{"id":13821149,"url":"https://github.com/Signiant/LOCK","last_synced_at":"2025-05-16T12:32:40.564Z","repository":{"id":29862612,"uuid":"122995983","full_name":"Signiant/LOCK","owner":"Signiant","description":"Let's Occasionally Circulate Keys","archived":false,"fork":false,"pushed_at":"2025-04-09T13:29:03.000Z","size":141,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-04-20T11:44:18.445Z","etag":null,"topics":["hacktoberfest"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Signiant.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-02-26T16:20:08.000Z","updated_at":"2025-04-09T13:29:01.000Z","dependencies_parsed_at":"2025-04-04T17:25:25.591Z","dependency_job_id":"c85381ad-1dbc-433b-86bf-58b00006a4aa","html_url":"https://github.com/Signiant/LOCK","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Signiant%2FLOCK","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Signiant%2FLOCK/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Signiant%2FLOCK/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Signiant%2FLOCK/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Signiant","download_url":"https://codeload.github.com/Signiant/LOCK/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254530532,"owners_count":22086634,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest"],"created_at":"2024-08-04T08:01:16.348Z","updated_at":"2025-05-16T12:32:35.536Z","avatar_url":"https://github.com/Signiant.png","language":"Python","readme":"# LOCK - Let's Occasionally Circulate Keys\n\nFrom Signiant Operations comes LOCK. LOCK allows you to change user credentials for AWS using a Python script.\n\n# How It Works\nLOCK has 4 main modes that accept an IAM user as an argument or from a YAML configuration file using `-c`.\n\n- `list`: Shows user keys with: Access Key ID, Status, Create Date, Last Used.\n- `rotate`: Rotates the AWS IAM key and updates the key at set locations by running functions sequentially under plugins provided by the config file.\n- `validate`: Checks to see if the new key is being used; if it is, deletes the old key.\n- `getnewkey`: Rotates the AWS IAM key.\n\n## Up and Running\n\n- Install Python 3.6 or higher\n- Clone this repository\n- Run `python3 -m venv .env` to create a virtual environment\n- Run `source .env/bin/activate` to activate the virtual environment\n- Run `python3 -m pip install -r project/config/requirements.txt` to install the dependencies\n- Run from LOCK's root folder\n\n## Running LOCK from the Command Line\n\nTo rotate keys from the command line, use `python3` to run the main script.\nThe config.yaml can be retrieved from another Signiant DevOps engineer.\nThe config.yaml file needs to be modified before use.\n\n```bash\n$ python3 -m main.py -c \"/path/to/config.yaml\" -a rotate -u all\n```\n\n## Running LOCK using Docker 🐳\n\nPull the docker container:\n\n```bash\ndocker pull signiant/lock\n```\n\nRun LOCK using a configuration file:\n\n```bash\ndocker run \\\n   -v /config/config.yaml:/config.yaml \\\n   signiant/lock \\\n        -c /config.yaml\n```\n\nIn this example, we use `-v` to mount `config.yaml` from a local folder to the root directory of the container, then pass `-c` to read and use credentials from the configuration file.\n\n## Debugging\nPass the `-d` flag to the tool to turn on more debug output:\n\n```bash\ndocker run -ti \\\n   -v /config/myconfigfile.yaml:/config.yaml \\\n   signiant/lock \\\n        -c /config.yaml \\\n        -d\n```\n\n## Typical Workflow\nThe tool runs functions sequentially in the order they appear for each different IAM user in the config file.\n\nA typical key rotation scenario consists of deleting an old key and generating a new one (get_new_key), storing the key in the parameter store (store_key_parameter_store), then updating the key where the service uses the credential (ssh_server_command).\n\nHere, `get_new_key` and `store_key_parameter_store` run from the IAM module, then `ssh_server_command` runs from the SSH module.\n\n```\n\n- iam_user1:\n    plugins:\n        - iam:\n           - get_new_key:\n           - store_key_parameter_store\n        - ssh:\n           - ssh_server_command: \n                  hostname: 'your_ssh_server'\n                  user: 'user_name'\n                  password: 'super_secure_password'\n                  port: 22\n                  commands: \n                      - \"sed -i '1s/.*/aws_access_key_id = \u003cnew_key_name\u003e/' /credentials-folder/credentials\"\n                      - \"sed -i '2s/.*/aws_secret_access_key = \u003cnew_key_secret\u003e/' /credentials-folder/credentials\"\n```\n","funding_links":[],"categories":["Python"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSigniant%2FLOCK","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSigniant%2FLOCK","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSigniant%2FLOCK/lists"}