AWS Plugin
Rotate AWS Passwords and Keys
Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The documentation is linked below:
Commander
Rotation supports legacy and typed records. Additional fields may be added depending on the rotation type as well. See the instructions below.
To run a rotation of AWS Keys, use the `rotate` command in Commander. Pass the command a record title or UID (or use `--match` with a regular expression to rotate several records at once).
The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
| Label | Value | Comment |
| --- | --- | --- |
| `cmdr:plugin` | `awskey` | (Optional) Tells Commander to use AWS Key rotation. This should either be set on the record or supplied to the rotation command. |
| `cmdr:aws_profile` | | (Optional) AWS profile to use to log in to AWS. |
| `cmdr:aws_sync_profile` | | (Optional) If supplied, the AWS secret for the given profile will be updated in the AWS credentials file. |
| `cmdr:aws_assume_role` | AWS Role ARN | (Optional) If supplied, the password rotation plugin assumes this role. The role requires these permissions: `iam:DeleteAccessKey`, `iam:CreateAccessKey`, `iam:ListAccessKeys`. |
After rotation is completed, the Access Key ID and Secret Key are stored in custom fields on the record with labels `cmdr:aws_key_id` and `cmdr:aws_key_secret`.
Any Keeper user or Keeper Shared Folder associated with the record is updated instantly.
| Label | Value |
| --- | --- |
| `cmdr:aws_key_id` | Generated AWS Access Key ID |
| `cmdr:aws_key_secret` | Generated AWS Secret Access Key |

The 'Password' field is ignored when rotating keys.
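A check for the role named in `cmdr:aws_assume_role`, added here as an example and not part of Keeper Commander: it reports whether a policy document allows the three actions listed above and flags anything broader. The sample policies, account ID and user name are constructed placeholders.

```python
import fnmatch
import json

# The three IAM actions the page lists for the cmdr:aws_assume_role role.
REQUIRED = {"iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys"}

# Constructed sample policies; the account ID and user name are placeholders.
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": sorted(REQUIRED),
    "Resource": "arn:aws:iam::111122223333:user/rotation-target"}]})
BROAD = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "iam:*", "Resource": "*"}})


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_rotation_policy(policy_json):
    """Compare a policy's Allow statements with the rotation plugin's needs."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may omit the list
        statements = [statements]
    patterns, excess, wildcard_resource = [], set(), False
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the named actions
            excess.add("NotAction")
        patterns += _as_list(stmt.get("Action"))
        wildcard_resource |= "*" in _as_list(stmt.get("Resource"))
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    missing = sorted(a for a in REQUIRED if not any(
        fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns))
    required_lower = {a.lower() for a in REQUIRED}
    excess |= {p for p in patterns if p.lower() not in required_lower}
    return {"missing": missing, "excess": sorted(excess),
            "wildcard_resource": wildcard_resource}


if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, audit_rotation_policy(doc))
```

An empty `missing` list means rotation has the actions it needs; a non-empty `excess` list or a `wildcard_resource` of `True` means the role can do more than rotate keys for the intended user.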
To run a rotation of AWS passwords, use the `rotate` command in Commander. Pass the command a record title or UID (or use `--match` with a regular expression to rotate several records at once).
The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
| Label | Value | Comment |
| --- | --- | --- |
| `cmdr:plugin` | `awspswd` | (Optional) Tells Commander to use AWS Key rotation. This should either be set on the record or supplied to the rotation command. |
| `cmdr:rules` | | |
| `cmdr:aws_profile` | | (Optional) AWS profile to use to log in to AWS. |
The `Password` field of the Keeper record contains the new password for the AWS account.
See the section for more information on legacy vs typed records
(Optional)