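// resetIamUser resets the console password of IAM user uid in the account
// described by r.p, forces a password change at first login, deletes all of
// the user's access keys and, when r.p.CreateAccessKey is set, issues a new
// one. The resulting credentials are handed to the user through r.notify.
//
// The IAM API reports a missing login profile as a NoSuchEntity error rather
// than as an empty result, so that error code is what decides between
// creating and updating the profile; any other error aborts the reset before
// the password or the keys are touched.
//
// When r.Conf.ApplyChanges is false nothing is changed in AWS; the dry run is
// logged and the notification body (with a password that was never set) is
// still sent so the run can be reviewed.
//
// Errors are logged, not returned, in keeping with the other run methods.
func (r *run) resetIamUser(uid string) {
	password := "******" + randToken() + "%"
	body := fmt.Sprintf(`Updated AWS account:
login: %s
pass:  %s (change at first login)
url:   https://%s.signin.aws.amazon.com/console`, uid, password, r.p.AccountName)

	if !r.Conf.ApplyChanges {
		// The generated password is never applied in a dry run, so logging
		// it does not expose a live credential.
		log.Printf("[dryrun] aws %q: would have reset AWS IAM user %q with password %q",
			r.p.AccountName, uid, password)
		// notify the user, do not apply
		r.notify(uid, body)
		return
	}

	// Decide between creating and updating the login profile. The SDK error
	// carries the service code through Code(); a local interface is used so
	// this method does not need the awserr package.
	_, err := r.iam.GetLoginProfile(&iam.GetLoginProfileInput{
		UserName: aws.String(uid),
	})
	noProfile := false
	if err != nil {
		ce, ok := err.(interface{ Code() string })
		if !ok || ce.Code() != iam.ErrCodeNoSuchEntityException {
			log.Printf("[error] aws %q: failed to get login profile for user %q: %v",
				r.p.AccountName, uid, err)
			return
		}
		noProfile = true
	}
	if noProfile {
		// the user never had console access: create the profile
		_, err = r.iam.CreateLoginProfile(&iam.CreateLoginProfileInput{
			Password:              aws.String(password),
			UserName:              aws.String(uid),
			PasswordResetRequired: aws.Bool(true),
		})
		if err != nil {
			log.Printf("[error] aws %q: failed to create login profile for user %q: %v",
				r.p.AccountName, uid, err)
			return
		}
	} else {
		_, err = r.iam.UpdateLoginProfile(&iam.UpdateLoginProfileInput{
			Password:              aws.String(password),
			UserName:              aws.String(uid),
			PasswordResetRequired: aws.Bool(true),
		})
		if err != nil {
			log.Printf("[error] aws %q: failed to update login profile for user %q: %v",
				r.p.AccountName, uid, err)
			return
		}
	}

	// Rotate access keys: every existing key is deleted so that a leaked key
	// does not survive the reset. A failed deletion is logged and the loop
	// carries on, so one bad key does not block the others.
	lako, err := r.iam.ListAccessKeys(&iam.ListAccessKeysInput{
		UserName: aws.String(uid),
	})
	if err != nil {
		log.Printf("[error] aws %q: failed to list access keys for user %q: %v",
			r.p.AccountName, uid, err)
		return
	}
	for _, key := range lako.AccessKeyMetadata {
		keyid := aws.StringValue(key.AccessKeyId)
		daki := iam.DeleteAccessKeyInput{
			AccessKeyId: key.AccessKeyId,
			UserName:    aws.String(uid),
		}
		if _, err = r.iam.DeleteAccessKey(&daki); err != nil {
			log.Printf("[error] aws %q: failed to delete access key %q of user %q: %v. request was %q.",
				r.p.AccountName, keyid, uid, err, daki.String())
			continue
		}
		r.debug("aws %q: deleted access key %q of user %q",
			r.p.AccountName, keyid, uid)
	}

	var accesskey string
	if r.p.CreateAccessKey {
		cako, createErr := r.iam.CreateAccessKey(&iam.CreateAccessKeyInput{
			UserName: aws.String(uid),
		})
		if createErr != nil {
			// The password has already been reset at this point, so the user
			// is still told about it; only the key section is left out.
			log.Printf("[error] aws %q: failed to create access key for user %q: %v",
				r.p.AccountName, uid, createErr)
		} else {
			// The secret is returned only by this call and is never retrievable
			// again, so it goes into the notification as the sole hand-over.
			accesskey = fmt.Sprintf(`
A new access key has been created for you.
Add the lines below to ~/.aws/credentials
[%s]
aws_access_key_id = %s
aws_secret_access_key = %s`,
				r.p.AccountName,
				aws.StringValue(cako.AccessKey.AccessKeyId),
				aws.StringValue(cako.AccessKey.SecretAccessKey))
		}
	}
	// notify the user
	r.notify(uid, strings.Join([]string{body, accesskey}, "\n"))
}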
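// removeIamUser deletes IAM user uid from the account described by r.p.
//
// IAM refuses to delete a user that still owns credentials or memberships, so
// the user's access keys, group memberships and login profile are removed
// first, and the user record last. A failed key deletion or group removal is
// logged and the remaining ones are still attempted; the final DeleteUser then
// reports whether anything was left behind.
//
// NOTE(review): MFA devices, signing certificates, SSH public keys and inline
// or attached policies are not removed here; a user that still has any of
// those makes DeleteUser fail, which this method logs as an error.
//
// When r.Conf.ApplyChanges is false nothing is changed in AWS. Errors are
// logged, not returned, in keeping with the other run methods.
func (r *run) removeIamUser(uid string) {
	if !r.Conf.ApplyChanges {
		log.Printf("[dryrun] aws %q: would have deleted AWS IAM user %q",
			r.p.AccountName, uid)
		return
	}

	// remove all user's access keys
	lakfu, err := r.iam.ListAccessKeys(&iam.ListAccessKeysInput{
		UserName: aws.String(uid),
	})
	if err != nil {
		log.Printf("[error] aws %q: failed to list access keys for user %q: %v",
			r.p.AccountName, uid, err)
		return
	}
	for _, accesskey := range lakfu.AccessKeyMetadata {
		keyid := strings.Replace(awsutil.Prettify(accesskey.AccessKeyId), `"`, ``, -1)
		daki := iam.DeleteAccessKeyInput{
			AccessKeyId: accesskey.AccessKeyId,
			UserName:    aws.String(uid),
		}
		if _, err = r.iam.DeleteAccessKey(&daki); err != nil {
			log.Printf("[error] aws %q: failed to delete access key %q of user %q: %v. request was %q.",
				r.p.AccountName, keyid, uid, err, daki.String())
			continue
		}
		r.debug("aws %q: deleted access key %q of user %q",
			r.p.AccountName, keyid, uid)
	}

	// remove the user from all IAM groups
	lgfu, err := r.iam.ListGroupsForUser(&iam.ListGroupsForUserInput{
		UserName: aws.String(uid),
	})
	if err != nil {
		log.Printf("[error] aws %q: failed to list groups for user %q: %v",
			r.p.AccountName, uid, err)
		return
	}
	for _, iamgroup := range lgfu.Groups {
		gname := strings.Replace(awsutil.Prettify(iamgroup.GroupName), `"`, ``, -1)
		rufgi := &iam.RemoveUserFromGroupInput{
			GroupName: iamgroup.GroupName,
			UserName:  aws.String(uid),
		}
		if _, err = r.iam.RemoveUserFromGroup(rufgi); err != nil {
			log.Printf("[error] aws %q: failed to remove user %q from group %q: %v. request was %q.",
				r.p.AccountName, uid, gname, err, rufgi.String())
			continue
		}
		r.debug("aws %q: removed user %q from group %q",
			r.p.AccountName, uid, gname)
	}

	// Drop the console password. Only "no such profile" is benign; any other
	// error (throttling, access denied, ...) is reported and stops the removal,
	// since DeleteUser would fail on the leftover profile anyway. The service
	// code is read through Code() so the awserr package is not needed here.
	if _, err = r.iam.DeleteLoginProfile(&iam.DeleteLoginProfileInput{
		UserName: aws.String(uid),
	}); err != nil {
		ce, ok := err.(interface{ Code() string })
		if !ok || ce.Code() != iam.ErrCodeNoSuchEntityException {
			log.Printf("[error] aws %q: failed to delete login profile of user %q: %v",
				r.p.AccountName, uid, err)
			return
		}
		r.debug("aws %q: user %q did not have an aws login profile to delete",
			r.p.AccountName, uid)
	}

	if _, err = r.iam.DeleteUser(&iam.DeleteUserInput{
		UserName: aws.String(uid),
	}); err != nil {
		log.Printf("[error] aws %q: failed to delete aws user %q: %v",
			r.p.AccountName, uid, err)
		return
	}
	log.Printf("[info] aws %q: deleted user %q", r.p.AccountName, uid)
}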