'Find the owner of an AWS Access Key
I have a service which uses an AWS Access Key to push stuff to S3. I am going to sunset the service and I have the AWS Access Key and Secret. However, I can't find this key in the IAM or security credentials for the account.
Is there a way to enumerate all the access keys for an entire AWS account?
Solution 1:[1]
If you don't have access to your account's primary access key, but you do have an access key with sufficient access to IAM, you can enumerate all the users in the account and then list the access keys for each of them. For example:
for user in $(aws iam list-users --output text | awk '{print $NF}'); do
aws iam list-access-keys --user $user --output text
done
Solution 2:[2]
If you just want to find the owner of the Access Key ID, a more straightforward trick is just to use AWS CLI with the key id and key to access a random AWS service. AWS CLI will throw an Access Denied error which has full details of the owner info of the Access Key as shown below:
$ aws iam get-user
An error occurred (AccessDenied) when calling the GetUser operation:
User: arn:aws:iam::xxxxxxx:user/xxxx is not authorized to perform:
iam:GetUser on resource: user xxxxx
From the error message, you will have the account id, the user name.
If the user has permission to access IAM, you will get the full details of the user as below:
{
"User": {
"Path": "/",
"UserName": "xxx",
"UserId": "xxx",
"Arn": "arn:aws:iam::75xxx:user/xxx",
"CreateDate": "2019-09-10T07:10:26+00:00",
"PasswordLastUsed": "2020-05-26T07:51:50+00:00"
}
}
Update
A new command provided by AWS is here:
$ aws sts get-caller-identity
{
"UserId": "AIDASYJLxxxxx",
"Account": "18xxxxxxxxxx",
"Arn": "arn:aws:iam::18xxxxxxxxx:user/xxxxxxx"
}
Solution 3:[3]
Reverse lookup in web console
In case you don't have the patience or confidence to create a script, it's easy to miss that you can do a reverse lookup to find the user who owns a certain key.
https://console.aws.amazon.com/iam/home?region=us-east-1#/users
Solution 4:[4]
I like the solution of Jonathan Kamens but the code returns a list of all keys and theirs owners.
I made a shell script for get the username by Access Key Id. Look:
#!/bin/bash
# exit when the command fails
set -o errexit;
# exit when try to use undeclared var
set -o nounset;
accessKeyToSearch=${1?"Usage: bash $0 AccessKeyId"}
for username in $(aws iam list-users --query 'Users[*].UserName' --output text); do
for accessKeyId in $(aws iam list-access-keys --user-name $username --query 'AccessKeyMetadata[*].AccessKeyId' --output text); do
if [ "$accessKeyToSearch" = "$accessKeyId" ]; then
echo $username;
break;
fi;
done;
done;
You can see also script in my GitHub Gist: https://gist.github.com/cauealvesbraz/1121c0a0375648db13b137b31ef8955d
Solution 5:[5]
To answer the question posed in the title "Find the owner of an AWS Access Key", check the owner, and therefore the existence of a key with:
aws iam get-access-key-last-used --access-key-id $AWS_ACCESS_KEY_ID --query 'UserName' --output text
Note that it will return an exit code of zero if found, and non-zero if not. This was the approach suggested in a comment to the current accepted answer by @dols3m, and more details are in the docs for get-access-key-last-used.
To enumerate all keys in an account, do this:
for user in $(aws iam list-users --query 'Users[*].UserName' --output text); do
aws iam list-access-keys --user $user --query "AccessKeyMetadata[].AccessKeyId" --output text
done
See the docs for list-users and list-access-keys for more info.
Solution 6:[6]
You can use the AWS command line interface to enumerate all access keys for a particular account.
The steps are shown here with a few examples.
If you don't specify an IAM user-name and are using your account's primary access key to trigger the request, it should list all those associated with your AWS account.
Solution 7:[7]
? aws --profile my-aws-account iam get-user
{
"User": {
"Path": "/",
"UserName": "my-username",
"UserId": XXXXXX",
"Arn": "arn:aws:iam::000000000000:user/my-username",
"CreateDate": "2019-10-27T08:53:53Z"
}
}
aws iam get-user --query 'User.Arn'
Solution 8:[8]
You can list all access keys by the following command:
aws iam list-access-keys
then you can grep it by the user.
To list just a keys, try (increase 100
if you've more users):
while read meta key date status user; do
echo $key;
done < <(aws iam list-access-keys --output text --page-size 100)
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Jonathan Kamens |
Solution 2 | |
Solution 3 | |
Solution 4 | Cau |
Solution 5 | harschware |
Solution 6 | Nikhil |
Solution 7 | Pierozi |
Solution 8 | kenorb |