Keep your AWS Credentials fresh 🍊 on Windows, Mac, Linux (arm or x86)!
Programmatically rotate your AWS IAM access keys and secret. Helpful for automatically ensuring compliance with organization key rotation policies.
Detects your current credential chain and attempts to match it to a credentials file.
If successful, creates remote keys and deletes the old ones, updating your credentials file.
This program fails safe: It will not delete any keys until is has successfully created new ones. Thus, you may need to delete old keys in the console before first using it so that there is a free slot for your new key to be created in.
Schedule itself. Use other tools for that.
Download the latest release,
for your OS and architecture, and either put it in your PATH or somewhere your
scheduler can access both it and your ~/.aws/credentials file. There are no
options and no output for a successful key rotation, but a failure will print
information about the error and exit with a non-zero exit code.
roll-it is also available through a homebrew/linuxbrew tap, however bottling
is limited, so you may need to --build-from-source on installation (which
is painless (thanks Go!) but takes a bit longer).
$ brew tap pckilgore/roll-it
$ brew install roll-it # optionally --build-from-source if no bottle- Auditability:
- No dependencies outside Go standard library and official AWS SDKs. Your associate engineers should be able to determine this program is safe to handle your organization's sensitive credentials.
- Respectful and Safe:
- It should always fail-safe, and try to never leave the user without valid credentials, even if that means console intervention is neccessary for it to begin (or continue) to work.
- Sane defaults:
- It should work out of the box for standard setups, and should not be extended to support exotic setups.
- Cross-Platform:
- Make no assumptions about operating system or scheduler.
- Small & Fast:
- You should never notice it running.
- User Facing:
- Not designed—and should not be used—to rotate server or service keys.
You need to use some other program to schedule execution.
For example, in a user crontab on Apple/Linux, extract the binary to somewhere, and add an entry to your user crontab referencing the executable:
$ crontab -e # Edit to add...
$ crontab -l # Show what was added
50 9 * * 1-5 ~/bin/rollitThat example runs rollit Mon-Fri at 9:50 AM (assuming rollit executable copied
to $HOME/bin).
For more ideas, please use the wiki
(c) 2021 Patrick Kilgore
See LICENSE