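// resetIamUser resets the console password of the IAM user uid, forces a
// password change at next login, rotates the user's access keys (every
// existing key is deleted; a new one is created only when
// r.p.CreateAccessKey is set) and delivers the new credentials to the user
// through r.notify.
//
// When r.Conf.ApplyChanges is false nothing is changed in AWS; the
// notification is still sent so that the message path can be exercised.
// Failures are logged and stop the remaining steps; the function has no
// return value, so callers cannot distinguish success from failure.
func (r *run) resetIamUser(uid string) {
	// The fixed prefix and "%" suffix around the random token presumably
	// exist to satisfy the account password policy (length and character
	// classes) — confirm against the policy actually configured.
	password := "******" + randToken() + "%"
	body := fmt.Sprintf(`Updated AWS account:
login: %s
pass: %s (change at first login)
url: https://%s.signin.aws.amazon.com/console`, uid, password, r.p.AccountName)

	if !r.Conf.ApplyChanges {
		// The temporary password is a secret: it is delivered to the user
		// by the notification only and deliberately kept out of the log.
		log.Printf("[dryrun] aws %q: would have reset AWS IAM user %q with a new temporary password",
			r.p.AccountName, uid)
		// notify the user, do not apply
		r.notify(uid, body)
		return
	}

	// A user without a console password makes GetLoginProfile fail with a
	// NoSuchEntity error rather than return an empty output, so that error
	// has to be recognised here; otherwise the create branch below could
	// never be reached. Matching the error code in the message text is a
	// pragmatic check; an awserr.Error type assertion on Code() would be
	// the precise form.
	hasProfile := true
	_, err := r.iam.GetLoginProfile(&iam.GetLoginProfileInput{
		UserName: aws.String(uid),
	})
	if err != nil {
		if !strings.Contains(err.Error(), iam.ErrCodeNoSuchEntity) {
			log.Printf("[error] aws %q: failed to get login profile for user %q: %v",
				r.p.AccountName, uid, err)
			return
		}
		hasProfile = false
	}

	// Set the temporary password and require a change at first login.
	if hasProfile {
		_, err = r.iam.UpdateLoginProfile(&iam.UpdateLoginProfileInput{
			Password:              aws.String(password),
			UserName:              aws.String(uid),
			PasswordResetRequired: aws.Bool(true),
		})
		if err != nil {
			log.Printf("[error] aws %q: failed to update login profile for user %q: %v",
				r.p.AccountName, uid, err)
			return
		}
	} else {
		_, err = r.iam.CreateLoginProfile(&iam.CreateLoginProfileInput{
			Password:              aws.String(password),
			UserName:              aws.String(uid),
			PasswordResetRequired: aws.Bool(true),
		})
		if err != nil {
			log.Printf("[error] aws %q: failed to create login profile for user %q: %v",
				r.p.AccountName, uid, err)
			return
		}
	}

	// From this point on the password in AWS has already been changed, so
	// the user must be notified even if the key rotation below fails.
	lako, err := r.iam.ListAccessKeys(&iam.ListAccessKeysInput{
		UserName: aws.String(uid),
	})
	if err != nil || lako == nil {
		log.Printf("[error] aws %q: failed to list access keys for user %q: %v",
			r.p.AccountName, uid, err)
		r.notify(uid, body)
		return
	}

	// Delete all access keys associated with the user. A key that cannot be
	// deleted is logged and skipped; the rotation continues with the rest.
	for _, key := range lako.AccessKeyMetadata {
		keyid := aws.StringValue(key.AccessKeyId)
		daki := iam.DeleteAccessKeyInput{
			AccessKeyId: key.AccessKeyId,
			UserName:    aws.String(uid),
		}
		if _, err := r.iam.DeleteAccessKey(&daki); err != nil {
			log.Printf("[error] aws %q: failed to delete access key %q of user %q: %v. request was %q.",
				r.p.AccountName, keyid, uid, err, daki.String())
			continue
		}
		r.debug("aws %q: deleted access key %q of user %q", r.p.AccountName, keyid, uid)
	}

	// Optionally issue a fresh access key and append it to the message.
	var accesskey string
	if r.p.CreateAccessKey {
		var cako *iam.CreateAccessKeyOutput
		cako, err = r.iam.CreateAccessKey(&iam.CreateAccessKeyInput{
			UserName: aws.String(uid),
		})
		if err != nil || cako == nil || cako.AccessKey == nil {
			log.Printf("[error] aws %q: failed to create access key for user %q: %v",
				r.p.AccountName, uid, err)
		} else {
			accesskey = fmt.Sprintf(`
A new access key has been created for you. Add the lines below to ~/.aws/credentials
[%s]
aws_access_key_id = %s
aws_secret_access_key = %s`, r.p.AccountName,
				aws.StringValue(cako.AccessKey.AccessKeyId),
				aws.StringValue(cako.AccessKey.SecretAccessKey))
		}
	}

	// notify the user
	r.notify(uid, strings.Join([]string{body, accesskey}, "\n"))
}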
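// removeIamUser deletes the IAM user uid from the account. In order, it
// deletes all of the user's access keys, removes the user from every IAM
// group it belongs to, deletes the console login profile if there is one,
// and finally deletes the user itself. Errors are logged; failing to list
// keys or groups, or to delete the user, stops the remaining steps.
//
// Other resources that may be attached to the user — MFA devices, signing
// certificates, SSH public keys, inline or attached policies, service
// specific credentials — are not removed here; if any remain, the final
// DeleteUser call fails with a DeleteConflict error, which is logged.
//
// When r.Conf.ApplyChanges is false nothing is changed in AWS.
func (r *run) removeIamUser(uid string) {
	if !r.Conf.ApplyChanges {
		log.Printf("[dryrun] aws %q: would have deleted AWS IAM user %q", r.p.AccountName, uid)
		return
	}

	// Remove all of the user's access keys. IAM allows at most two keys per
	// user, so a single unpaginated list call covers them.
	lakfu, err := r.iam.ListAccessKeys(&iam.ListAccessKeysInput{
		UserName: aws.String(uid),
	})
	if err != nil || lakfu == nil {
		log.Printf("[error] aws %q: failed to list access keys for user %q: %v",
			r.p.AccountName, uid, err)
		return
	}
	for _, accesskey := range lakfu.AccessKeyMetadata {
		keyid := aws.StringValue(accesskey.AccessKeyId)
		daki := iam.DeleteAccessKeyInput{
			AccessKeyId: accesskey.AccessKeyId,
			UserName:    aws.String(uid),
		}
		if _, err := r.iam.DeleteAccessKey(&daki); err != nil {
			log.Printf("[error] aws %q: failed to delete access key %q of user %q: %v. request was %q.",
				r.p.AccountName, keyid, uid, err, daki.String())
			continue
		}
		r.debug("aws %q: deleted access key %q of user %q", r.p.AccountName, keyid, uid)
	}

	// Remove the user from every IAM group it is a member of; a user that
	// still belongs to a group cannot be deleted.
	lgfu, err := r.iam.ListGroupsForUser(&iam.ListGroupsForUserInput{
		UserName: aws.String(uid),
	})
	if err != nil || lgfu == nil {
		log.Printf("[error] aws %q: failed to list groups for user %q: %v",
			r.p.AccountName, uid, err)
		return
	}
	for _, iamgroup := range lgfu.Groups {
		gname := aws.StringValue(iamgroup.GroupName)
		rufgi := &iam.RemoveUserFromGroupInput{
			GroupName: iamgroup.GroupName,
			UserName:  aws.String(uid),
		}
		if _, err := r.iam.RemoveUserFromGroup(rufgi); err != nil {
			log.Printf("[error] aws %q: failed to remove user %q from group %q: %v. request was %q.",
				r.p.AccountName, uid, gname, err, rufgi.String())
			continue
		}
		r.debug("aws %q: removed user %q from group %q", r.p.AccountName, uid, gname)
	}

	// Delete the console login profile. A user without one makes the call
	// fail with NoSuchEntity, which is expected; any other failure is a
	// real error and is logged as such (the profile would then block the
	// DeleteUser call below). The error code is matched in the message
	// text; an awserr.Error type assertion on Code() would be the precise form.
	_, err = r.iam.DeleteLoginProfile(&iam.DeleteLoginProfileInput{
		UserName: aws.String(uid),
	})
	switch {
	case err == nil:
	case strings.Contains(err.Error(), iam.ErrCodeNoSuchEntity):
		r.debug("aws %q: user %q did not have an aws login profile to delete", r.p.AccountName, uid)
	default:
		log.Printf("[error] aws %q: failed to delete login profile of user %q: %v",
			r.p.AccountName, uid, err)
	}

	if _, err = r.iam.DeleteUser(&iam.DeleteUserInput{
		UserName: aws.String(uid),
	}); err != nil {
		log.Printf("[error] aws %q: failed to delete aws user %q: %v", r.p.AccountName, uid, err)
		return
	}
	log.Printf("[info] aws %q: deleted user %q", r.p.AccountName, uid)
}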