DataDog / stratus-red-team

:cloud: :zap: Granular, Actionable Adversary Emulation for the Cloud
https://stratus-red-team.cloud
Apache License 2.0

Unable to apply terraform while using `aws-vault` #596

Closed za closed 4 days ago

za commented 1 week ago

What is not working?

Hello there,

I am using aws-vault to secure my access key and secret key, as written in the examples here. I have no issue running aws sts get-caller-identity, but when I run this, it fails while applying the Terraform code.

➜  ~ stratus detonate aws.credential-access.ec2-steal-instance-credentials
2024/11/15 14:19:56 Checking your authentication against AWS
2024/11/15 14:19:57 Creating /home/za/.stratus-red-team as it doesn't exist yet
2024/11/15 14:19:57 Installing Terraform in /home/za/.stratus-red-team/terraform
2024/11/15 14:20:01 Note: This is a slow attack technique, it might take a long time to warm up or detonate
2024/11/15 14:20:01 Warming up aws.credential-access.ec2-steal-instance-credentials
2024/11/15 14:20:01 Initializing Terraform to spin up technique prerequisites
2024/11/15 14:20:15 Applying Terraform to spin up technique prerequisites
2024/11/15 14:22:00 Error during warm up. Cleaning up technique prerequisites with terraform destroy
2024/11/15 14:23:01 unable to run terraform apply on prerequisite: unable to apply Terraform: exit status 1

Error: failed creating IAM Role (stratus-red-team-ec2-steal-credentials-role): InvalidClientTokenId: The security token included in the request is invalid
        status code: 403, request id: <snipped>

  with aws_iam_role.instance-role,
  on main.tf line 63, in resource "aws_iam_role" "instance-role":
  63: resource "aws_iam_role" "instance-role" {

I can detonate the attack if I am not using aws-vault.

What OS are you using? WSL (Ubuntu Jammy) on Windows

What is your Stratus Red Team version?

$ stratus version
2.19.1

Files in $HOME/.stratus-red-team? ls -lahR

/home/za/.stratus-red-team:
total 60M
drwxr--r--  3 za za 4.0K Nov 15 14:20 .
drwxr-x--- 32 za za 4.0K Nov 15 14:45 ..
drwxr--r--  3 za za 4.0K Nov 15 14:36 aws.credential-access.ec2-steal-instance-credentials
-rwx------  1 za za  60M Nov 15 14:20 terraform

Thanks

christophetd commented 5 days ago

Can you share the aws-vault command you've been using? You might need to add --no-session (e.g. aws-vault exec yourprofile --no-session) if using long-lived IAM user credentials.

za commented 4 days ago

OK, it works now @christophetd after adding --no-session. Thanks! I am closing the issue now.

za commented 4 days ago

FTR: it is mentioned in the README: https://github.com/DataDog/stratus-red-team/blob/1dfcf0c2bda8b6eed94882faf4a2db3d6a1c933e/docs/user-guide/examples.md?plain=1#L13
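An added example, not code from the stratus-red-team project or from either commenter: a small POSIX shell helper that tells you which kind of credentials aws-vault handed to the process running stratus. By default aws-vault exec exports temporary STS session credentials; with --no-session it passes through the profile's long-lived IAM user keys, which is what made the Terraform apply succeed above. The check relies on the AWS access-key-ID prefixes (AKIA for long-term IAM user keys, ASIA for temporary STS credentials) and on whether AWS_SESSION_TOKEN is set. The function names, the advice text and the sample key IDs in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from stratus-red-team or the issue thread).
# Classifies the AWS credentials present in the environment so you can see
# whether aws-vault gave you a session (its default) or long-lived IAM user
# keys (what "aws-vault exec PROFILE --no-session" passes through).
#
# Assumed AWS conventions (not stated on the page):
#   - long-term IAM user access keys start with "AKIA" and have no session token
#   - temporary STS credentials start with "ASIA" and come with AWS_SESSION_TOKEN

# classify_aws_creds KEY_ID SESSION_TOKEN
# Prints one of: none | long-lived | sts-session | inconsistent | unknown
classify_aws_creds() {
    key_id="$1"
    token="$2"
    case "$key_id" in
        '')    echo none ;;
        AKIA*) if [ -z "$token" ]; then echo long-lived; else echo inconsistent; fi ;;
        ASIA*) if [ -n "$token" ]; then echo sts-session; else echo inconsistent; fi ;;
        *)     echo unknown ;;
    esac
}

# advise_no_session KIND
# Prints what to do for a credential kind. Returns 0 (true) only when a
# retry with --no-session is indicated, i.e. the fix that closed this issue.
advise_no_session() {
    case "$1" in
        sts-session)
            echo "STS session credentials in use; retry with:"
            echo "  aws-vault exec PROFILE --no-session -- stratus detonate TECHNIQUE"
            return 0 ;;
        long-lived)
            echo "long-lived IAM user keys in use; --no-session is already in effect (or aws-vault is not involved)"
            return 1 ;;
        none)
            echo "no AWS credentials in the environment; run this under aws-vault exec"
            return 1 ;;
        *)
            echo "credentials look odd ($1); check the aws-vault profile"
            return 1 ;;
    esac
}

# check_env: classify whatever the current environment carries.
# Run it both ways to see the difference aws-vault makes:
#   aws-vault exec yourprofile -- sh check.sh
#   aws-vault exec yourprofile --no-session -- sh check.sh
check_env() {
    kind=$(classify_aws_creds "${AWS_ACCESS_KEY_ID:-}" "${AWS_SESSION_TOKEN:-}")
    advise_no_session "$kind"
}

# Stand-alone run: report on the current environment, never fail the script.
check_env || :
```

Without aws-vault in front of it the script reports "none"; under a plain aws-vault exec it reports the STS session that tripped Terraform in this issue, and under --no-session it reports long-lived keys. Sample key IDs used in the test (AKIAIOSFODNN7EXAMPLE and ASIAIOSFODNN7EXAMPLE) are constructed, not real credentials.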