mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 14:55:00 +00:00
113 lines
4.7 KiB
Bash
113 lines
4.7 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
|
# use this file except in compliance with the License. You may obtain a copy
|
|
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software distributed
|
|
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
|
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations under the License.
|
|
|
|
assume_role(){
|
|
|
|
PROFILE_OPT=$PROFILE_OPT_BAK
|
|
if [[ "${PROFILE_OPT}" = "" ]]; then
|
|
# If profile is not defined, restore original credentials from environment variables, if they exists!
|
|
restoreInitialAWSCredentials
|
|
fi
|
|
|
|
# Both variables are mandatory to be set together
|
|
if [[ -z $ROLE_TO_ASSUME || -z $ACCOUNT_TO_ASSUME ]]; then
|
|
echo "$OPTRED ERROR!$OPTNORMAL - Both Account ID (-A) and IAM Role to assume (-R) must be set"
|
|
exit 1
|
|
fi
|
|
# if not session duration set with -T, then will be 1h.
|
|
# In some cases you will need more than 1h.
|
|
if [[ -z $SESSION_DURATION_TO_ASSUME ]]; then
|
|
SESSION_DURATION_TO_ASSUME="3600"
|
|
elif [[ "${SESSION_DURATION_TO_ASSUME}" -gt "43200" ]] || [[ "${SESSION_DURATION_TO_ASSUME}" -lt "900" ]]; then
|
|
echo "$OPTRED ERROR!$OPTNORMAL - Role session duration must be more than 900 seconds and less than 4300 seconds"
|
|
exit 1
|
|
fi
|
|
|
|
# temporary file where to store credentials
|
|
TEMP_STS_ASSUMED_FILE=$(mktemp -t prowler.sts_assumed-XXXXXX)
|
|
TEMP_STS_ASSUMED_ERROR=$(mktemp -t prowler.sts_assumed-XXXXXX)
|
|
|
|
# check if role arn or role name
|
|
if [[ $ROLE_TO_ASSUME == arn:* ]]; then
|
|
PROWLER_ROLE=$ROLE_TO_ASSUME
|
|
else
|
|
PROWLER_ROLE=arn:${AWS_PARTITION}:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME
|
|
fi
|
|
|
|
# Check if external ID has bee provided if so execute with external ID if not ignore
|
|
ROLE_EXTERNAL_ID_OPTION=""
|
|
if [[ -n "${ROLE_EXTERNAL_ID}" ]]; then
|
|
ROLE_EXTERNAL_ID_OPTION="--external-id ${ROLE_EXTERNAL_ID}"
|
|
fi
|
|
|
|
# Assume role
|
|
if ! $AWSCLI $PROFILE_OPT sts assume-role --role-arn $PROWLER_ROLE \
|
|
--role-session-name ProwlerAssessmentSession \
|
|
--duration-seconds $SESSION_DURATION_TO_ASSUME \
|
|
--region $REGION_FOR_STS \
|
|
${ROLE_EXTERNAL_ID_OPTION} > $TEMP_STS_ASSUMED_FILE 2>"${TEMP_STS_ASSUMED_ERROR}"
|
|
then
|
|
STS_ERROR="$(cat ${TEMP_STS_ASSUMED_ERROR} | tr '\n' ' ')"
|
|
textFail "${STS_ERROR}"
|
|
EXITCODE=1
|
|
exit $EXITCODE
|
|
fi
|
|
|
|
# echo FILE WITH TEMP CREDS: $TEMP_STS_ASSUMED_FILE
|
|
|
|
# The profile shouldn't be used for CLI
|
|
PROFILE=""
|
|
PROFILE_OPT=""
|
|
|
|
# Set AWS environment variables with assumed role credentials
|
|
ASSUME_AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' "${TEMP_STS_ASSUMED_FILE}")
|
|
export AWS_ACCESS_KEY_ID=$ASSUME_AWS_ACCESS_KEY_ID
|
|
ASSUME_AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' "${TEMP_STS_ASSUMED_FILE}")
|
|
export AWS_SECRET_ACCESS_KEY=$ASSUME_AWS_SECRET_ACCESS_KEY
|
|
ASSUME_AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' "${TEMP_STS_ASSUMED_FILE}")
|
|
export AWS_SESSION_TOKEN=$ASSUME_AWS_SESSION_TOKEN
|
|
ASSUME_AWS_SESSION_EXPIRATION=$(jq -r '.Credentials.Expiration | sub("\\+00:00";"Z") | fromdateiso8601' "${TEMP_STS_ASSUMED_FILE}")
|
|
export AWS_SESSION_EXPIRATION=$ASSUME_AWS_SESSION_EXPIRATION
|
|
# echo TEMP AWS_ACCESS_KEY_ID: $ASSUME_AWS_ACCESS_KEY_ID
|
|
# echo TEMP AWS_SECRET_ACCESS_KEY: $ASSUME_AWS_SECRET_ACCESS_KEY
|
|
# echo TEMP AWS_SESSION_TOKEN: $ASSUME_AWS_SESSION_TOKEN
|
|
# echo EXPIRATION EPOCH TIME: $ASSUME_AWS_SESSION_EXPIRATION
|
|
|
|
cleanSTSAssumeFile
|
|
}
|
|
|
|
cleanSTSAssumeFile() {
|
|
rm -fr "${TEMP_STS_ASSUMED_FILE}"
|
|
rm -fr "${TEMP_STS_ASSUMED_ERROR}"
|
|
}
|
|
|
|
backupInitialAWSCredentials() {
|
|
if [[ $(printenv AWS_ACCESS_KEY_ID) && $(printenv AWS_SECRET_ACCESS_KEY) && $(printenv AWS_SESSION_TOKEN) ]]; then
|
|
INITIAL_AWS_ACCESS_KEY_ID=$(printenv AWS_ACCESS_KEY_ID)
|
|
INITIAL_AWS_SECRET_ACCESS_KEY=$(printenv AWS_SECRET_ACCESS_KEY)
|
|
INITIAL_AWS_SESSION_TOKEN=$(printenv AWS_SESSION_TOKEN)
|
|
fi
|
|
}
|
|
|
|
restoreInitialAWSCredentials() {
|
|
if [[ $INITIAL_AWS_ACCESS_KEY_ID && $INITIAL_AWS_SECRET_ACCESS_KEY && $INITIAL_AWS_SESSION_TOKEN ]]; then
|
|
export AWS_ACCESS_KEY_ID=$INITIAL_AWS_ACCESS_KEY_ID
|
|
export AWS_SECRET_ACCESS_KEY=$INITIAL_AWS_SECRET_ACCESS_KEY
|
|
export AWS_SESSION_TOKEN=$INITIAL_AWS_SESSION_TOKEN
|
|
else
|
|
unset AWS_ACCESS_KEY_ID
|
|
unset AWS_SECRET_ACCESS_KEY
|
|
unset AWS_SESSION_TOKEN
|
|
fi
|
|
}
|