AWS Access Key & Secret Key Rotation via API?

keys
aws
api
security

#1

Hello CircleCI community!

We’re currently internally developing software to automatically rotate AWS access keys on our AWS accounts. This will allow our organization to do low-impact mass key regenerations on a regular schedule for higher security of our AWS account. Is it possible to use the CircleCI API to modify the AWS Access Keys and Secret Keys associated with a project?

I see that I can use the API to read & write the project’s environment variables, which could basically be used to do the same thing. But when a project has an AWS Access Key configured on its configuration UI, it doesn’t appear in the GET to /…/envvar, which makes me believe that using the envvar API is kinda conflicting with how AWS Access Keys are intended to be used on CircleCI.

Thanks all,

Mathieu


#2

Hey @mfenniak,

Thanks for this FR! It’s incredibly timely.

We’ll look into how our AWS integration works.

If you are interested, our team would be interested in a quick interview re: what you are trying to accomplish. We are working on idea of injecting secrets differently and keeping secrets consolidated at an org-level such that you can easily swap out resources based on what a project invokes and what the org says in terms of who/what can access resources.

You can email me at rishi+contexts@circleci.com to discuss more!


#3

Has there been any progress toward adding AWS key management to the API? I’m hoping to achieve the same thing as the original poster above.


#4

Hello,

This is a big blocker for us, too.
We have to rotate AWS keys regularly and not being able to do it in automated way stops us from using CircleCI on wider scale.

Any chance this can be resolved in near future?

Thanks!
Pawel


#5