AWS Plugin
Rotate AWS Passwords and Keys
Keeper has launched a new Password Rotation feature with Keeper Secrets Manager. This new capability is recommended for all password rotation use cases. The Documentation is linked below:
Password Rotation with Keeper Secrets Manager
Prerequisites
1. Install AWS CLI package
2. Configure AWS CLI package
Install AWS CLI if necessary
Configure AWS Connection with the AWS CLI
You need to configure your AWS environment on the environment with an account that has administrative privileges in order to modify the Password for the specified user.
Prepare Records for Rotation
Create a Record for Rotation
Rotation supports legacy and typed records. Additional fields may be added depending on the rotation type as well. See the instructions below.
See the Troubleshooting section for more information on legacy vs typed records
Rotation Types
Rotate AWS Keys
To run a rotation of AWS Keys, use the rotate
command in Commander. Pass the command a record title or UID (or use --match
with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options below). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
Additional Rotation Options
The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
For an easier time creating new AWS rotation records, create a custom record type with the text type fields defined
Label | Value | Comment |
---|---|---|
cmdr:plugin | awskey | (Optional) Tells Commander to use AWS Key rotation. This should be either set to the record, or supplied to the rotation command |
cmdr:aws_profile | (Optional) AWS profile to use to login to AWS with | |
cmdr:aws_sync_profile | (Optional) if supplied, the AWS secret for the given profile will be updated to the AWS credentials file | |
cmdr:aws_assume_role | AWS Role ARN | (Optional) if supplied, the password rotation plugin assumes this role. The role requires these permissions:
|
Output
After rotation is completed, the Access Key ID and Secret Key are stored in custom fields on the record with labels: cmdr:aws_key_id
and cmdr:aws_key_secret
.
Any Keeper user or Keeper Shared Folder associated with the record is updated instantly.
Label | Value |
---|---|
cmdr:aws_key_id | generated AWS Access Key ID |
cmdr:aws_key_secret | generated AWS Secret Access Key |
The 'Password' field is ignored when rotating keys
Rotate AWS Passwords
To run a rotation of AWS passwords, use the rotate
command in Commander. Pass the command a record title or UID (or use --match
with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options below). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
Additional Rotation Options
The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
Name | Value | Comment |
---|---|---|
cmdr:plugin | awspswd | (Optional) Tells Commander to use AWS Key rotation. This should be either set to the record, or supplied to the rotation command |
cmdr:rules | (Optional) password complexity rules | |
cmdr:aws_profile | (Optional) AWS profile to use to login to AWS with |
Output
The Password
field of the Keeper record contains a new password to AWS account.
Last updated