botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied about security_monkey HOT 11 CLOSED

2019-08-19 10:16:46,881 INFO: [-->] Looking for changes in account: monkeytest, technology: alb [in /usr/local/lib/python2.7/dist-packages/security_monkey/task_scheduler/tasks.py:224]
Traceback (most recent call last):
File "/usr/local/bin/monkey", line 11, in
load_entry_point('security-monkey==1.1.1', 'console_scripts', 'monkey')()
File "/usr/local/lib/python2.7/dist-packages/security_monkey/manage.py", line 868, in main
manager.run()
File "/usr/local/lib/python2.7/dist-packages/flask_script/init.py", line 397, in run
result = self.handle(sys.argv[0], sys.argv[1:])
File "/usr/local/lib/python2.7/dist-packages/flask_script/init.py", line 376, in handle
return handle(app, *positional_args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/flask_script/commands.py", line 145, in handle
return self.run(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/security_monkey/manage.py", line 91, in find_changes
manual_run_change_finder(account_names, monitor_names)
File "/usr/local/lib/python2.7/dist-packages/security_monkey/task_scheduler/tasks.py", line 199, in manual_run_change_finder
find_changes(account, tech)
File "/usr/local/lib/python2.7/dist-packages/security_monkey/task_scheduler/tasks.py", line 229, in find_changes
(items, exception_map) = cw.slurp() or ([], {})
File "/usr/local/lib/python2.7/dist-packages/security_monkey/cloudaux_watcher.py", line 84, in slurp
regions=self._get_regions(), conn_type='dict')
File "/usr/local/lib/python2.7/dist-packages/security_monkey/cloudaux_watcher.py", line 45, in _get_regions
_, regions = get_regions(account, self.service_name)
File "/usr/local/lib/python2.7/dist-packages/security_monkey/decorators.py", line 183, in get_regions
role = sts.assume_role(**assume_role_kwargs)
File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 357, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 661, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

from security_monkey.

Did you grant SecurityMonkeyInstanceProfile the proper sts:AssumeRole permissions? Your screenshots don't showcase it.

from security_monkey.

Hi Mike, Thanks for the response. I have provided is as stated in the doc, please find the below screenshot.

from security_monkey.

security monkey is working fine when I work it though a EC2 instance and able to scan the account with out any issues, but when I setup through docker [ which is business requirement ] and trying to scan I am getting permission issues.

from security_monkey.

Ohhh! That is expected.

You need to find a way to get the credentials from your instance onto the container.

from security_monkey.

i didn't get you mike, I have passed the access key and secret key through secmonkey.env . can you help me to fix this issue.. its driving me crazy from days.

from security_monkey.

You won't be able to use IAM roles for this use case (unless you have some special metadata proxy thing running for your container, but let's not go there)

In your case, you will need to mint an IAM User, and create static keys. From there, you will need to set up your docker container to have the static keys available where boto expects them.

from security_monkey.

The best docs we have on this are here: https://github.com/Netflix/security_monkey/blob/develop/docs/docker.md

from security_monkey.

I am trying with the same doc from days Mike.. got this issue which i am unable to fix.
Another question, is it possible to scan multiple accounts with docker case ?

from security_monkey.

Yes -- you just need the credentials in your container, which for Docker, our recommendation is to make use of IAM static credentials.

While we understand that static credentials are not great, it's the easiest solution for something without direct access to the AWS metadata service.

Alternatively, you might want to investigate the use of Fargate or ECS.

from security_monkey.

Ok Mike, thanks for your time. I will try it out today and will get back to you

from security_monkey.