DEV Community: Niresh Prabu A

Automate AWS Access Key Rotation with GitHub Actions

Niresh Prabu A — Tue, 15 Jul 2025 08:23:30 +0000

Managing AWS credentials securely is crucial in any cloud-native application. Long-lived credentials can be a major security risk if not rotated regularly. In this post, we’ll automate AWS IAM access key rotation using GitHub Actions — and even trigger a production deployment after successful rotation.

Why Rotate AWS Access Keys?

AWS recommends rotating access keys every 90 days (or sooner) to:

Reduce the risk of key leakage
Prevent old keys from being used after a breach
Align with security audits and compliance requirements
Enforce good DevSecOps practicesAWS_ACCESS_KEY_ID_DEV

Instead of rotating keys manually, we can automate the entire process using GitHub Actions.

What We'll Do

Use softprops/aws-credential-rotary to rotate keys

Use repository_dispatch to trigger a downstream deployment pipeline

Keep environment-specific secrets updated

Follow clear naming conventions

Prerequisites

Before you begin, make sure you have:

An IAM user with programmatic access

Proper permissions to rotate and update access keys

A GitHub repository

Access to GitHub Secrets

IAM Permissions Required
Your IAM user (or role) needs the following permissions to rotate access keys:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccessKeys",
        "iam:DeleteAccessKey",
        "iam:CreateAccessKey",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::<ACCOUNT_ID>:user/<IAM_USER_NAME>"
    }
  ]
}

Make sure to replace and with your actual values.

GitHub Secrets Naming Convention (Clear & Environment-Specific)

Store the following secrets in your GitHub repository:

AWS_ACCESS_KEY_ID_DEV: IAM Access Key ID (Dev)
AWS_SECRET_ACCESS_KEY_DEV: IAM Secret Access Key (Dev)
AWS_ACCESS_KEY_ID_PROD: IAM Access Key ID (Production)
AWS_SECRET_ACCESS_KEY_PROD: IAM Secret Access Key (Production)
AWS_KEYS_ROTATION_TOKEN: GitHub token with repo scope

To add these:

Go to your GitHub repo → Settings → Secrets and variables → Actions

Click New repository secret

Benefits of This Naming Convention:

Consistent with AWS naming
Easy to script with
Clear which secret belongs to which environment
Looks clean in workflows and secret lists

AWS Key Rotation Workflow (.github/workflows/rotate-aws-keys.yml)

name: Rotate AWS Keys

on:
  schedule:
    - cron: '0 1 * * 0'  # Every Sunday at 1 AM UTC

jobs:
  rotate-aws-keys:
    name: Rotate AWS Keys
    runs-on: ubuntu-latest
    steps:
      - name: Rotate AWS credentials - Dev
        uses: softprops/aws-credential-rotary@v1
        env:
          GITHUB_TOKEN: ${{ secrets.AWS_KEYS_ROTATION_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_DEV }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_DEV }}
        with:
          github-access-key-id-name: 'AWS_ACCESS_KEY_ID_DEV'
          github-secret-access-key-name: 'AWS_SECRET_ACCESS_KEY_DEV'

      - name: Rotate AWS credentials - Prod
        uses: softprops/aws-credential-rotary@v1
        env:
          GITHUB_TOKEN: ${{ secrets.AWS_KEYS_ROTATION_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_PROD }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_PROD }}
        with:
          github-access-key-id-name: 'AWS_ACCESS_KEY_ID_PROD'
          github-secret-access-key-name: 'AWS_SECRET_ACCESS_KEY_PROD'

      - name: Trigger Production Deployment
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          event-type: trigger-prod-deployment

This job:

Rotates both Dev and Prod IAM keys
Automatically updates the respective GitHub secrets
Triggers a production deployment using the repository_dispatch event

Deployment Workflow Listener
To listen for the event triggered after rotation, you’ll need this in your production deployment workflow:

name: Build & Deploy Application on Prod

on:
  workflow_dispatch:
  repository_dispatch:
    types: [trigger-prod-deployment]
  push:
    branches:
      - main
      - master

permissions:
  id-token: write
  contents: read

This ensures your prod deployment only runs:

On demand
On push to main/master
Or after key rotation

Why This Setup Works

Keeps your secrets rotated and fresh
Supports multiple environments (Dev & Prod)
Triggers deployment after a secure rotation
Keeps credentials safely in GitHub Secrets

Final Thoughts

Automating IAM key rotation is a must-have for any production-grade AWS setup. By combining GitHub Actions, good naming conventions, and secret rotation plugins, you can eliminate manual errors and reduce your attack surface.

Comprehensive Guide to Integrating SonarCloud with GitHub Projects

Niresh Prabu A — Tue, 13 Aug 2024 12:31:02 +0000

This blog post exemplifies how to integrate SonarCloud with GitHub to enhance code quality and security in your projects.

Sonarcloud

SonarCloud is a Software-as-a-Service (SaaS) code analysis tool designed to detect coding issues in 30+ languages, frameworks, and IaC platforms. By integrating directly with your CI pipeline or one of the supported DevOps platforms, your code is checked against an extensive set of rules that cover many attributes of code, such as maintainability, reliability, and security issues, on each merge/pull request.

Why SonarCloud Integration with GitHub is Essential for Your Projects

Integrating SonarCloud with GitHub is essential for maintaining high code quality and security in your projects. By automatically analyzing your code with every commit, SonarCloud identifies issues like bugs, code smells, and vulnerabilities early in the development process. This integration helps ensure that only clean, reliable code gets merged, reducing technical debt and preventing potential security risks. Ultimately, it fosters a culture of continuous improvement and accountability, leading to more robust and maintainable software

Prerequisites

Before integrating SonarCloud with your GitHub projects, there are a couple of prerequisites to ensure a smooth setup process:

Admin Access to the GitHub Repository:
- You must have administrative access to the GitHub repository you wish to integrate with SonarCloud. This access is necessary to configure repository settings, add secrets, and link the repository with SonarCloud.
SonarCloud Account Setup:
- You need to have a SonarCloud account to proceed. If you don't have one, you can easily set it up by signing in with your GitHub account. This method simplifies the process by directly linking your GitHub repositories to SonarCloud, making it easier to manage projects and streamline the integration process. Visit SonarCloud and choose the "Sign in with GitHub" option to create your account and get started.

Step-by-Step Guide: GitHub Integration with SonarCloud
a. Linking SonarCloud with GitHub

Sign in to SonarCloud: Go to SonarCloud and sign in using your GitHub account.
Create a new organization: Navigate to the "My Organizations" tab and create a new organization linked to your GitHub account.

Import your GitHub repository: After creating the organization, select "Analyze new project" and choose the GitHub repository you want to integrate with SonarCloud.

b. Generating and Adding Sonar Token in GitHub Secrets

Generate a Sonar Token:
- In SonarCloud, go to your account settings and generate a new token under "Security".
- Copy the token to a secure location.

Add Sonar Token to GitHub Secrets:
- In your GitHub repository, navigate to Settings > Secrets and variables > Actions.
- Click on New repository secret and name it SONAR_TOKEN.
- Paste the Sonar token generated earlier into the value field and save it.

4. CI/CD Pipeline Integration
a. Setting Up the CI/CD Pipeline:

Modify Your YAML File: In your repository, create or modify the .github/workflows/deployment.yml file to include SonarCloud analysis steps. Include this sonarcloud code scan step in the deployment yaml file.

Example configuration:

  SonarCloudSCan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
            fetch-depth: 0
      - name: SonarCloud Scan
        uses: sonarsource/sonarcloud-github-action@master
        env:
            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
            SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
              -Dsonar.organization=<your-organization-name>
              -Dsonar.projectKey=<your-project-key>
              -Dsonar.qualitygate.wait=true
              -X

5. Ensuring Code Quality Before Deployment

To ensure that your deployment only occurs when your code passes all quality checks, it's essential to add dependencies to your deployment step. This will prevent deployment if the code check fails, thereby maintaining the integrity and security of your application.

In your CI/CD pipeline configuration (.yml file), include the following step to make sure the deployment only happens after the SonarCloud scan are successful:

Deploy:
  needs: 
    - SonarCloudScan

jobs:
  SonarCloudSCan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
            fetch-depth: 0
      - name: SonarCloud Scan
        uses: sonarsource/sonarcloud-github-action@master
        env:
            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
            SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
              -Dsonar.organization=tridentsqa
              -Dsonar.projectKey=TridentSQA_pmo-api
              -Dsonar.qualitygate.wait=true
              -X

   Deploy:
    needs: 
      - SonarCloudSCan
    name: deploy the new image in ECS
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v1

 # Remaining deployment steps...........
....................................

6. Project Code Scan and Issue Resolution

After successfully integrating SonarCloud with your GitHub repository and setting up the CI/CD pipeline, your project's code will be automatically scanned by SonarCloud with every commit or pull request.

a. Viewing the Scan Results:

Access the SonarCloud Dashboard: From your dashboard, select the project that has been integrated with GitHub.
Review the Analysis Overview: The dashboard provides an overview of the code quality, including metrics like code coverage, bugs, vulnerabilities, and code smells.

Examine Detailed Reports: Click on specific issues to view detailed descriptions, including the lines of code affected and suggestions for fixing them.

b. Resolving Issues:

Prioritize Critical Issues: Start by addressing bugs and security vulnerabilities, as these can impact the stability and security of your application.
Follow SonarCloud's Recommendations: Each issue identified by SonarCloud comes with a recommended solution. Implement these fixes in your codebase.
Re-run the Analysis: After resolving issues, push your changes to GitHub. The CI/CD pipeline will trigger a new SonarCloud scan, and the updated results will be reflected in the dashboard.
Ensure Quality Gates are Passed: Quality gates are thresholds set in SonarCloud to enforce code quality standards. Make sure your project passes these gates before considering the work complete.