Managing AWS credentials securely is crucial in any cloud-native application. Long-lived credentials can be a major security risk if not rotated regularly. In this post, we’ll automate AWS IAM access key rotation using GitHub Actions — and even trigger a production deployment after successful rotation.
Why Rotate AWS Access Keys?
AWS recommends rotating access keys every 90 days (or sooner) to:
- Reduce the risk of key leakage
- Prevent old keys from being used after a breach
- Align with security audits and compliance requirements
- Enforce good DevSecOps practices
Instead of rotating keys manually, we can automate the entire process using GitHub Actions.
What We'll Do
Use softprops/aws-credential-rotary to rotate keys
Use repository_dispatch to trigger a downstream deployment pipeline
Keep environment-specific secrets updated
Follow clear naming conventions
Prerequisites
Before you begin, make sure you have:
An IAM user with programmatic access
Proper permissions to rotate and update access keys
A GitHub repository
Access to GitHub Secrets
IAM Permissions Required
Your IAM user (or role) needs the following permissions to rotate access keys. Scope the Resource to the one user whose keys are being rotated, so that a leaked rotation credential cannot mint or delete keys for any other principal:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccessKeys",
        "iam:DeleteAccessKey",
        "iam:CreateAccessKey",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::<ACCOUNT_ID>:user/<IAM_USER_NAME>"
    }
  ]
}
Make sure to replace <ACCOUNT_ID> and <IAM_USER_NAME> with your actual values. Two things to keep in mind: IAM allows at most two access keys per user, so CreateAccessKey fails with LimitExceeded if a stale second key is still lying around; and iam:UpdateAccessKey is what lets you set the old key to Inactive before deleting it, which gives you a cheap rollback if something turns out to still depend on it.
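To make the 90-day rule and the four IAM actions above concrete, here is the rotation procedure written out step by step. This is an added example, not code from the post or from softprops/aws-credential-rotary. It runs against a constructed in-memory stand-in for the IAM API (FakeIAM), whose method names and keyword arguments mirror the real boto3 IAM client (list_access_keys, create_access_key, update_access_key, delete_access_key), so the same functions work with boto3.client("iam") substituted. The store_secret and verify hooks, the user name ci-deployer and the sample key IDs are assumptions for illustration.

```python
# Added example: the rotation the IAM policy above authorizes, run offline
# against a constructed stand-in for the IAM API. Not the rotary action's code.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets
import string

MAX_KEYS_PER_USER = 2                 # hard IAM quota: two access keys per user
DEFAULT_MAX_AGE = timedelta(days=90)  # the rotation interval recommended above


@dataclass
class AccessKey:
    access_key_id: str
    secret_access_key: str
    status: str            # "Active" or "Inactive"
    create_date: datetime


class FakeIAM:
    """Constructed stand-in for a boto3 IAM client; same method names and shapes."""

    def __init__(self, user_name, keys=()):
        self.user_name = user_name
        self._keys = {k.access_key_id: k for k in keys}
        self.calls = []    # IAM actions exercised, to compare against the policy

    def list_access_keys(self, UserName):
        self.calls.append("iam:ListAccessKeys")
        return {"AccessKeyMetadata": [
            {"AccessKeyId": k.access_key_id, "Status": k.status, "CreateDate": k.create_date}
            for k in self._keys.values()]}

    def create_access_key(self, UserName):
        self.calls.append("iam:CreateAccessKey")
        if len(self._keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: quota of 2 access keys per user reached")
        alphabet = string.ascii_uppercase + string.digits
        key = AccessKey("AKIA" + "".join(secrets.choice(alphabet) for _ in range(16)),
                        secrets.token_urlsafe(30), "Active", datetime.now(timezone.utc))
        self._keys[key.access_key_id] = key
        return {"AccessKey": {"AccessKeyId": key.access_key_id,
                              "SecretAccessKey": key.secret_access_key}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append("iam:UpdateAccessKey")
        self._keys[AccessKeyId].status = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.calls.append("iam:DeleteAccessKey")
        del self._keys[AccessKeyId]


def stale_keys(iam, user_name, max_age=DEFAULT_MAX_AGE, now=None):
    """IDs of keys older than max_age: the audit check behind the 90-day rule."""
    now = now or datetime.now(timezone.utc)
    meta = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    return [m["AccessKeyId"] for m in meta if now - m["CreateDate"] > max_age]


def rotate(iam, user_name, current_key_id, store_secret, verify=lambda key_id, secret: True):
    """Replace current_key_id with a fresh key and return the new key ID.

    store_secret(key_id, secret) publishes the new pair (a GitHub secret in the
    post's setup, assumed here); verify(key_id, secret) reports whether the new
    key works. The old key is retired only after the new one is verified and
    stored, so any failure leaves the old key active and the pipeline working.
    """
    meta = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(meta) >= MAX_KEYS_PER_USER:
        # No free slot: remove leftover keys, but never an Active one we did
        # not create, since something else may still be using it.
        for m in meta:
            if m["AccessKeyId"] == current_key_id:
                continue
            if m["Status"] == "Active":
                raise RuntimeError(f"unexpected active key {m['AccessKeyId']}; rotate it by hand")
            iam.delete_access_key(UserName=user_name, AccessKeyId=m["AccessKeyId"])
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    new_id, new_secret = new["AccessKeyId"], new["SecretAccessKey"]
    try:
        if not verify(new_id, new_secret):
            raise RuntimeError("new key failed verification")
        store_secret(new_id, new_secret)
    except Exception:
        # Undo, so the user is back to exactly one key, the old one, still Active.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_id)
        raise
    # Deactivate before deleting: an Inactive key can be re-enabled with
    # UpdateAccessKey if a consumer turns out to still depend on it.
    iam.update_access_key(UserName=user_name, AccessKeyId=current_key_id, Status="Inactive")
    iam.delete_access_key(UserName=user_name, AccessKeyId=current_key_id)
    return new_id
```

The order matters: create, verify, store, deactivate, delete. Anything that fails before the store step rolls back to the original key, and a user that already holds two Active keys is refused rather than silently trimmed, because the extra key may belong to a consumer this pipeline does not know about. FakeIAM.calls records exactly the four actions in the policy, which is a quick way to confirm the policy is neither too narrow nor too broad for the procedure.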
GitHub Secrets Naming Convention (Clear & Environment-Specific)
Store the following secrets in your GitHub repository:
- AWS_ACCESS_KEY_ID_DEV: IAM Access Key ID (Dev)
- AWS_SECRET_ACCESS_KEY_DEV: IAM Secret Access Key (Dev)
- AWS_ACCESS_KEY_ID_PROD: IAM Access Key ID (Production)
- AWS_SECRET_ACCESS_KEY_PROD: IAM Secret Access Key (Production)
- AWS_KEYS_ROTATION_TOKEN: a GitHub personal access token with repo scope (or a fine-grained token with write access to the repository's Actions secrets). The rotary action needs it to write the secrets above; the workflow's default GITHUB_TOKEN cannot update repository secrets. Treat this token as a privileged credential in its own right: it can rewrite every secret in the repository, so give it its own rotation schedule rather than leaving it as the one long-lived key the whole setup depends on.
To add these:
Go to your GitHub repo → Settings → Secrets and variables → Actions
Click New repository secret
Benefits of This Naming Convention:
- Consistent with AWS naming
- Easy to script with
- Clear which secret belongs to which environment
- Looks clean in workflows and secret lists
AWS Key Rotation Workflow (.github/workflows/rotate-aws-keys.yml)
name: Rotate AWS Keys

on:
  schedule:
    - cron: '0 1 * * 0' # Every Sunday at 1 AM UTC

# Creating a repository_dispatch event with the default GITHUB_TOKEN needs
# write access to repository contents; the default token permissions in a
# new repository are read-only.
permissions:
  contents: write

jobs:
  rotate-aws-keys:
    name: Rotate AWS Keys
    runs-on: ubuntu-latest
    steps:
      - name: Rotate AWS credentials - Dev
        uses: softprops/aws-credential-rotary@v1
        env:
          # PAT with repo scope: GITHUB_TOKEN cannot write repository secrets
          GITHUB_TOKEN: ${{ secrets.AWS_KEYS_ROTATION_TOKEN }}
          # the key being rotated authenticates its own rotation
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_DEV }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_DEV }}
        with:
          github-access-key-id-name: 'AWS_ACCESS_KEY_ID_DEV'
          github-secret-access-key-name: 'AWS_SECRET_ACCESS_KEY_DEV'

      - name: Rotate AWS credentials - Prod
        uses: softprops/aws-credential-rotary@v1
        env:
          GITHUB_TOKEN: ${{ secrets.AWS_KEYS_ROTATION_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_PROD }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_PROD }}
        with:
          github-access-key-id-name: 'AWS_ACCESS_KEY_ID_PROD'
          github-secret-access-key-name: 'AWS_SECRET_ACCESS_KEY_PROD'

      - name: Trigger Production Deployment
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          event-type: trigger-prod-deployment
This job:
- Rotates both Dev and Prod IAM keys
- Automatically updates the respective GitHub secrets
- Triggers a production deployment using the repository_dispatch event
The deployment has to be a separate workflow run, not a later step in this job: ${{ secrets.* }} values are handed to the runner when the job starts, so steps after the rotation still see the old key. A fresh run resolves the updated secrets. Note also that IAM changes take a few seconds to propagate, so a deployment that starts the instant the new key is created can hit an InvalidClientTokenId on its first call; a short retry or wait in the deploy workflow covers that.
Deployment Workflow Listener
To listen for the event triggered after rotation, you’ll need this in your production deployment workflow:
name: Build & Deploy Application on Prod

on:
  workflow_dispatch:
  repository_dispatch:
    types: [trigger-prod-deployment]
  push:
    branches:
      - main
      - master

permissions:
  id-token: write
  contents: read
This means your prod deployment runs in exactly three cases:
- On demand (workflow_dispatch)
- On push to main/master
- After key rotation, via the trigger-prod-deployment event
The `id-token: write` permission is only needed if the deploy job assumes an AWS role through GitHub's OIDC provider. If it does, that job obtains short-lived credentials at run time and does not need the static AWS_*_PROD keys at all; the rotation above then only matters for whatever still relies on the IAM user's keys.
Why This Setup Works
- Keeps your secrets rotated and fresh
- Supports multiple environments (Dev & Prod)
- Triggers deployment after a secure rotation
- Keeps credentials safely in GitHub Secrets
Final Thoughts
Automating IAM key rotation is a must-have for any production-grade AWS setup. By combining GitHub Actions, good naming conventions, and a rotation action, you can eliminate manual errors and reduce your attack surface.