Get all keys from an AWS account and send an email if a key is getting old
An example environment variable file:
AWS_ACCESS_KEY_ID=AKIAXXXXX
AWS_SECRET_ACCESS_KEY=XXXXX
SENDGRID_API_KEY=XXXXX
DAYS_WARN=80
DAYS_ERROR=90
EMAIL_TO=XXXXX
EMAIL_FROM=XXXXX
EMAIL_REPLY_TO=XXXXX
AWS_ACCESS_KEY_ID: The AWS ID (yes, this service does audit its own key)
AWS_SECRET_ACCESS_KEY: The AWS secret
SENDGRID_API_KEY: API key for SendGrid
DAYS_WARN: The number of days a key can live before being marked as needing to be deleted soon
DAYS_ERROR: The number of days a key can live before being marked as needing to be deleted
EMAIL_TO: The email address to send the email to
EMAIL_FROM: The email address the email is sent as
EMAIL_REPLY_TO: The email address to reply to (helpful when clicking REPLY ALL)
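
How DAYS_WARN and DAYS_ERROR split keys by age, as an added Python example (not this project's own code). Assumptions: the function names are hypothetical, a key exactly at a threshold counts as past it, inactive keys are still reported, and `fetch_keys` uses boto3's IAM `list_users` and `list_access_keys` paginators.

```python
import os
from datetime import datetime, timedelta, timezone

# Same variable names and defaults as the example environment file.
DAYS_WARN = int(os.environ.get("DAYS_WARN", "80"))
DAYS_ERROR = int(os.environ.get("DAYS_ERROR", "90"))

def classify(create_date, now, warn, error):
    """Return (level, age_in_days); level is 'ok', 'warn' or 'error'."""
    if create_date.tzinfo is None:  # assumption: naive timestamps are UTC
        create_date = create_date.replace(tzinfo=timezone.utc)
    age = (now - create_date).days
    if age >= error:
        return "error", age
    if age >= warn:
        return "warn", age
    return "ok", age

def audit(keys, now=None, warn=DAYS_WARN, error=DAYS_ERROR):
    """Return only the keys at or past the warn threshold, oldest first."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for key in keys:
        level, age = classify(key["CreateDate"], now, warn, error)
        if level != "ok":
            findings.append({"user": key["UserName"], "key": key["AccessKeyId"],
                             "status": key["Status"], "age": age, "level": level})
    return sorted(findings, key=lambda f: f["age"], reverse=True)

def fetch_keys():
    """Yield AccessKeyMetadata for every IAM user (needs boto3 and credentials)."""
    import boto3
    iam = boto3.client("iam")
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            pages = iam.get_paginator("list_access_keys").paginate(UserName=user["UserName"])
            for key_page in pages:
                yield from key_page["AccessKeyMetadata"]

# Constructed sample in the shape of IAM AccessKeyMetadata (not real keys).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def sample_key(user, key_id, status, age_days):
    return {"UserName": user, "AccessKeyId": key_id, "Status": status,
            "CreateDate": NOW - timedelta(days=age_days)}
SAMPLE = [sample_key("ci", "AKIAEXAMPLE0001", "Active", 30),
          sample_key("deploy", "AKIAEXAMPLE0002", "Active", 80),
          sample_key("alice", "AKIAEXAMPLE0003", "Active", 85),
          sample_key("legacy", "AKIAEXAMPLE0004", "Inactive", 120)]
```

Calling `audit(fetch_keys())` runs the same classification against a live account; `audit(SAMPLE, NOW)` runs it offline on the constructed data.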
The application is currently deployed to the us-east1 Kubernetes cluster. Deployment is done manually for now.
The secrets and cronjob configuration can be found in the kube repo at: <kube repo root>/us-east1.buffer-k8s.com/internal/aws-key-auditor
NOTE: all scripts are run in the aws-key-auditor directory in the kube repo.
First make sure the secret containing the .env file is created
./create-secret.sh
Apply the cronjob deployment to Kubernetes
kubectl apply -f cronjob.yaml

Make changes to code, commit and push
Get the latest git hash
git rev-parse HEAD
Publish with the latest git hash as the version
./publish.sh <the git hash>
Update version in the kube repo
cd <kube repo root>/us-east1.buffer-k8s.com/internal/aws-key-auditor
edit cronjob.yaml
Update the image version
image: bufferapp/aws-key-auditor:<the git hash>
Deploy the version
kubectl apply -f cronjob.yaml

Open the environment variables in the kube repo
cd <kube repo root>/us-east1.buffer-k8s.com/internal/aws-key-auditor
edit env
Change the environment variables
Update the environment variables secret
./create-secret.sh