Comments (11)
@kmcquade sorry for the late response.
I did just try it out with cloudsplaining download --profile profilename and it worked out just fine. So my issue is gone.
Thank you for solving this issue.
from cloudsplaining.
@acidflash - see the first line:
    Found credentials in shared credentials file: ~/.aws/credentials
    Enter MFA code for arn:aws:iam::XXXXXXX:mfa/XXXX:
    Refreshing temporary credentials failed during mandatory refresh period.
Same with the last line:
    "/usr/local/Cellar/cloudsplaining/0.1.4/libexec/lib/python3.7/site-packages/botocore/client.py", line 635, in _make_api_call
    raise error_class(parsed_response, operation_name)
    botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.
Seems like you need to update your STS credentials for that profile.
from cloudsplaining.
> @acidflash - see the first line:
>     Found credentials in shared credentials file: ~/.aws/credentials
>     Enter MFA code for arn:aws:iam::XXXXXXX:mfa/XXXX:
>     Refreshing temporary credentials failed during mandatory refresh period.
> Same with the last line:
>     "/usr/local/Cellar/cloudsplaining/0.1.4/libexec/lib/python3.7/site-packages/botocore/client.py", line 635, in _make_api_call
>     raise error_class(parsed_response, operation_name)
>     botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.
> Seems like you need to update your STS credentials for that profile.
Unfortunately, that is not the fault. I use exactly the same profile when I do everything else in TF or other programs against AWS.
So the question really is whether cloudsplaining works with assume profile?
However, I can create a new access key against that account and do a test run.
from cloudsplaining.
Hmmm. Ok. Would you mind elaborating more on your setup? If it’s running on your machine, whether you are using an SSO login command with AWS CLI, what the credentials file looks like, or anything else relevant.
I rely on boto3/botocore to handle the AWS login - and so far, it handles the usage and prioritization of credential loading methods (environment variables, EC2 metadata, credentials files). I assumed (no pun intended) that boto3 would also handle profiles that assume other roles, so this one has me a bit puzzled.
All the code for the download command is here, by the way. https://github.com/salesforce/cloudsplaining/blob/master/cloudsplaining/command/download.py#L46.
If anyone has some ideas as to the problem here, I’m all ears.
from cloudsplaining.
Of course.
I'm using MacOSX 10.15.5 and have aws-cli/2.0.26 Python/3.8.3 Darwin/19.5.0 botocore/2.0.0dev30 installed with brew.
We use assume roles so in my credentials file I only have:
cat credentials
[XX-XXX]
aws_access_key_id = XXX
aws_secret_access_key = XXX
cat config
[profile privat]
region=eu-north-1
source_profile=XX-XXX
role_arn=arn:aws:iam::123456789123:role/security
mfa_serial=arn:aws:iam::321987654321:mfa/acidflash
And when I change my profile I just use export AWS_PROFILE=privat
echo $AWS_PROFILE
And the output is
privat
Don't know if terraforming also runs with the same library for managing login, because it has similar problems when I try to use it.
Should I put an access key directly on the account, it works, but when we do not work that way, there will be problems in our audit.
So in order to get the same thing started in any test, you have to have two AWS accounts and a trust between them through which you can assume the role.
The IAM account should be in account1, and in account2 there should only be one role and no IAM user.
I hope this information can give you more clarity on how my setup looks.
from cloudsplaining.
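An offline check of the profile layout posted above, added here as an example (it is not code from the thread or from cloudsplaining). It merges the config and credentials files and follows the source_profile links to show where the role ARN, MFA serial and static keys live. The function names and sample strings are constructed for illustration, and other credential sources (credential_process, SSO, credential_source) are not modelled.

```python
import configparser

# Constructed sample files mirroring the layout posted above (placeholder values).
SAMPLE_CREDENTIALS = "[XX-XXX]\naws_access_key_id = XXX\naws_secret_access_key = XXX\n"
SAMPLE_CONFIG = """\
[profile privat]
region=eu-north-1
source_profile=XX-XXX
role_arn=arn:aws:iam::123456789123:role/security
mfa_serial=arn:aws:iam::321987654321:mfa/acidflash
"""

def _sections(text):
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def load_profiles(config_text, credentials_text):
    """Merge both files into {profile_name: settings}."""
    profiles = {}
    for section, settings in _sections(config_text).items():
        # ~/.aws/config names every profile except "default" as "profile <name>".
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles.setdefault(name, {}).update(settings)
    for section, settings in _sections(credentials_text).items():
        profiles.setdefault(section, {}).update(settings)  # bare names here
    return profiles

def resolve_chain(profiles, name):
    """Follow source_profile links; return (chain, problems)."""
    chain, problems, seen = [], [], set()
    while name is not None:
        if name in seen:
            problems.append(f"source_profile loop at '{name}'")
            break
        seen.add(name)
        settings = profiles.get(name)
        if settings is None:
            problems.append(f"profile '{name}' is not defined in either file")
            break
        step = {"profile": name, "role_arn": settings.get("role_arn"),
                "mfa_serial": settings.get("mfa_serial"),
                "has_static_keys": "aws_access_key_id" in settings}
        chain.append(step)
        name = settings.get("source_profile")
        if name is None and not step["has_static_keys"]:
            # Only static keys are modelled; other sources are out of scope.
            problems.append(f"'{step['profile']}' has no static keys or source_profile")
    return chain, problems
```

Run against the real ~/.aws/config and ~/.aws/credentials contents, an empty problems list means the chain from the selected profile down to a profile holding static keys is at least well formed on disk.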
Right on. I’ll test some stuff out and get back to you. Quite puzzling.
Did you install Cloudsplaining with pip or with Homebrew?
from cloudsplaining.
> Right on. I’ll test some stuff out and get back to you. Quite puzzling.
> Did you install Cloudsplaining with pip or with Homebrew?
Homebrew
from cloudsplaining.
I can give some new input in this case.
I found that if I run:
aws-vault exec ss-privat
bash-3.2$ cloudsplaining download
Found credentials in environment variables.
Saved results to default.json
So I don't know if this is an issue in aws-vault or cloudsplaining.
from cloudsplaining.
@acidflash, it looks like from what you showed above, it saved the Account authorization details to the default.json. Did that not work?
from cloudsplaining.
Just took a look at your original question. Instead of using export AWS_PROFILE='profilename', use this instead:
cloudsplaining download --profile profilename
That should work.
from cloudsplaining.
@acidflash - any chance you were able to try the above?
Hoping to clean up some of the remaining issues.
from cloudsplaining.