From 24bc555494858de03b0a4031db508c078d07b6e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guillaume=20Cor=C3=A9?=
Date: Fri, 17 Nov 2023 13:14:21 +0100
Subject: [PATCH] Detach MFA devices from users
---
 .../tasks/global_manual_cleanup.yml | 28 +++++++++++++------
 1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/playbooks/roles/infra-aws-sandbox/tasks/global_manual_cleanup.yml b/playbooks/roles/infra-aws-sandbox/tasks/global_manual_cleanup.yml
index 87c32c7b..15be9d41 100644
--- a/playbooks/roles/infra-aws-sandbox/tasks/global_manual_cleanup.yml
+++ b/playbooks/roles/infra-aws-sandbox/tasks/global_manual_cleanup.yml
@@ -1,10 +1,20 @@
 ---
-# IAM
-- name: Delete all signing-certificates
- shell: |
- set -e -o pipefail
- for user in $(aws --profile {{ account_profile | quote }} iam list-users --query 'Users[*].UserName' --output text); do
- for cert in $(aws --profile {{ account_profile | quote }} iam list-signing-certificates --user-name $user --query 'Certificates[*].CertificateId' --output text); do
- aws --profile {{ account_profile | quote }} iam delete-signing-certificate --user-name $user --certificate-id $cert
- done
- done
+- environment:
+ AWS_ACCESS_KEY_ID: "{{ assumed_role.sts_creds.access_key }}"
+ AWS_SECRET_ACCESS_KEY: "{{ assumed_role.sts_creds.secret_key }}"
+ AWS_SECURITY_TOKEN: "{{ assumed_role.sts_creds.session_token }}"
+ ignore_errors: true
+ block:
+ # IAM
+ - name: Delete all signing-certificates and MFA devices
+ shell: |
+ set -e -o pipefail
+ for user in $(aws iam list-users --query 'Users[*].UserName' --output text); do
+ for cert in $(aws iam list-signing-certificates --user-name $user --query 'Certificates[*].CertificateId' --output text); do
+ aws iam delete-signing-certificate --user-name $user --certificate-id $cert
+ done
+
+ for k in $( {{ aws_cli }} iam list-mfa-devices --user-name "${user}" --query 'MFADevices[*].SerialNumber' --output text); do
+ {{ aws_cli }} iam deactivate-mfa-device --user-name "${user}" --serial-number $k
+ done
+ done
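Review bot: Because the script runs under `set -e`, the first `deactivate-mfa-device` call that fails aborts the whole user loop, and the block-level `ignore_errors: true` then hides that every user after that one still has an MFA device attached; continuing per device, e.g. `{{ aws_cli }} iam deactivate-mfa-device --user-name "${user}" --serial-number "$k" || echo "could not deactivate $k for ${user}" >&2`, keeps the cleanup complete and the failure visible in the task output. The new MFA loop invokes `{{ aws_cli }}` while the signing-certificate loop a few lines above still calls bare `aws`; with credentials now injected through `environment:`, both loops should use the same invocation so they cannot end up resolving different profiles or binaries (what `aws_cli` expands to is not visible in this hunk). `$k`, and `$user` in the certificate loop, are unquoted whereas the MFA loop quotes `"${user}"`; quote all three for consistency. The environment sets `AWS_SECURITY_TOKEN`, which the CLI honours as a legacy alias, so adding `AWS_SESSION_TOKEN: "{{ assumed_role.sts_creds.session_token }}"` alongside it would use the documented variable name and avoid relying on that compatibility. Note that deactivation only detaches the device from the user; if the sandbox contains virtual MFA devices and the goal is a full wipe, the device resource itself remains until `delete-virtual-mfa-device` is called, and whether this `block:` continues past the end of the hunk is not visible here.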