWS-VAULT?

Thanks a lot.


FernandoMiguel avatar FernandoMiguel commented on May 18, 2024

@zar777 aws-vault exec PROFILE -- aws-cli WHATEVER


zar777 avatar zar777 commented on May 18, 2024

Thanks a lot @FernandoMiguel! Do you know if the automatic key rotation is available now?


FernandoMiguel avatar FernandoMiguel commented on May 18, 2024

@zar777 I have no idea... just reading the ticket, just like you


zar777 avatar zar777 commented on May 18, 2024

Thanks a lot @FernandoMiguel! Really kind!


frezbo avatar frezbo commented on May 18, 2024

@zar777 Automatic key rotation would not be possible unless aws-vault runs as a service or it checks whenever the aws-vault commands are executed and then auto-rotates. Currently it's not available.


zar777 avatar zar777 commented on May 18, 2024

Thanks @frezbo!


skyzyx avatar skyzyx commented on May 18, 2024

Any reference to Automatic rotation is making a pretty significant assumption that (a) the user has the appropriate IAM permissions to allow this, and (b) the user has control over their IAM permissions. These are not guaranteed, and cannot be assumed.


stale avatar stale commented on May 18, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

