Added feature to allow role ARN while using -R parameter @mmuller88

Added feature to allow role ARN while using -R parameter @mmuller88 #859
This commit is contained in:
Toni de la Fuente
2021-09-13 19:01:15 +02:00
committed by GitHub
2 changed files with 11 additions and 4 deletions


@@ -26,22 +26,29 @@ assume_role(){
# temporary file where to store credentials
TEMP_STS_ASSUMED_FILE=$(mktemp -t prowler.sts_assumed-XXXXXX)
# check if role arn or role name
if [[ $ROLE_TO_ASSUME == arn:* ]]; then
PROWLER_ROLE=$ROLE_TO_ASSUME
else
PROWLER_ROLE=arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME
fi
#Check if external ID has bee provided if so execute with external ID if not ignore
if [[ -z $ROLE_EXTERNAL_ID ]]; then
# assume role command
$AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
$AWSCLI $PROFILE_OPT sts assume-role --role-arn $PROWLER_ROLE \
--role-session-name ProwlerAssessmentSession \
--region $REGION_FOR_STS \
--duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE 2>&1
else
$AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
$AWSCLI $PROFILE_OPT sts assume-role --role-arn $PROWLER_ROLE \
--role-session-name ProwlerAssessmentSession \
--duration-seconds $SESSION_DURATION_TO_ASSUME \
--region $REGION_FOR_STS \
--external-id $ROLE_EXTERNAL_ID > $TEMP_STS_ASSUMED_FILE 2>&1
fi
if [[ $(grep AccessDenied $TEMP_STS_ASSUMED_FILE) ]]; then
textFail "Access Denied assuming role arn:${AWS_PARTITION}:iam::${ACCOUNT_TO_ASSUME}:role/${ROLE_TO_ASSUME}"
textFail "Access Denied assuming role $PROWLER_ROLE"
rm -f $TEMP_STS_ASSUMED_FILE
EXITCODE=1
exit $EXITCODE
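Review bot: The new ARN branch at `if [[ $ROLE_TO_ASSUME == arn:* ]]` accepts any string that begins with `arn:` and silently drops `$AWS_PARTITION` and `$ACCOUNT_TO_ASSUME` from the role ARN, so a `-R` value pointing at a different partition or account than the one given with `-A` is assumed without any warning, and the mismatch only surfaces later as whatever the assumed session happens to see. Since `$ACCOUNT_TO_ASSUME` may still be used by the rest of the function or by later checks (not visible here), the account embedded in the ARN should be compared against `-A` when both are given, and the value validated as an IAM role ARN before it reaches `sts assume-role`, rather than only prefix-matched. The unquoted `$PROWLER_ROLE` on the two `--role-arn` lines follows the file's existing style but would be safer as `"$PROWLER_ROLE"`. `assume_role()` begins before this hunk and the `AccessDenied` `if` block closes after it.
```shell
# check if role arn or role name
if [[ $ROLE_TO_ASSUME == arn:* ]]; then
  # only accept a well-formed IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path/name>
  if [[ ! $ROLE_TO_ASSUME =~ ^arn:[a-z-]+:iam::[0-9]{12}:role/.+$ ]]; then
    textFail "Invalid role ARN given with -R: $ROLE_TO_ASSUME"
    exit 1
  fi
  # the account embedded in the ARN must agree with -A when both are given
  ARN_ACCOUNT=${ROLE_TO_ASSUME#arn:*:iam::}
  ARN_ACCOUNT=${ARN_ACCOUNT%%:*}
  if [[ -n $ACCOUNT_TO_ASSUME && $ARN_ACCOUNT != "$ACCOUNT_TO_ASSUME" ]]; then
    textFail "Role ARN account ($ARN_ACCOUNT) does not match -A ($ACCOUNT_TO_ASSUME)"
    exit 1
  fi
  PROWLER_ROLE=$ROLE_TO_ASSUME
else
  PROWLER_ROLE=arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME
fi
# … unchanged: sts assume-role calls and AccessDenied check …
```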


@@ -92,7 +92,7 @@ USAGE:
-q suppress info messages and passing test output
-A account id for the account where to assume a role, requires -R and -T
(i.e.: 123456789012)
-R role name to assume in the account, requires -A and -T
-R role name or role arn to assume in the account, requires -A and -T
(i.e.: ProwlerRole)
-T session duration given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T
(i.e.: 43200)
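Review bot: The new `-R` help line still says it `requires -A and -T` although, in the ARN form this commit adds, the account comes from the ARN and `-A` is no longer needed to build the role ARN; the text should say which form needs `-A`, e.g. `-R role name or full role ARN to assume; a role name requires -A (account) and -T, a role ARN already carries the account`. An ARN example next to `(i.e.: ProwlerRole)` would also help, such as `(i.e.: ProwlerRole or arn:aws:iam::123456789012:role/ProwlerRole)`. Whether option validation elsewhere still rejects `-R` without `-A` is not visible in this hunk, so the wording should match whatever that check actually enforces.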