ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 23:05:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d272fad4c2b016e9d49c4109b0b8d267d5439592
prowler/include/assume_role

92 lines
4.0 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
# both variables are mandatory to be set together
assume_role(){
if [[ -z $ROLE_TO_ASSUME ]]; then
echo "$OPTRED ERROR!$OPTNORMAL - Both Account ID (-A) and IAM Role to assume (-R) must be set"
exit 1
fi
# if not session duration set with -T, then will be 1h.
# In some cases you will need more than 1h.
if [[ -z $SESSION_DURATION_TO_ASSUME ]]; then
SESSION_DURATION_TO_ASSUME="3600"
elif [[ "${SESSION_DURATION_TO_ASSUME}" -gt "43200" ]] || [[ "${SESSION_DURATION_TO_ASSUME}" -lt "900" ]]; then
echo "$OPTRED ERROR!$OPTNORMAL - Role session duration must be more than 900 seconds and less than 4300 seconds"
exit 1
fi
# temporary file where to store credentials
TEMP_STS_ASSUMED_FILE=$(mktemp -t prowler.sts_assumed-XXXXXX)
# check if role arn or role name
if [[ $ROLE_TO_ASSUME == arn:* ]]; then
PROWLER_ROLE=$ROLE_TO_ASSUME
else
PROWLER_ROLE=arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME
fi
#Check if external ID has bee provided if so execute with external ID if not ignore
if [[ -z $ROLE_EXTERNAL_ID ]]; then
# assume role command
$AWSCLI $PROFILE_OPT sts assume-role --role-arn $PROWLER_ROLE \
--role-session-name ProwlerAssessmentSession \
--region $REGION_FOR_STS \
--duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE 2>&1
else
$AWSCLI $PROFILE_OPT sts assume-role --role-arn $PROWLER_ROLE \
--role-session-name ProwlerAssessmentSession \
--duration-seconds $SESSION_DURATION_TO_ASSUME \
--region $REGION_FOR_STS \
--external-id $ROLE_EXTERNAL_ID > $TEMP_STS_ASSUMED_FILE 2>&1
fi
if [[ $(grep AccessDenied $TEMP_STS_ASSUMED_FILE) ]]; then
textFail "Access Denied assuming role $PROWLER_ROLE"
EXITCODE=1
exit $EXITCODE
elif [[ "$(grep MaxSessionDuration $TEMP_STS_ASSUMED_FILE)" ]]; then
textFail "The requested DurationSeconds exceeds the MaxSessionDuration set for the role ${PROWLER_ROLE}"
EXITCODE=1
exit $EXITCODE
fi
# assume role command
#$AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
# --role-session-name ProwlerAssessmentSession \
# --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE
# if previous command fails exit with the given error from aws-cli
# this is likely to be due to session duration limit of 1h in case
# of assume role chaining:
# "The requested DurationSeconds exceeds the 1 hour session limit
# for roles assumed by role chaining."
# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
if [[ $? != 0 ]];then
exit 1
fi
# The profile shouldn't be used for CLI
PROFILE=""
PROFILE_OPT=""
# set env variables with assumed role credentials
export AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
export AWS_SESSION_EXPIRATION=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration | sub("\\+00:00";"Z") | fromdateiso8601')
cleanSTSAssumeFile
}
cleanSTSAssumeFile() {
rm -fr "${TEMP_STS_ASSUMED_FILE}"
}
Reference in New Issue View Git Blame Copy Permalink