feat(aws)!: improve `aws_change_access_key` (#11378)

plugins/aws/README.md

 # aws
 
-This plugin provides completion support for [awscli](https://docs.aws.amazon.com/cli/latest/reference/index.html)
+This plugin provides completion support for [awscli v2](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/index.html)
 and a few utilities to manage AWS profiles/regions and display them in the prompt.
+[awscli v1](https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html) is no longer supported.
 
 To use it, add `aws` to the plugins array in your zshrc file.
 
@@ -12,9 +13,9 @@ plugins=(... aws)
 ## Plugin commands
 
 * `asp [<profile>]`: sets `$AWS_PROFILE` and `$AWS_DEFAULT_PROFILE` (legacy) to `<profile>`.
-  It also sets `$AWS_EB_PROFILE` to `<profile>` for the Elastic Beanstalk CLI. It sets `$AWS_PROFILE_REGION` for display in `aws_prompt_info`. 
+  It also sets `$AWS_EB_PROFILE` to `<profile>` for the Elastic Beanstalk CLI. It sets `$AWS_PROFILE_REGION` for display in `aws_prompt_info`.
   Run `asp` without arguments to clear the profile.
-* `asp [<profile>] login`: If AWS SSO has been configured in your aws profile, it will run the `aws sso login` command following profile selection. 
+* `asp [<profile>] login`: If AWS SSO has been configured in your aws profile, it will run the `aws sso login` command following profile selection.
 
 * `asr [<region>]`: sets `$AWS_REGION` and `$AWS_DEFAULT_REGION` (legacy) to `<region>`.
   Run `asr` without arguments to clear the profile.
@@ -65,7 +66,7 @@ the current `$AWS_PROFILE` and `$AWS_REGION`. It uses four variables to control
 
 Source profile credentials in `~/.aws/credentials`:
 
-```
+```ini
 [source-profile-name]
 aws_access_key_id = ...
 aws_secret_access_key = ...
@@ -73,7 +74,7 @@ aws_secret_access_key = ...
 
 Role configuration in `~/.aws/config`:
 
-```
+```ini
 [profile source-profile-name]
 mfa_serial = arn:aws:iam::111111111111:mfa/myuser
 region = us-east-1

plugins/aws/aws.plugin.zsh

@@ -160,14 +160,39 @@ function aws_change_access_key() {
     return 1
   fi
 
-  echo "Insert the credentials when asked."
-  asp "$1" || return 1
-  AWS_PAGER="" aws iam create-access-key
-  AWS_PAGER="" aws configure --profile "$1"
+  local profile="$1"
+  # Get current access key
+  local original_aws_access_key_id="$(aws configure get aws_access_key_id --profile $profile)"
+
+  asp "$profile" || return 1
+  echo "Generating a new access key pair for you now."
+  if aws --no-cli-pager iam create-access-key; then
+    echo "Insert the newly generated credentials when asked."
+    aws --no-cli-pager configure --profile $profile
+  else
+    echo "Current access keys:"
+    aws --no-cli-pager iam list-access-keys
+    echo "Profile \"${profile}\" is currently using the $original_aws_access_key_id key. You can delete an old access key by running \`aws --profile $profile iam delete-access-key --access-key-id AccessKeyId\`"
+    return 1
+  fi
 
-  echo "You can now safely delete the old access key running \`aws iam delete-access-key --access-key-id ID\`"
+  read -q "yn?Would you like to disable your previous access key (${original_aws_access_key_id}) now? "
+  case $yn in
+    [Yy]*)
+      echo -n "\nDisabling access key ${original_aws_access_key_id}..."
+      if aws --no-cli-pager update-access-key --access-key-id ${original_aws_access_key_id} --status Inactive; then
+        echo "done."
+      else
+        echo "\nFailed to disable ${original_aws_access_key_id} key."
+      fi
+      ;;
+    *)
+      echo ""
+      ;;
+  esac
+  echo "You can now safely delete the old access key by running \`aws --profile $profile iam delete-access-key --access-key-id ${original_aws_access_key_id}\`"
   echo "Your current keys are:"
-  AWS_PAGER="" aws iam list-access-keys
+  aws --no-cli-pager iam list-access-keys
 }
 
 function aws_regions() {