{"id":19769354,"url":"https://github.com/abiydv/sls-password-link","last_synced_at":"2026-05-16T07:11:33.761Z","repository":{"id":177337880,"uuid":"179483181","full_name":"abiydv/sls-password-link","owner":"abiydv","description":"Serverless stack to enable users to reset own passwords and retrieve it using a single use url.","archived":false,"fork":false,"pushed_at":"2019-04-06T10:45:45.000Z","size":28,"stargazers_count":2,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-02-28T11:04:13.245Z","etag":null,"topics":["aws","aws-apigateway","aws-lambda","aws-ssm","serverless","serverless-framework"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/abiydv.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-04-04T11:20:54.000Z","updated_at":"2022-04-18T10:34:34.000Z","dependencies_parsed_at":null,"dependency_job_id":"32487c14-777e-4871-b970-bc2d21ffe130","html_url":"https://github.com/abiydv/sls-password-link","commit_stats":null,"previous_names":["abiydv/sls-password-link"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/abiydv/sls-password-link","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abiydv%2Fsls-password-link","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abiydv%2Fsls-password-link/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abiydv%2Fsls-password-link/releases","manifests_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abiydv%2Fsls-password-link/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/abiydv","download_url":"https://codeload.github.com/abiydv/sls-password-link/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abiydv%2Fsls-password-link/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33093753,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-16T04:41:52.686Z","status":"ssl_error","status_checked_at":"2026-05-16T04:41:52.009Z","response_time":115,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-apigateway","aws-lambda","aws-ssm","serverless","serverless-framework"],"created_at":"2024-11-12T04:42:31.292Z","updated_at":"2026-05-16T07:11:33.751Z","avatar_url":"https://github.com/abiydv.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Serverless: Self-service : Reset password and retrieve it using one time link 
\n\n![serverless](https://github.com/abiydv/ref-docs/blob/master/images/logos/serverless_small.png)\n![py](https://github.com/abiydv/ref-docs/blob/master/images/logos/python_small.png)\n![cli](https://github.com/abiydv/ref-docs/blob/master/images/logos/aws-cli_small.png)\n![aws-lambda](https://github.com/abiydv/ref-docs/blob/master/images/logos/aws-lambda_small.png)\n![aws-apigateway](https://github.com/abiydv/ref-docs/blob/master/images/logos/aws-apig_small.png)\n![aws-ses](https://github.com/abiydv/ref-docs/blob/master/images/logos/aws-ses_small.png)\n![aws-ssm](https://github.com/abiydv/ref-docs/blob/master/images/logos/aws-ssm_small.png)\n\n## BACKGROUND\nAs often happens, users have to reset their password for different systems. Sending these passwords over email is not secure. I wrote this small utility which resets a user password, saves it in the AWS Parameter Store, and emails a dynamically generated link to the user to extract the password. As soon as the user extracts this password, it is no longer possible to retrieve it again. The link stops working. Once set up and running, it does not need any manual intervention from admin teams.\n\nAn example use case is to allow IAM users to reset their passwords if they forget them rather than requesting someone else (admin team, maybe?) to do it.\n\nNeedless to say, this is NOT a full-blown solution, as you will need to take care of authentication and authorization of the API (currently it is public). Treat this more as a proof of concept to use/implement using native AWS services without adopting any additional tools.\n\n## ARCHITECTURE\nThis is a simplified view of the components being used. It is fairly lightweight and, as part of a bigger setup, it probably wouldn't even be noticed w.r.t. cost.\n![arch](https://github.com/abiydv/ref-docs/blob/master/images/arch/GH_PWD_LINK.png)\n\n## BEFORE YOU BEGIN\n#### 1. Serverless. 
\nInstall serverless by following this [guide](https://serverless.com/framework/docs/providers/aws/guide/installation/)\n  \n#### 2. AWS CLI\nSet up the AWS CLI with profiles matching environments/stages. A sample `~/.aws/credentials` file - \n```\n[dev]\naws_access_key_id = DEV_ACCESS_KEY\naws_secret_access_key = DEV_SECRET_KEY\n```\n\n## PREREQUISITES/ASSUMPTIONS \nYou can obviously tweak the solution to work for you, but for it to work right out of the box, the following should be available\n - The IAM user should exist.\n - The IAM username should be the user's email.\n - You should be out of SES sandbox mode, otherwise users will not receive the email with the link.\n\n## USAGE\n#### 1. Deploy the service \nDeploy the service. Use `--stage=qa|prod` to deploy the service in stages other than `dev`.\n```\nsls deploy -v\n```\n\n#### 2. Generate the password\nHit the API Gateway endpoint URL `https://apiendpoint.execute-api.region.amazonaws.com/dev/generate?user=username` with the query string `user=username` to generate the password. This will give you an output like this - \n```\nYour request has been submitted\n\nPlease check your email for further details\n```\n\nA sample email\n```\nFrom: no-reply@example.com\nSent: Monday, April 01, 2000 1:00 PM\nTo: username@example.com\nSubject: CONFIDENTIAL: Account information\n\nYou can retrieve your password from the link below. \n\nhttps://apiendpoint.execute-api.region.amazonaws.com/dev/extract?ph=2000040113001245\u0026rs=i093tN.3UOIW1YZsMi \n\nNOTE: This link is valid for a single use only. \n```\n\n#### 3. Extract the password\nUsing the link mentioned in the email `https://apiendpoint.execute-api.region.amazonaws.com/dev/extract?ph=2000040113001245\u0026rs=i093tN.3UOIW1YZsMi`, you can extract the password. 
This will give you an output like - \n```\nYour temporary password\n\nPlease use this to login and change your password\n\nABCD_\u0026abcd99 \n```\n\nIf you hit the same URL again, it should now give you an error - \n```\nInvalid!\n\nThis link is expired or has been already used once\n```\n\n#### 4. Cleanup\n:rocket: Nuke the setup after you are done testing/looking.\n```\nsls remove -v\n```\n\n## SECURITY \nSince this is a mere proof-of-concept solution, before deploying it to a live environment, you should consider implementing security measures like (listing a few, there may be more) -\n - Authentication and authorization of the API, maybe using AWS Cognito.\n - Restricting the API to within your corporate network using WAF IP-based rules.\n - Restricting the Lambda role's IAM permissions to the least possible, removing any * in the policy.\n - Using a custom KMS key for encryption and tightly controlling access to this key using IAM policies.\n \n## CONTACT\nDrop me a note or open an issue if something doesn't work out.\n\nCheers! :thumbsup:\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabiydv%2Fsls-password-link","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fabiydv%2Fsls-password-link","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabiydv%2Fsls-password-link/lists"}