
Comments (11)

acidflash commented on May 27, 2024

@kmcquade sorry for late response.
I did just try it out with cloudsplaining download --profile profilename and it worked out just fine. So my issue is gone.
Thank you for solving this issue.

from cloudsplaining.

kmcquade commented on May 27, 2024

@acidflash - see the first line:

Found credentials in shared credentials file: ~/.aws/credentials
Enter MFA code for arn:aws:iam::XXXXXXX:mfa/XXXX:
Refreshing temporary credentials failed during mandatory refresh period.

Same with the last line:

"/usr/local/Cellar/cloudsplaining/0.1.4/libexec/lib/python3.7/site-packages/botocore/client.py", line 635, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.

Seems like you need to update your STS credentials for that profile.

acidflash commented on May 27, 2024

> @acidflash - see the first line:
>
> Found credentials in shared credentials file: ~/.aws/credentials
> Enter MFA code for arn:aws:iam::XXXXXXX:mfa/XXXX:
> Refreshing temporary credentials failed during mandatory refresh period.
>
> Same with the last line:
>
> "/usr/local/Cellar/cloudsplaining/0.1.4/libexec/lib/python3.7/site-packages/botocore/client.py", line 635, in _make_api_call
> raise error_class(parsed_response, operation_name)
> botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.
>
> Seems like you need to update your STS credentials for that profile.

Unfortunately, that is not the fault. I use exactly the same profile when I do everything else in TF or other programs against AWS.
So the question really is whether cloudsplaining works with assume profile?
However, I can test to do new access key against that account and test run.

kmcquade commented on May 27, 2024

Hmmm. Ok. Would you mind elaborating more on your setup? If it’s running on your machine, whether you are using an SSO login command with AWS CLI, what the credentials file looks like, or anything else relevant.

I rely on boto3/botocore to handle the AWS login - and so far, it handles the usage and prioritization of credential loading methods (environment variables, EC2 metadata, credentials files). I assumed (no pun intended) that boto3 would also handle profiles that assume other roles, so this one has me a bit puzzled.

All the code for the download command is here, by the way. https://github.com/salesforce/cloudsplaining/blob/master/cloudsplaining/command/download.py#L46.

If anyone has some ideas as to the problem here, I’m all ears.

acidflash commented on May 27, 2024

Of course.
I'm using MacOSX 10.15.5 and have aws-cli/2.0.26 Python/3.8.3 Darwin/19.5.0 botocore/2.0.0dev30 installed with brew.
We use assume roles so in my credentials file I only have:
cat credentials
[XX-XXX]
aws_access_key_id = XXX
aws_secret_access_key = XXX

cat config
[profile privat]
region=eu-north-1
source_profile=XX-XXX
role_arn=arn:aws:iam::123456789123:role/security
mfa_serial=arn:aws:iam::321987654321:mfa/acidflash

And when I change my profile I just use export AWS_PROFILE=privat
echo $AWS_PROFILE
And the output is
privat

Don't know if terraforming also runs with the same library for managing login, because it has similar problems when I try to use it.

Should I put an access key directly on account, it works, but when we do not work that way, there will be problems in our audit.

So in order to get the same thing started in any test, you have to have two AWS accounts. And a trust between them for which you can assume the role.
IAM account should be in account1 and in account2 there should only be one role and no IAM user.

I hope this information can give you more clarity on how my setup looks.

from cloudsplaining.
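
The profile chain posted above (a role profile in `config` whose `source_profile` holds the long-term keys in `credentials`) can be checked offline before suspecting the tool. This is an added example, not part of the original thread or of cloudsplaining: `load_profiles` and `resolve_chain` are hypothetical helpers, the sample files are constructed from the redacted values in the post, and only `source_profile` chaining is handled.

```python
import configparser

# Constructed sample files mirroring the setup posted in the thread (keys redacted).
CREDENTIALS = """[XX-XXX]
aws_access_key_id = XXX
aws_secret_access_key = XXX
"""
CONFIG = """[profile privat]
region=eu-north-1
source_profile=XX-XXX
role_arn=arn:aws:iam::123456789123:role/security
mfa_serial=arn:aws:iam::321987654321:mfa/acidflash
"""

def _sections(text):
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def load_profiles(config_text, credentials_text):
    """Merge both files into {profile: settings}; 'profile ' prefix is config-only."""
    profiles = {}
    for section, values in _sections(config_text).items():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles.setdefault(name, {}).update(values)
    for section, values in _sections(credentials_text).items():
        profiles.setdefault(section, {}).update(values)
    return profiles

def resolve_chain(profiles, name):
    """Follow source_profile links only (simplified); returns (chain, mfa, problems)."""
    chain, mfa, problems = [], [], []
    while name not in chain:  # guard against a profile loop
        if name not in profiles:
            problems.append(f"profile '{name}' not found")
            break
        chain.append(name)
        p = profiles[name]
        if "mfa_serial" in p:
            mfa.append(p["mfa_serial"])
        if "role_arn" not in p:  # end of chain: must hold long-term keys
            if "aws_access_key_id" not in p:
                problems.append(f"'{name}' has no role_arn and no static keys")
            break
        if "source_profile" not in p:
            problems.append(f"'{name}' has role_arn but no source_profile")
            break
        name = p["source_profile"]
    return chain, mfa, problems
```

For the posted setup, `resolve_chain(load_profiles(CONFIG, CREDENTIALS), "privat")` returns the chain `privat` then `XX-XXX` with one MFA serial and no problems, so the files themselves are consistent and an MFA prompt is expected on every fresh assume-role.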

kmcquade commented on May 27, 2024

Right on. I’ll test some stuff out and get back to you. Quite puzzling.

Did you install Cloudsplaining with pip or with Homebrew?

acidflash commented on May 27, 2024

> Right on. I’ll test some stuff out and get back to you. Quite puzzling.
>
> Did you install Cloudsplaining with pip or with Homebrew?

Homebrew

acidflash commented on May 27, 2024

I can give some new input in this case.
I found if I run:
aws-vault exec ss-privat
bash-3.2$ cloudsplaining download
Found credentials in environment variables.
Saved results to default.json

So then I don't know if this is an issue in aws-vault or cloudsplaining.

kmcquade commented on May 27, 2024

@acidflash, it looks like from what you showed above, it saved the Account authorization details to the default.json. Did that not work?

kmcquade commented on May 27, 2024

Just took a look at your original question. Instead of using export AWS_PROFILE='profilename', use this instead:

cloudsplaining download --profile profilename

That should work.

kmcquade commented on May 27, 2024

@acidflash - any chance you were able to try the above?

Hoping to clean up some of the remaining issues.
