How do I determine which AWS Access Keys are used for boto3 calls in Python?

0
votes

I'm writing a script to automatically rotate AWS Access Keys on Developer laptops. The script runs in the context of the developer using whichever profile they specify from their ~/.aws/credentials file.

The problem is if they have two API keys associated with their IAM User account, I cannot create a new key pair until I delete an existing one. However, if I delete whichever key the script is using (which is probably from the ~/.aws/credentials file, but might be from Environment variables of session tokens or something), the script won't be able to create a new key. Is there a way to determine what AWS Access Key ID is being used to sign boto3 API calls within python?

My fall back is to parse the ~/.aws/credentials file, but I'd rather a more robust solution.

1
python-3.xamazon-web-servicesboto3amazon-iam

1 Answers

3
votes

Create a default boto3 session and retrieve the credentials:

print(boto3.Session().get_credentials().access_key)

That said, I'm not necessarily a big fan of the approach that you are proposing. Both keys might legitimately be in use. I would prefer a strategy that notified users of multiple keys, asked them to validate their usage, and suggest they deactivate or delete keys that are no longer in use.

You can also use IAM's get_access_key_last_used() to retrieve information about when the specified access key was last used.

Maybe it would be reasonable to delete keys that are a) inactive and b) haven't been used in N days, but I think that's still a stretch and would require careful handling and awareness among your users.

The real solution here is to move your users to federated access and 100% use of IAM roles. Thus no long-term credentials anywhere. I think this should be the ultimate goal of all AWS users.