Deactivate Expired AWS IAM Keys with Approval

Find expired AWS IAM access keys and then prompt the user for a decision to either deactivate them or keep them active and send an alert.
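The detect-then-approve logic described above, as an added Python sketch (not code from this sample or from Flowpipe). The 90-day expiry threshold, the function names, and the sample key data are assumptions made for illustration; the sample input is constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed expiry threshold; the page does not state one

# Constructed sample, shaped like `aws iam list-access-keys` output.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000001",
     "Status": "Active", "CreateDate": "2023-01-10T00:00:00+00:00"},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE0000000002",
     "Status": "Active", "CreateDate": "2024-05-01T00:00:00+00:00"},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE0000000003",
     "Status": "Inactive", "CreateDate": "2022-03-01T00:00:00+00:00"},
    {"UserName": "dave", "AccessKeyId": "AKIAEXAMPLE0000000004",
     "Status": "Active", "CreateDate": "2024-02-01T00:00:00+00:00"},
]


def find_expired(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return active keys older than max_age_days, oldest first."""
    cutoff = now - timedelta(days=max_age_days)
    expired = []
    for key in keys:
        created = datetime.fromisoformat(key["CreateDate"])
        # Already-inactive keys need no decision, however old they are.
        if key["Status"] == "Active" and created < cutoff:
            expired.append({**key, "AgeDays": (now - created).days})
    return sorted(expired, key=lambda k: k["AgeDays"], reverse=True)


def plan_actions(expired, decisions):
    """Turn approver decisions into actions; anything but an explicit
    "deactivate" falls back to an alert, so no key is disabled unapproved."""
    plan = []
    for key in expired:
        if decisions.get(key["AccessKeyId"]) == "deactivate":
            plan.append(("deactivate", [
                "aws", "iam", "update-access-key",
                "--user-name", key["UserName"],
                "--access-key-id", key["AccessKeyId"],
                "--status", "Inactive"]))
        else:
            plan.append(("alert", f"{key['UserName']}: key {key['AccessKeyId']} "
                                  f"is {key['AgeDays']} days old and still active"))
    return plan


if __name__ == "__main__":
    expired = find_expired(SAMPLE_KEYS, SAMPLE_NOW)
    for action, detail in plan_actions(expired, {"AKIAEXAMPLE0000000001": "deactivate"}):
        print(action, detail)
```

Setting a key to Inactive rather than deleting it keeps the action reversible if a workload turns out to still depend on it.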


Docker daemon must be installed and running. Please see Install Docker Engine for more information.

Getting Started


Download and install Flowpipe and Steampipe. Or use Brew:

brew install turbot/tap/flowpipe
brew install turbot/tap/steampipe

Install the AWS plugin with Steampipe:

steampipe plugin install aws

Steampipe will automatically use your default AWS credentials. Optionally, you can set up multiple accounts or customize AWS credentials.

Create a credential_import resource to import your Steampipe AWS connections:

vi ~/.flowpipe/config/aws.fpc
credential_import "aws" {
  source      = "~/.steampipe/config/aws.spc"
  connections = ["*"]
}

For more information on importing credentials, please see Credential Import.

For more information on credentials in Flowpipe, please see Managing Credentials.


git clone
cd public_cloud/notify_new_aws_iam_access_keys


Start the Steampipe service:

steampipe service start

Start the Flowpipe server:

flowpipe server


By default, all messages will be sent to the terminal. You can set up an integration and a notifier to send the notification through email, Slack, or any other supported integration.

To send messages through email instead:

vi ~/.flowpipe/config/integrations.fpc
integration "email" "default" {
  smtp_tls      = "required"
  smtps_port    = 587
  smtp_host     = ""
  smtp_username = ""
  smtp_password = env("MY_EMAIL_PASSWORD")
  from          = ""
}

notifier "my_email" {
  notify {
    # Reference to the email integration declared above
    integration = integration.email.default
    to          = [""]
  }
}

Then set the notifier variable:

cp flowpipe.fpvars.example flowpipe.fpvars
vi flowpipe.fpvars
# Set the notifier to use for inputs and messages
# Defaults to the "default" notifier
notifier = "my_email"