From f006c81e6a888fd6bd3cc7bcaf62fefea7401acb Mon Sep 17 00:00:00 2001
From: Fayez Barbari
Date: Mon, 20 Jan 2020 14:36:01 -0600
Subject: [PATCH] Use custom aws profile with Role to assume

---
include/assume_role | 12 ++++++++----
prowler | 7 +++++++
2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/include/assume_role b/include/assume_role
index 0ff97610..4fedfb3d 100644
--- a/include/assume_role
+++ b/include/assume_role
@@ -27,7 +27,7 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then
 TEMP_STS_ASSUMED_FILE=$(mktemp -t prowler.sts_assumed-XXXXXX)
 # assume role command
- $AWSCLI sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
+ $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
 --role-session-name ProwlerAssessmentSession \
 --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE
@@ -41,9 +41,13 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then
 exit 1
 fi
+ # The profile shouldn't be used for CLI
+ PROFILE=""
+ PROFILE_OPT=""
+
 # set env variables with assumed role credentials
- AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId')
- AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
- AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
+ export AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId')
+ export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
+ export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
 rm -fr $TEMP_STS_ASSUMED_FILE
 fi
diff --git a/prowler b/prowler
index 57315da3..e4e096d0 100755
--- a/prowler
+++ b/prowler
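Review bot: `$PROFILE_OPT` on the changed `$AWSCLI` line has to stay unquoted so that it word-splits into `--profile <name>`, but nothing on the line says so, and the same line interpolates `$ACCOUNT_TO_ASSUME` and `$ROLE_TO_ASSUME` unquoted into the role ARN while the redirect target `$TEMP_STS_ASSUMED_FILE` is unquoted as well. A profile, account or role value containing whitespace or glob characters would silently change the argument list rather than fail. Add above the call `# $PROFILE_OPT is intentionally unquoted: it expands to '--profile <name>' or to nothing` (PROFILE_OPT is defined outside this hunk, so confirm that is what it carries) and quote the rest: `--role-arn "arn:aws:iam::${ACCOUNT_TO_ASSUME}:role/${ROLE_TO_ASSUME}"` and `> "$TEMP_STS_ASSUMED_FILE"`. The enclosing `if [[ $ACCOUNT_TO_ASSUME ]]` block continues past the hunk.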
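Review bot: The three `export AWS_…=$(cat … | jq …)` lines hide any failure of the pipeline, because `export` reports success whatever the command substitution did, and when the STS response carries no `.Credentials` object `jq -r` emits the literal string `null` rather than an error. Since `PROFILE_OPT` is emptied a few lines above, a failed extraction would leave the rest of the run using whatever identity the default credential chain resolves to instead of the assumed role, with no message. Assign first, check both the exit status and the value, and only then export; the rewrite below also lets `jq` read the file itself and quotes the path. The enclosing `if` block starts outside the hunk.
```shell
# … unchanged: PROFILE / PROFILE_OPT reset …
# set env variables with assumed role credentials
AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' "$TEMP_STS_ASSUMED_FILE") || exit 1
AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' "$TEMP_STS_ASSUMED_FILE") || exit 1
AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' "$TEMP_STS_ASSUMED_FILE") || exit 1
# jq prints "null" for a missing key; refuse to continue on an incomplete credential set
if [[ -z "$AWS_SESSION_TOKEN" || "$AWS_SESSION_TOKEN" == "null" ]]; then
  echo "ERROR: STS response did not contain assumed role credentials" >&2
  exit 1
fi
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
# … unchanged: removal of the temp file …
```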
@@ -439,6 +439,13 @@ if [[ $CHECK_ID ]];then
 exit $EXITCODE
 fi
+if [[ $ACCOUNT_TO_ASSUME ]]; then
+ # unset env variables with assumed role credentials
+ unset AWS_ACCESS_KEY_ID
+ unset AWS_SECRET_ACCESS_KEY
+ unset AWS_SESSION_TOKEN
+fi
+
 execute_all
 scoring
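Review bot: The new `unset` block clears the assumed-role credentials immediately before `execute_all` and `scoring`, and `include/assume_role` in this same commit empties `PROFILE_OPT` once a role has been assumed, so unless `execute_all` re-runs the assume-role logic itself the remaining checks run neither as the assumed role nor under the user-selected profile but as whatever the default credential chain resolves to. I cannot see `execute_all` from here, so confirm which of the two is intended. If re-assumption does happen inside `execute_all`, say so on the block, e.g. `# execute_all assumes the role again per run; drop the stale session credentials first`; otherwise the unset belongs after `execute_all`/`scoring`, not before. The `if [[ $CHECK_ID ]]` block that ends at the visible `fi` starts outside the hunk.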