Comments (12)
This line (in the test suite) also assumes the access key is used. I've patched locally to look like this:
    if 'AWS_PROFILE' in os.environ:
        self.profile_name = os.environ['AWS_PROFILE']
    else:
        self.profile_name = 'travislike' if creds['AccessKeyId'] is None else None
But that's horrible. :-)
from scoutsuite.
I believe this should work now.
from scoutsuite.
You are correct @l01cd3v . On upgrading opinel, it worked just fine with the external_id; your fix was it. Thanks a lot!
from scoutsuite.
I tried using this and hit a couple of problems.
Sometimes the config is aws_external_id, sometimes external_id. Awscli uses the latter, but scout and anything else that uses opinel uses the former.
(If you do get a working configuration, the temporary credentials can be cached by awscli. This is good behaviour, but can be confusing for two consecutive tests.)
Scout2 has some code to parse cross account roles and it does work but it is not compatible with the awscli.
in ~/.aws/config I have
[yyy]
region=us-west-2
role_arn=arn:aws:iam::123456789012:role/cross_role_test
external_id=666
aws_external_id=666
source_profile=xxx
and in ~/.aws/credentials I have
[xxx]
region=us-west-2
aws_access_key_id=AIHFBAFHBAIHBFIAHFBIA
aws_secret_access_key=aljehrbfaiebrfiaebrfipebr
[zzz]
region=us-west-2
aws_access_key_id=AIHFBAFHBAIHBFIAHFBIA
aws_secret_access_key=aljehrbfaiebrfiaebrfipebr
region=us-west-2
role_arn=arn:aws:iam::123456789012:role/cross_role_test
external_id=666
source_profile=zzz
So the following commands work
aws --profile=zzz ec2 describe-instances --debug
Scout2 --no-browser --force --services ec2 --profile yyy
but
Scout2 --no-browser --force --services ec2 --profile zzz
goes into a stack death loop and
aws --profile=yyy ec2 describe-instances --debug
doesn’t try the role.
So it is possible to write a config for scout2 but it is incompatible with one for awscli.
Probably a worse issue is that we have no way of passing in these parameters in the environment.
To use this from a script we would need to go back to overwriting the config for each set of credentials, which is not convenient.
I reported a ticket in opinel (nccgroup/opinel#26) and fix in nccgroup/opinel#27.
Currently all the travis tests fail, but I don’t think this is because of my code change.
I would appreciate some pointers about how to get that fix into opinel.
from scoutsuite.
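The comment above describes three things a profile resolver has to cope with: the two spellings of the external ID key, profiles split across ~/.aws/config and ~/.aws/credentials, and a source_profile that points back at the profile itself (the zzz case that sends Scout2 into a loop). The following is an added example, not code from the thread, Scout2 or opinel; the sample files are constructed with placeholder key material, and the rule that a profile may name itself as source only when it holds static keys is my understanding of botocore's behaviour.

```python
import configparser
from typing import Dict, List

# Constructed sample files modelled on the ones pasted in the thread.
# Key IDs and secrets are placeholders, not real credentials.
CONFIG_TEXT = """
[profile yyy]
region=us-west-2
role_arn=arn:aws:iam::123456789012:role/cross_role_test
aws_external_id=666
source_profile=xxx
"""
CREDENTIALS_TEXT = """
[xxx]
aws_access_key_id=AKIAPLACEHOLDER000000
aws_secret_access_key=placeholder-secret-not-a-real-key
[zzz]
aws_access_key_id=AKIAPLACEHOLDER000000
aws_secret_access_key=placeholder-secret-not-a-real-key
role_arn=arn:aws:iam::123456789012:role/cross_role_test
external_id=666
source_profile=zzz
"""

# opinel/Scout2 spelling on the left, awscli spelling on the right.
ALIASES = {"aws_external_id": "external_id", "aws_role_arn": "role_arn",
           "aws_region_name": "region"}


class ProfileError(Exception):
    pass


def load_profiles(config_text: str, credentials_text: str) -> Dict[str, Dict[str, str]]:
    """Merge both files into one map keyed by bare profile name. "[profile x]"
    (config file form) and "[x]" (credentials file form) are the same profile;
    the credentials file is read last, so its values win on duplicate keys."""
    profiles: Dict[str, Dict[str, str]] = {}
    for text in (config_text, credentials_text):
        cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
        cp.read_string(text)
        for section in cp.sections():
            name = section[len("profile "):] if section.startswith("profile ") else section
            merged = profiles.setdefault(name, {})
            for key, value in cp[section].items():
                merged[ALIASES.get(key, key)] = value  # normalise key spellings
    return profiles


def resolve_chain(profiles: Dict[str, Dict[str, str]], name: str) -> List[str]:
    """Follow source_profile links from `name` to the profile that supplies base
    credentials. A profile may name itself as source only if it has static keys;
    any other repeat is a cycle and is rejected rather than recursed into.
    (credential_source-based profiles are not handled here.)"""
    chain: List[str] = []
    current = name
    while True:
        if current not in profiles:
            raise ProfileError(f"unknown profile {current!r}")
        chain.append(current)
        p = profiles[current]
        if "role_arn" not in p:
            return chain                      # plain static-key profile
        source = p.get("source_profile")
        if source is None:
            raise ProfileError(f"{current!r} has role_arn but no source_profile")
        if source == current:
            if "aws_access_key_id" in p:
                return chain                  # self-sourced role with static keys
            raise ProfileError(f"{current!r} names itself as source without static keys")
        if source in chain:
            raise ProfileError("source_profile cycle: " + " -> ".join(chain + [source]))
        current = source
```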
Thanks!
This seems like a good solution. But I'm using multiple profiles, and would need to keep changing the env_var to match the one I need, hence need Scout2 to generalize well.
from scoutsuite.
The fix needs to go into opinel but it should be an easy one.
I use profiles and roles a lot, but never via environment variables. Can you paste how you'd expect to call the CLI exactly so that I can make sure the call to read_creds() behaves similarly?
from scoutsuite.
I use direnv, so I don't tend to need to fiddle with per-application settings. Highly recommended!
from scoutsuite.
Adding some more details. Pardon me @l01cd3v - I know your question is precise, but I wanted to share all the information I have so that there is no confusion here.
Here is an example of a credentials file that works for both aws cli and Scout2, as expected:
[profile0]
aws_region_name = us-west-2
aws_secret_access_key = asdfegerblahblahblahsomemore
aws_access_key_id = AKIASOMEKEYSTRING
aws_role_arn = arn:aws:iam::11111111111:role/my-awesome-role
aws_external_id = myextID
And by "works", I mean I can run the following commands easily:
Scout2 --no-browser --services vpc s3 ec2 iam --profile profile0
aws ec2 describe-instances --profile profile0
On the other hand, if my credentials file looks like the following, Scout2 fails (with exit code 42) but aws cli succeeds (using the same commands).
[profile0]
aws_region_name = us-west-2
aws_role_arn = arn:aws:iam::11111111111:role/my-awesome-role
aws_external_id = myextID
The reason cli works is that the ec2 instance where I'm running these commands has a role attached to it with a policy that grants it permissions to assume any role (as described in my initial question).
Thus, I would expect Scout2 to work as well.
Edit: Accidentally hit close and comment instead of just comment.
Edit2: Thanks @brunns for sharing direnv, it seems super-useful!
from scoutsuite.
Scout2 already supports cross account, but support for the external ID was lacking; also, I believe it failed in your case because the role-based profiles are defined in the .aws/credentials file while the code only looks for these in the .aws/config file.
I created nccgroup/opinel#24 to track changes.
from scoutsuite.
Sorry @l01cd3v, red herring! I think that this fix wasn't enough. The reason it worked locally with this fix was that I had this line commented out. If I don't provide an AccessKeyId, and uncomment the said line (i.e. the way it is), it still doesn't work.
from scoutsuite.
I'll have to spin up a test instance w/ a role that can assume other roles and give it a try.
Just FYI, the check for the access_key_id in Scout2 is legit and will remain no matter what. This is because when you use a role (via ec2 instance or assume-role), you end up receiving a short-lived access_key_id / secret / session_token combo. I need to look into why read_creds won't work in this scenario.
from scoutsuite.
Closing this issue as we no longer rely on opinel for AWS authentication. You should now set up authentication as per usual. If you pass a named profile to scout (--profile argument) then that's what scout will use, otherwise it will use boto's standard evaluation logic (https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html).
See #9 for change.
from scoutsuite.