DEV Community

Niresh Prabu A


Automate AWS Access Key Rotation with GitHub Actions

Managing AWS credentials securely is crucial in any cloud-native application. Long-lived credentials can be a major security risk if not rotated regularly. In this post, we’ll automate AWS IAM access key rotation using GitHub Actions — and even trigger a production deployment after successful rotation.

Why Rotate AWS Access Keys?

AWS recommends rotating access keys regularly; the IAM console and the Security Hub IAM control both flag keys older than 90 days, so rotate at least that often to:

  • Limit how long a leaked key stays usable
  • Stop old keys from being used after a breach
  • Satisfy security audits and compliance requirements
  • Enforce good DevSecOps practices

Instead of rotating keys manually, we can automate the entire process using GitHub Actions.

What We'll Do

  • Use softprops/aws-credential-rotary to rotate keys
  • Use repository_dispatch to trigger a downstream deployment pipeline
  • Keep environment-specific secrets updated
  • Follow clear naming conventions

Prerequisites

Before you begin, make sure you have:

  • An IAM user with programmatic access
  • Proper permissions to rotate and update access keys
  • A GitHub repository
  • Access to GitHub Secrets

IAM Permissions Required
Only IAM users have access keys, so the permissions go on the user whose keys are rotated, scoped to that same user. Note that the workflow authenticates with the very key it is about to replace, so the user needs these permissions on itself:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccessKeys",
        "iam:DeleteAccessKey",
        "iam:CreateAccessKey",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::<ACCOUNT_ID>:user/<IAM_USER_NAME>"
    }
  ]
}

Make sure to replace <ACCOUNT_ID> and <IAM_USER_NAME> with your actual values. If several users share one policy, use the policy variable ${aws:username} in place of a fixed user name so that each user can rotate only its own keys.

GitHub Secrets Naming Convention (Clear & Environment-Specific)

Store the following secrets in your GitHub repository:

  • AWS_ACCESS_KEY_ID_DEV: IAM Access Key ID (Dev)
  • AWS_SECRET_ACCESS_KEY_DEV: IAM Secret Access Key (Dev)
  • AWS_ACCESS_KEY_ID_PROD: IAM Access Key ID (Production)
  • AWS_SECRET_ACCESS_KEY_PROD: IAM Secret Access Key (Production)
  • AWS_KEYS_ROTATION_TOKEN: a GitHub personal access token that can write repository secrets (a classic token with the repo scope, or a fine-grained token with Secrets: write). The workflow's built-in GITHUB_TOKEN has no permission to update secrets, which is why a separate token is needed; treat it as a high-value secret, since whoever holds it can rewrite every secret in the repository.

To add these:

  • Go to your GitHub repo → Settings → Secrets and variables → Actions
  • Click New repository secret

Benefits of This Naming Convention:

  • Consistent with AWS naming
  • Easy to script with
  • Clear which secret belongs to which environment
  • Looks clean in workflows and secret lists

AWS Key Rotation Workflow (.github/workflows/rotate-aws-keys.yml)

name: Rotate AWS Keys

on:
  schedule:
    - cron: '0 1 * * 0'  # Every Sunday at 1 AM UTC

# The dispatch step below uses the built-in GITHUB_TOKEN, which needs
# contents: write to create a repository_dispatch event. Without this the
# step fails on repositories whose default token permissions are read-only.
permissions:
  contents: write

jobs:
  rotate-aws-keys:
    name: Rotate AWS Keys
    runs-on: ubuntu-latest
    steps:
      - name: Rotate AWS credentials - Dev
        uses: softprops/aws-credential-rotary@v1
        env:
          # PAT that can write repository secrets (GITHUB_TOKEN cannot)
          GITHUB_TOKEN: ${{ secrets.AWS_KEYS_ROTATION_TOKEN }}
          # The action authenticates with the key it is about to replace
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_DEV }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_DEV }}
        with:
          # Names of the repository secrets overwritten with the new key pair
          github-access-key-id-name: 'AWS_ACCESS_KEY_ID_DEV'
          github-secret-access-key-name: 'AWS_SECRET_ACCESS_KEY_DEV'

      - name: Rotate AWS credentials - Prod
        uses: softprops/aws-credential-rotary@v1
        env:
          GITHUB_TOKEN: ${{ secrets.AWS_KEYS_ROTATION_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_PROD }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_PROD }}
        with:
          github-access-key-id-name: 'AWS_ACCESS_KEY_ID_PROD'
          github-secret-access-key-name: 'AWS_SECRET_ACCESS_KEY_PROD'

      # Steps run in order and stop on the first failure, so this only
      # fires when both rotations succeeded. repository_dispatch is one of
      # the two event types that GITHUB_TOKEN is allowed to trigger.
      - name: Trigger Production Deployment
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          event-type: trigger-prod-deployment  # must match the listener's types


This job:

  • Rotates the Dev and then the Prod IAM keys; the steps run in order, so a failed Dev rotation skips the Prod rotation and the deployment
  • Automatically updates the respective GitHub secrets with the new key pair
  • Triggers a production deployment using the repository_dispatch event, so the next deploy picks up the fresh credentials
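The rotation the job above delegates to the action, and the IAM calls listed in the permissions policy earlier, are easier to reason about when written out as one explicit verify-before-retire sequence. The following is an added example, not code from the post or from softprops/aws-credential-rotary. It uses boto3's IAM method names and keyword arguments so that boto3.client("iam") drops in for the FakeIAM stand-in; the user name ci-deployer, the key ids, and the function names are made up for the example.

```python
"""Verify-before-retire rotation of one IAM user's access key.

Added example, not code from the post or from softprops/aws-credential-rotary.
Method names and keyword arguments follow boto3's IAM client, so a real
boto3.client("iam") can be passed as `iam`; FakeIAM is a constructed offline
stand-in. User name and key ids are made up.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

MAX_KEYS_PER_USER = 2  # AWS allows at most two access keys per IAM user


@dataclass(frozen=True)
class AccessKey:
    access_key_id: str
    secret_access_key: str


class RotationError(Exception):
    """Raised when rotation stops with the old key still active."""


def rotate_access_key(iam, user_name: str, current_key_id: str,
                      verify: Callable[[AccessKey], bool],
                      publish: Callable[[AccessKey], None]) -> AccessKey:
    """Create a new key, verify it, publish it, then deactivate the old one.

    current_key_id is the key the caller is running with, i.e. the one being
    replaced. The old key is only deactivated (reversible); the two-key
    cleanup at the start of the next run deletes it, giving a grace period.
    """
    existing: List[Dict] = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= MAX_KEYS_PER_USER:
        # No room for a new key: remove the previous run's inactive key. Never
        # delete the key we are authenticated with, or rotation strands itself.
        inactive = [k for k in existing
                    if k["AccessKeyId"] != current_key_id and k["Status"] == "Inactive"]
        if not inactive:
            raise RotationError("two keys exist and neither is safe to delete")
        iam.delete_access_key(UserName=user_name, AccessKeyId=inactive[0]["AccessKeyId"])

    created = iam.create_access_key(UserName=user_name)["AccessKey"]
    new_key = AccessKey(created["AccessKeyId"], created["SecretAccessKey"])

    # A fresh key can take several seconds to propagate, so a real verify()
    # should retry sts:GetCallerIdentity for a short while before giving up.
    if not verify(new_key):
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_key.access_key_id)
        raise RotationError("new key failed verification; old key left active")

    publish(new_key)  # e.g. overwrite both GitHub repository secrets
    iam.update_access_key(UserName=user_name, AccessKeyId=current_key_id,
                          Status="Inactive")
    return new_key


class FakeIAM:
    """Constructed stand-in for boto3's IAM client, enforcing the two-key limit."""

    def __init__(self, keys: Dict[str, str]):
        self.keys = dict(keys)  # AccessKeyId -> "Active" | "Inactive"
        self.created = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": k, "Status": s}
            for k, s in self.keys.items()]}

    def create_access_key(self, UserName):
        if len(self.keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded")  # boto3 raises a ClientError here
        self.created += 1
        key_id = f"AKIAEXAMPLE{self.created:05d}"  # made-up key id
        self.keys[key_id] = "Active"
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "Status": "Active",
                              "SecretAccessKey": f"secret-{self.created}"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def two_rotations(verify_second: bool = True):
    """Run two consecutive rotations for the made-up user ci-deployer."""
    iam = FakeIAM({"AKIAOLD00000000001": "Active"})
    published: List[AccessKey] = []
    first = rotate_access_key(iam, "ci-deployer", "AKIAOLD00000000001",
                              verify=lambda k: True, publish=published.append)
    try:
        rotate_access_key(iam, "ci-deployer", first.access_key_id,
                          verify=lambda k: verify_second, publish=published.append)
    except RotationError:
        pass  # second rotation rolled back; first key stays active
    return iam.keys, [k.access_key_id for k in published]


if __name__ == "__main__":
    print(two_rotations())
```

With a real client, verify() should build an STS client from the new key and retry get_caller_identity for ten to fifteen seconds, because a just-created key can be rejected while it propagates; publish() should write both values through the repository secrets API, which expects each value sealed with the repository's public key (PyNaCl's SealedBox does this). Deactivating rather than deleting the old key means a consumer you forgot about fails loudly instead of silently, can be repaired by flipping the key back to Active, and is cleaned up by the following run.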

Deployment Workflow Listener
To listen for the event triggered after rotation, you’ll need this in your production deployment workflow:

name: Build & Deploy Application on Prod

on:
  workflow_dispatch:                    # manual run from the Actions tab
  repository_dispatch:
    types: [trigger-prod-deployment]    # must match event-type in the rotation workflow
  push:
    branches:
      - main
      - master

permissions:
  id-token: write   # only needed if a job assumes an AWS role through OIDC
  contents: read

# jobs: your build and deploy jobs go here

This ensures your prod deployment only runs:

  • On demand (workflow_dispatch)
  • On push to main/master
  • Or after key rotation (repository_dispatch)

Two details worth knowing: a repository_dispatch event always runs the workflow file from the default branch, whichever branch last changed it, and id-token: write is the permission for GitHub's OIDC token, so it is only needed if a job assumes an AWS role that way; a job that only uses the rotated AWS_*_PROD secrets can drop it.

Why This Setup Works

  • Keeps your secrets rotated and fresh
  • Supports multiple environments (Dev & Prod)
  • Triggers deployment only after a successful rotation, so a broken rotation never ships
  • Keeps credentials in GitHub Secrets rather than in files or in the workflow itself

One caveat: the action updates only the copies held in GitHub Secrets. Any other place the old key was used (a laptop, a server, another repository) stops working as soon as that key is retired, so give each consumer its own IAM user.

Final Thoughts

Automating IAM key rotation is a must-have for any production-grade AWS setup. By combining GitHub Actions, good naming conventions, and secret rotation plugins, you can eliminate manual errors and shrink the window in which a leaked key is useful. Where the only consumer is GitHub Actions itself, going one step further and assuming an IAM role through GitHub's OIDC provider (aws-actions/configure-aws-credentials with a role ARN) removes the long-lived key entirely, and with it the need to rotate anything.
