Improved feature to refresh assume role credentials before it expires

include/assume_role

@@ -70,7 +70,7 @@ assume_role(){
     export AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId')
     export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
     export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
-    export AWS_SESSION_EXPIRATION=$(convert_date_to_timestamp "$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration')")
+    export AWS_SESSION_EXPIRATION=$(convert_date_to_timestamp "$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration'| sed 's/+00:00//g')")
     rm -fr $TEMP_STS_ASSUMED_FILE
 }
 

include/os_detector

@@ -112,13 +112,12 @@ gnu_convert_date_to_timestamp() {
   # if [ "$OSTYPE" == "linux-musl" ]; then
   #   date -D "%Y-%m-%dT%H:%M:%SZ" -d "$1" +%s
   # else
-    date -d "$1" +%s
+    date -u -d "$1" +%s
   # fi
 }
 
 bsd_convert_date_to_timestamp() {
-  echo $(( $(date -j -f %Y-%m-%dT%H:%M:%S "$1" +%s) + 3600 ))
-  # Change above is because epoch time generator in BSD is 1h less than in Linux ¯\_(ツ)_/¯
+  echo $(date -u -j -f %Y-%m-%dT%H:%M:%S "$1" +%s)
   #date -j -f "%Y-%m-%dT%H:%M:%S" "$1" "+%s"
 }
 

prowler

@@ -296,7 +296,7 @@ get_regions() {
   # Get list of regions based on include/whoami
   REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' --output text $PROFILE_OPT --region $REGION_FOR_STS --region-names $FILTERREGION 2>&1)
   if [[ $(echo "$REGIONS" | grep 'AccessDenied\|UnauthorizedOperation') ]]; then
-    echo "Access Denied trying to describe regions"
+    echo "$OPTRED Access Denied trying to describe regions! Review permissions as described here: https://github.com/toniblyx/prowler/#requirements-and-installation $OPTNORMAL"
     EXITCODE=1
     exit $EXITCODE
   fi
@@ -342,11 +342,14 @@ show_group_title() {
 
 # Function to execute the check
 execute_check() {
+
   if [[ $ACCOUNT_TO_ASSUME ]]; then
-    MINIMUM_REMAINING_TIME_ALLOWED=$(($SESSION_DURATION_TO_ASSUME / 10 ))
+    # Following logic looks for time remaining in the session and review it 
+    # if it is less than 600 seconds, 10 minutes.
     CURRENT_TIMESTAMP=$(date -u "+%s")
-    SESSION_CUTOFF=$(($CURRENT_TIMESTAMP + $MINIMUM_REMAINING_TIME_ALLOWED))
-    if [[ $AWS_SESSION_EXPIRATION < $SESSION_CUTOFF ]]; then
+    SESSION_TIME_REMAINING=$(expr $AWS_SESSION_EXPIRATION - $CURRENT_TIMESTAMP)
+    MINIMUM_REMAINING_TIME_ALLOWED="600"
+    if [[ $MINIMUM_REMAINING_TIME_ALLOWED > $SESSION_TIME_REMAINING ]]; then
       unset AWS_ACCESS_KEY_ID
       unset AWS_SECRET_ACCESS_KEY
       unset AWS_SESSION_TOKEN