prowler/include/assume_role

#!/usr/bin/env bash

# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.

assume_role(){

    PROFILE_OPT=$PROFILE_OPT_BAK
    if [[ "${PROFILE_OPT}" = "" ]]; then
        # If profile is not defined, restore original credentials from environment variables, if they exists!
        restoreInitialAWSCredentials
    fi
    
    # Both variables are mandatory to be set together
    if [[ -z $ROLE_TO_ASSUME || -z $ACCOUNT_TO_ASSUME ]]; then
        echo "$OPTRED ERROR!$OPTNORMAL - Both Account ID (-A) and IAM Role to assume (-R) must be set"
        exit 1
    fi
    # if not session duration set with -T, then will be 1h.
    # In some cases you will need more than 1h.
    if [[ -z $SESSION_DURATION_TO_ASSUME ]]; then
        SESSION_DURATION_TO_ASSUME="3600"
    elif [[ "${SESSION_DURATION_TO_ASSUME}" -gt "43200" ]] || [[ "${SESSION_DURATION_TO_ASSUME}" -lt "900" ]]; then
        echo "$OPTRED ERROR!$OPTNORMAL - Role session duration must be more than 900 seconds and less than 4300 seconds"
        exit 1
    fi

    # temporary file where to store credentials
    TEMP_STS_ASSUMED_FILE=$(mktemp -t prowler.sts_assumed-XXXXXX)
    TEMP_STS_ASSUMED_ERROR=$(mktemp -t prowler.sts_assumed-XXXXXX)

    # check if role arn or role name
    if [[ $ROLE_TO_ASSUME == arn:* ]]; then
        PROWLER_ROLE=$ROLE_TO_ASSUME
    else
        PROWLER_ROLE=arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME
    fi

    # Check if external ID has bee provided if so execute with external ID if not ignore
    ROLE_EXTERNAL_ID_OPTION=""
    if [[ -n "${ROLE_EXTERNAL_ID}" ]]; then
        ROLE_EXTERNAL_ID_OPTION="--external-id ${ROLE_EXTERNAL_ID}"
    fi

    # Assume role
    if ! $AWSCLI $PROFILE_OPT sts assume-role --role-arn $PROWLER_ROLE \
        --role-session-name ProwlerAssessmentSession \
        --duration-seconds $SESSION_DURATION_TO_ASSUME \
        --region $REGION_FOR_STS \
        "${ROLE_EXTERNAL_ID_OPTION}" > $TEMP_STS_ASSUMED_FILE 2>"${TEMP_STS_ASSUMED_ERROR}"
    then
        STS_ERROR="$(cat ${TEMP_STS_ASSUMED_ERROR} | tr '\n' ' ')"
        textFail "${STS_ERROR}"
        EXITCODE=1
        exit $EXITCODE
    fi
    
    # echo FILE WITH TEMP CREDS: $TEMP_STS_ASSUMED_FILE
    
    # The profile shouldn't be used for CLI
    PROFILE=""
    PROFILE_OPT=""   

    # Set AWS environment variables with assumed role credentials
    ASSUME_AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' "${TEMP_STS_ASSUMED_FILE}")
    export AWS_ACCESS_KEY_ID=$ASSUME_AWS_ACCESS_KEY_ID
    ASSUME_AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey'  "${TEMP_STS_ASSUMED_FILE}")
    export AWS_SECRET_ACCESS_KEY=$ASSUME_AWS_SECRET_ACCESS_KEY
    ASSUME_AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken'  "${TEMP_STS_ASSUMED_FILE}")
    export AWS_SESSION_TOKEN=$ASSUME_AWS_SESSION_TOKEN
    ASSUME_AWS_SESSION_EXPIRATION=$(jq -r '.Credentials.Expiration | sub("\\+00:00";"Z") | fromdateiso8601'  "${TEMP_STS_ASSUMED_FILE}")
    export AWS_SESSION_EXPIRATION=$ASSUME_AWS_SESSION_EXPIRATION
    # echo TEMP AWS_ACCESS_KEY_ID: $ASSUME_AWS_ACCESS_KEY_ID
    # echo TEMP AWS_SECRET_ACCESS_KEY: $ASSUME_AWS_SECRET_ACCESS_KEY
    # echo TEMP AWS_SESSION_TOKEN: $ASSUME_AWS_SESSION_TOKEN
    # echo EXPIRATION EPOCH TIME: $ASSUME_AWS_SESSION_EXPIRATION

    cleanSTSAssumeFile
}

cleanSTSAssumeFile() {
    rm -fr "${TEMP_STS_ASSUMED_FILE}"
    rm -fr "${TEMP_STS_ASSUMED_ERROR}"
}

backupInitialAWSCredentials() {

    if [[ $(printenv AWS_ACCESS_KEY_ID) && $(printenv AWS_SECRET_ACCESS_KEY) && $(printenv AWS_SESSION_TOKEN) ]]; then 
        INITIAL_AWS_ACCESS_KEY_ID=$(printenv AWS_ACCESS_KEY_ID)
        INITIAL_AWS_SECRET_ACCESS_KEY=$(printenv AWS_SECRET_ACCESS_KEY)
        INITIAL_AWS_SESSION_TOKEN=$(printenv AWS_SESSION_TOKEN)
    fi    
}

restoreInitialAWSCredentials() {
    if [[ $INITIAL_AWS_ACCESS_KEY_ID && $INITIAL_AWS_SECRET_ACCESS_KEY && $INITIAL_AWS_SESSION_TOKEN ]]; then
        export AWS_ACCESS_KEY_ID=$INITIAL_AWS_ACCESS_KEY_ID
        export AWS_SECRET_ACCESS_KEY=$INITIAL_AWS_SECRET_ACCESS_KEY
        export AWS_SESSION_TOKEN=$INITIAL_AWS_SESSION_TOKEN
    else
        unset AWS_ACCESS_KEY_ID
        unset AWS_SECRET_ACCESS_KEY
        unset AWS_SESSION_TOKEN
    fi
}