Fix issue assuming role in regions with STS disabled

Toni de la Fuente
2020-12-17 16:34:10 +01:00
parent 6ed6a47f8f
commit 91ce905a5a
3 changed files with 28 additions and 14 deletions


@@ -31,13 +31,13 @@ assume_role(){
# assume role command
$AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
--role-session-name ProwlerAssessmentSession \
--region $REGION \
--region $REGION_FOR_STS \
--duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE
else
$AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
--role-session-name ProwlerAssessmentSession \
--duration-seconds $SESSION_DURATION_TO_ASSUME \
--region $REGION \
--region $REGION_FOR_STS \
--external-id $ROLE_EXTERNAL_ID > $TEMP_STS_ASSUMED_FILE
fi
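Review bot: The new `--region $REGION_FOR_STS` argument is unquoted and has no guard for the variable being unset or empty, so if assume_role is ever reached before the code that derives REGION_FOR_STS from REGION (the case statement in the other changed file), the expansion collapses and the AWS CLI would consume the following token (`--duration-seconds` or `--external-id`) as the region value instead of failing cleanly. This appears to be an ordering dependency between two functions in different files, so it is worth making explicit at the call site rather than relying on getWhoami having run first. Suggest `--region "${REGION_FOR_STS:?REGION_FOR_STS is not set; run getWhoami first}" \` on both assume-role invocations in this hunk, or `--region "${REGION_FOR_STS:-$REGION}" \` if a silent fallback to the user-selected region is acceptable; either way the variable should be quoted like the other arguments should be. The body of assume_role begins before this hunk, so the surrounding if/else condition is not visible here.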


@@ -13,8 +13,30 @@
# Get whoami in AWS, who is the user running this shell script
GETCALLER=$($AWSCLI sts get-caller-identity $PROFILE_OPT --region $REGION)
ACCOUNT_NUM=$(echo $GETCALLER | jq -r '.Account')
# Get a list of all available AWS Regions
# sice describe-regions doesn't seem to work at me-south-1|eu-south-1|ap-east-1|af-south-1.
# Probably dased on https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
# when invoking regions with -r, those regions with STS disabled make GETCALLER fail then
# this if will filter them out (Africa (Cape Town), Asia Pacific (Hong Kong), Europe (Milan) and Middle East (Bahrain) ):
case "$REGION" in
me-south-1|eu-south-1|ap-east-1|af-south-1)
REGION_FOR_STS="us-east-1"
;;
*)
REGION_FOR_STS=$REGION
;;
esac
GETCALLER=$($AWSCLI sts get-caller-identity $PROFILE_OPT --region $REGION_FOR_STS)
if [[ $ACCOUNT_TO_ASSUME ]]; then
ACCOUNT_NUM=$ACCOUNT_TO_ASSUME
else
ACCOUNT_NUM=$(echo $GETCALLER | jq -r '.Account')
fi
CALLER_ARN=$(echo $GETCALLER | jq -r '.Arn')
USER_ID=$(echo $GETCALLER | jq -r '.UserId')
AWS_PARTITION=$(echo $CALLER_ARN| cut -d: -f2)
@@ -28,10 +50,6 @@ getWhoami(){
exit $EXITCODE
fi
if [[ $ACCOUNT_TO_ASSUME ]]; then
ACCOUNT_NUM=$ACCOUNT_TO_ASSUME
fi
if [[ "$MODE" == "csv" ]]; then
if [[ 255 -eq $? ]]; then
# Failed to get own identity ... exit