When this script is called with the parameter to deploy new users, it will:
- Retrieve a list of IAM users which are members of a group. This group should be named '<aws_alias>_ssh'
- Download the available SSH keys from IAM (available in the console under CodeCommit deploy keys)
- Create a local group on the instance
- Create local users on the instance
- Write downloaded SSH keys to ~/.ssh/authorized_keys for each user
- Configure sudo to allow root-access for the users
This script can be run periodically. It will execute the steps above and will also locally delete users which have been deleted in IAM.
When this script is called with the parameter to undeploy users it will:
- Delete all users which are members of the group
- Delete the group
There is a filter to prevent deletion of certain system users.
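The reconciliation the two modes perform, as an added example that is not the project's own code: it takes the IAM group members and their SSH public keys as already-fetched data (the real script obtains them from the IAM API) and computes which local users to create, which to delete, and what to write to each authorized_keys file. The alias, user names, key bodies and the PROTECTED_USERS set are constructed for illustration.

```python
from dataclasses import dataclass, field

# System accounts the sync must never delete, even though they are not IAM
# users. Constructed list; the page only states that such a filter exists.
PROTECTED_USERS = frozenset({"root", "ec2-user", "ubuntu", "daemon", "nobody"})


@dataclass
class Plan:
    group: str                      # local group '<alias>_ssh'
    create: list = field(default_factory=list)
    delete: list = field(default_factory=list)
    authorized_keys: dict = field(default_factory=dict)  # user -> file body


def build_plan(alias, iam_users, iam_keys, local_members, action):
    """Compute the changes for one run.

    iam_users:     names of IAM users in the '<alias>_ssh' IAM group
    iam_keys:      {user: [{"Status": "Active"|"Inactive", "SSHPublicKeyBody": ...}]}
                   (the fields IAM returns for an SSH public key)
    local_members: current members of the local '<alias>_ssh' group
    action:        "start" syncs with IAM, "stop" removes everything the sync created
    """
    group = f"{alias}_ssh"
    desired = set() if action == "stop" else set(iam_users)
    present = set(local_members)
    plan = Plan(group=group)
    # Present in IAM but not locally -> create; present locally but gone from IAM
    # (or everything, on "stop") -> delete, except protected system users.
    plan.create = sorted(desired - present)
    plan.delete = sorted((present - desired) - PROTECTED_USERS)
    for user in sorted(desired):
        # Only Active keys are written; a user whose keys were all deactivated
        # in IAM gets an empty authorized_keys and loses SSH access on the next run.
        active = [k["SSHPublicKeyBody"] for k in iam_keys.get(user, [])
                  if k.get("Status") == "Active"]
        plan.authorized_keys[user] = "".join(body + "\n" for body in active)
    return plan


# Constructed sample data standing in for the IAM API responses.
SAMPLE_USERS = ["alice", "bob"]
SAMPLE_KEYS = {
    "alice": [{"Status": "Active", "SSHPublicKeyBody": "ssh-ed25519 AAAAC3Nz...constructed alice"}],
    "bob": [{"Status": "Inactive", "SSHPublicKeyBody": "ssh-rsa AAAAB3Nz...constructed bob"}],
}
SAMPLE_LOCAL = ["alice", "carol", "ec2-user"]  # carol was removed from IAM

if __name__ == "__main__":
    print(build_plan("acme", SAMPLE_USERS, SAMPLE_KEYS, SAMPLE_LOCAL, "start"))
    print(build_plan("acme", SAMPLE_USERS, SAMPLE_KEYS, SAMPLE_LOCAL, "stop"))
```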
$ sudo pip install -r requirements.txt
This script is written to be used on an EC2 instance. This instance must be launched with an instance role and a proper policy attached to make API calls to IAM.
$ sudo ./src/sync_users.py start
$ sudo ./src/sync_users.py stop
- Create deployable packages
- Provide initscripts, cronjobs, etc.
- Allow cross-account IAM access