99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments
MIT License

Role Chaining with source_identity broken in v7? #1251

Open seldon007 opened 3 months ago

seldon007 commented 3 months ago

I have a user account that is restricted to self-service tasks without assuming any role. The user can assume a read-only role. The user can assume the admin role only after assuming the read-only role.

aws-vault config:

[profile readonly]
source_identity=user
role_arn=arn:aws:iam::##########:role/user-read-only
mfa_serial=arn:aws:iam::##########:mfa/phone1

[profile admin]
source_profile=readonly
role_arn=arn:aws:iam::##########:role/user-admin

The IAM user, roles, policies have been verified by manually assuming roles using aws-cli commands, so IAM setup works. It also works in aws-vault 6.6.1 but not in later aws-vault versions.

vault-6.6.1

Assuming readonly

~ aws-vault --debug exec readonly
2024/07/12 10:57:40 aws-vault v6.6.1
2024/07/12 10:57:40 Loading config file /home/my-name/.aws/config
2024/07/12 10:57:40 Parsing config file /home/my-name/.aws/config
2024/07/12 10:57:40 [keyring] Considering backends: [secret-service]
2024/07/12 10:57:40 profile readonly: using stored credentials
2024/07/12 10:57:40 profile readonly: using GetSessionToken (with MFA)
2024/07/12 10:57:40 profile readonly: using AssumeRole (chained MFA)
Enter MFA code for arn:aws:iam::##########:mfa/phone1: 937150
2024/07/12 10:57:51 Looking up keyring for 'readonly'
2024/07/12 10:57:51 Generated credentials ****************QTXY using GetSessionToken, expires in 59m59.503268263s
2024/07/12 10:57:51 Generated credentials ****************HI6R using AssumeRole, expires in 59m59.33296823s
2024/07/12 10:57:51 Setting subprocess env: AWS_DEFAULT_REGION=my-region, AWS_REGION=my-region
2024/07/12 10:57:51 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2024/07/12 10:57:51 Setting subprocess env: AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN
2024/07/12 10:57:51 Setting subprocess env: AWS_SESSION_EXPIRATION
2024/07/12 10:57:51 Exec command /usr/bin/zsh 
2024/07/12 10:57:51 Found executable /usr/bin/zsh

~ aws sts get-caller-identity
{
    "UserId": "AROA2FKWYO6QAD55HAIIB:1720774660206393035",
    "Account": "##########",
    "Arn": "arn:aws:sts::##########:assumed-role/user-read-only/1720774660206393035"
}

Assuming admin

~ aws-vault  --debug exec admin   
2024/07/12 10:58:31 aws-vault v6.6.1
2024/07/12 10:58:31 Loading config file /home/my-name/.aws/config
2024/07/12 10:58:31 Parsing config file /home/my-name/.aws/config
2024/07/12 10:58:31 [keyring] Considering backends: [secret-service]
2024/07/12 10:58:31 profile readonly: using stored credentials
2024/07/12 10:58:31 profile readonly: using GetSessionToken (with MFA)
2024/07/12 10:58:31 profile readonly: using AssumeRole (chained MFA)
2024/07/12 10:58:31 profile admin: using AssumeRole 
2024/07/12 10:58:31 Re-using cached credentials ****************QTXY from sts.GetSessionToken, expires in 59m19.003197464s
2024/07/12 10:58:32 Generated credentials ****************LIOO using AssumeRole, expires in 59m59.840799801s
2024/07/12 10:58:32 Generated credentials ****************GY45 using AssumeRole, expires in 59m59.698689313s
2024/07/12 10:58:32 Setting subprocess env: AWS_DEFAULT_REGION=my-region, AWS_REGION=my-region
2024/07/12 10:58:32 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2024/07/12 10:58:32 Setting subprocess env: AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN
2024/07/12 10:58:32 Setting subprocess env: AWS_SESSION_EXPIRATION
2024/07/12 10:58:32 Exec command /usr/bin/zsh 
2024/07/12 10:58:32 Found executable /usr/bin/zsh

~ aws sts get-caller-identity
{
    "UserId": "AROA2FKWYO6QDBW64CWWO:1720774711990579653",
    "Account": "##########",
    "Arn": "arn:aws:sts::##########:assumed-role/user-admin/1720774711990579653"
}

vault-7.2.0

Assuming the admin role in 7.2.0 fails. Note: the IAM policies should be correct; otherwise I would get denied in aws-cli and 6.6.1.

Assuming readonly

~ aws-vault --debug exec readonly
2024/07/12 11:00:42 aws-vault v7.2.0
2024/07/12 11:00:42 Using prompt driver: terminal
2024/07/12 11:00:42 Loading config file /home/my-name/.aws/config
2024/07/12 11:00:42 Parsing config file /home/my-name/.aws/config
2024/07/12 11:00:42 [keyring] Considering backends: [secret-service]
2024/07/12 11:00:42 profile readonly: using stored credentials
2024/07/12 11:00:42 profile readonly: using AssumeRole (with MFA)
2024/07/12 11:00:42 Setting subprocess env: AWS_REGION=my-region, AWS_DEFAULT_REGION=my-region
Enter MFA code for arn:aws:iam::##########:mfa/phone1: 383718
2024/07/12 11:00:52 Looking up keyring for 'readonly'
2024/07/12 11:00:52 Generated credentials ****************W6PR using AssumeRole, expires in 59m59.545738104s
2024/07/12 11:00:52 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2024/07/12 11:00:52 Setting subprocess env: AWS_SESSION_TOKEN
2024/07/12 11:00:52 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2024/07/12 11:00:52 Starting subshell /usr/bin/zsh, use `exit` to exit the subshell
2024/07/12 11:00:52 Exec command /usr/bin/zsh 
2024/07/12 11:00:52 Found executable /usr/bin/zsh

~ aws sts get-caller-identity
{
    "UserId": "AROA2FKWYO6QAD55HAIIB:1720774842460942516",
    "Account": "##########",
    "Arn": "arn:aws:sts::##########:assumed-role/user-read-only/1720774842460942516"
}

Assuming admin

~ aws-vault --debug exec admin   
2024/07/12 11:01:13 aws-vault v7.2.0
2024/07/12 11:01:13 Using prompt driver: terminal
2024/07/12 11:01:13 Loading config file /home/my-name/.aws/config
2024/07/12 11:01:13 Parsing config file /home/my-name/.aws/config
2024/07/12 11:01:13 [keyring] Considering backends: [secret-service]
2024/07/12 11:01:13 profile admin: sourcing credentials from profile readonly
2024/07/12 11:01:13 profile readonly: using stored credentials
2024/07/12 11:01:13 profile readonly: using AssumeRole (with MFA)
2024/07/12 11:01:13 profile admin: using AssumeRole 
2024/07/12 11:01:13 Setting subprocess env: AWS_REGION=my-region, AWS_DEFAULT_REGION=my-region
2024/07/12 11:01:13 Re-using cached credentials ****************W6PR from sts.AssumeRole, expires in 59m38.850033756s
aws-vault: error: exec: Failed to get credentials for admin: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 2fc0124b-a51c-4dcc-bba5-e0f462c63803, api error AccessDenied: User: arn:aws:sts::##########:assumed-role/user-read-only/1720774842460942516 is not authorized to perform: sts:SetSourceIdentity on resource: arn:aws:iam::##########:role/user-admin
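The 403 at the end of the report names the missing permission: the read-only role session is not allowed to perform sts:SetSourceIdentity on user-admin. Once a source identity is set on the first hop, STS carries it into every chained AssumeRole, so the trust policy of each later role in the chain has to allow sts:SetSourceIdentity as well as sts:AssumeRole. The following is an added example (not code from this issue or from the aws-vault project) that puts a trust policy reproducing that error next to a corrected one and checks offline which chaining actions a trust policy grants a principal; the account id and both policy documents are constructed.

```python
import fnmatch
import json

ACCOUNT = "111111111111"  # constructed placeholder; the issue masks the account as ##########
READONLY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/user-read-only"
CHAIN_ACTIONS = ("sts:AssumeRole", "sts:SetSourceIdentity")

# Constructed trust policy on user-admin that reproduces the 403 from the issue: the
# read-only role may AssumeRole, but nothing lets it carry a source identity into the session.
TRUST_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": READONLY_ROLE},
                   "Action": "sts:AssumeRole"}],
}

# Corrected trust policy: SetSourceIdentity is granted alongside AssumeRole, and the
# sts:SourceIdentity condition pins the chain to the identity the readonly profile sets ("user").
TRUST_AFTER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": READONLY_ROLE},
                   "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"],
                   "Condition": {"StringEquals": {"sts:SourceIdentity": "user"}}}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_chain_actions(trust_policy, principal_arn):
    """Return the chaining actions that trust_policy does not Allow for principal_arn.

    Deliberately minimal evaluator: an explicit Deny wins over Allow, Action patterns
    are matched case-insensitively with '*' wildcards, only the "AWS" principal type
    (or a bare "*") is handled, and Condition blocks are not evaluated.
    """
    if isinstance(trust_policy, str):
        trust_policy = json.loads(trust_policy)
    allowed, denied = set(), set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if principal_arn not in principals and "*" not in principals:
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for action in CHAIN_ACTIONS:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return [a for a in CHAIN_ACTIONS if a not in allowed or a in denied]


if __name__ == "__main__":
    for name, policy in (("before", TRUST_BEFORE), ("after", TRUST_AFTER)):
        print(f"{name}: missing {missing_chain_actions(policy, READONLY_ROLE) or 'nothing'}")
```

Run against a real trust policy (for example the output of `aws iam get-role`), a non-empty result for the read-only role ARN is the same gap the issue's error message reports.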