Open

2026-02-10 06:45:08 +00:00 · 2020-04-14 22:46:44 +02:00
parent 4ea1864365
commit f3664b56ec
3 changed files with 36 additions and 8 deletions
--- a/README.md
+++ b/README.md
@@ -251,6 +251,7 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX
                              (i.e.: ProwlerRole)
        -T                  session durantion given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T
                              (i.e.: 43200)
+        -I                 External ID to be used when assuming roles (no mandatory)
        -h                  this help
    ```

@@ -264,6 +265,10 @@ Prowler uses the AWS CLI underneath so it uses the same authentication methods.
 ./prowler -A 123456789012 -R ProwlerRole
 ```

+```
+./prowler -A 123456789012 -R ProwlerRole -I 123456
+```
+
 > *NOTE 1 about Session Duration*: By default it gets credentials valid for 1 hour (3600 seconds). Depending on the mount of checks you run and the size of your infrastructure, Prowler may require more than 1 hour to finish. Use option `-T <seconds>`  to allow up to 12h (43200 seconds). To allow more than 1h you need to modify *"Maximum CLI/API session duration"* for that particular role, read more [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session).

 > *NOTE 2 about Session Duration*: Bear in mind that if you are using roles assumed by role chaining there is a hard limit of 1 hour so consider not using role chaining if possible, read more about that, in foot note 1 below the table [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html).
@@ -274,6 +279,10 @@ For example, if you want to get only the fails in CSV format from all checks reg
 ./prowler -A 123456789012 -R RemoteRoleToAssume -T 3600 -b -M cvs -q -g rds
 ```

+```
+./prowler -A 123456789012 -R RemoteRoleToAssume -T 3600 -I 123456 -b -M cvs -q -g rds
+```
+
 ### Custom folder for custom checks

 Flag `-x /my/own/checks` will include any check in that particular directory. To see how to write checks see [Add Custom Checks](#add-custom-checks) section.
@@ -552,3 +561,4 @@ NOTE: If you are interested in using Prowler for commercial purposes remember th
 **I'm not related anyhow with CIS organization, I just write and maintain Prowler to help companies over the world to make their cloud infrastructure more secure.**

 If you want to contact me visit <https://blyx.com/contact>
+
--- a/include/assume_role
+++ b/include/assume_role
@@ -25,11 +25,24 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then

    # temporary file where to store credentials
    TEMP_STS_ASSUMED_FILE=$(mktemp -t prowler.sts_assumed-XXXXXX)
+    
+    #Check if external ID has bee provided if so execute with external ID if not ignore
+    if [[ -z $ROLE_EXTERNAL_ID ]]; then
+        # assume role command
+        $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
+            --role-session-name ProwlerAssessmentSession \
+            --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE 
+    else 
+        $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
+            --role-session-name ProwlerAssessmentSession \
+            --duration-seconds $SESSION_DURATION_TO_ASSUME \
+            --external-id $ROLE_EXTERNAL_ID > $TEMP_STS_ASSUMED_FILE 
+    fi 

    # assume role command
-    $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
-        --role-session-name ProwlerAssessmentSession \
-        --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE 
+    #$AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
+    #    --role-session-name ProwlerAssessmentSession \
+    #    --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE 

    # if previous command fails exit with the given error from aws-cli
    # this is likely to be due to session duration limit of 1h in case 
--- a/15
+++ b/15
@@ -85,13 +85,14 @@ USAGE:
      -R                  role name to assume in the account, requires -A and -T
                            (i.e.: ProwlerRole)
      -T                  session durantion given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T
-                            (i.e.: 43200)
+                            (i.e.: 43200) 
+      -I                  External ID to be used when assuming roles (no mandatory), requires -A and -R.
      -h                  this help
  "
  exit
 }

-while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsSx:A:R:T:" OPTION; do
+while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsSxI:A:R:T:" OPTION; do
   case $OPTION in
     h )
        usage
@@ -163,6 +164,9 @@ while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsSx:A:R:T:" OPTION; do
     R )
        ROLE_TO_ASSUME=$OPTARG
        ;;
+     I )
+        ROLE_EXTERNAL_ID=$OPTARG
+        ;;
     T )
        SESSION_DURATION_TO_ASSUME=$OPTARG
        ;;
@@ -457,6 +461,10 @@ if [[ $CHECK_ID ]];then
  exit $EXITCODE
 fi

+execute_all
+scoring
+cleanTemp
+
 if [[ $ACCOUNT_TO_ASSUME ]]; then
  # unset env variables with assumed role credentials
  unset AWS_ACCESS_KEY_ID
@@ -465,7 +473,4 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then
 fi


-execute_all
-scoring
-cleanTemp
 exit $EXITCODE