Netflix / security_monkey

Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
Apache License 2.0

botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied #1222

Closed chandu412 closed 5 years ago

chandu412 commented 5 years ago

Description of issue:

I did the setup of Security Monkey through Docker in AWS, and when I try to run monkey find_changes I get the error below: "botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied"

I have checked all the roles and permissions and created them the same as in the documents, and given all the inline policies as stated in the docs. I have gone through all the issues here, but I didn't get the solution I was looking for.

Thanks in advance.

(Screenshots attached: Secmonk, Trustrel, instancepro)

chandu412 commented 5 years ago

2019-08-19 10:16:46,881 INFO: [-->] Looking for changes in account: monkeytest, technology: alb [in /usr/local/lib/python2.7/dist-packages/security_monkey/task_scheduler/tasks.py:224]
Traceback (most recent call last):
  File "/usr/local/bin/monkey", line 11, in <module>
    load_entry_point('security-monkey==1.1.1', 'console_scripts', 'monkey')()
  File "/usr/local/lib/python2.7/dist-packages/security_monkey/manage.py", line 868, in main
    manager.run()
  File "/usr/local/lib/python2.7/dist-packages/flask_script/__init__.py", line 397, in run
    result = self.handle(sys.argv[0], sys.argv[1:])
  File "/usr/local/lib/python2.7/dist-packages/flask_script/__init__.py", line 376, in handle
    return handle(app, *positional_args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/flask_script/commands.py", line 145, in handle
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/security_monkey/manage.py", line 91, in find_changes
    manual_run_change_finder(account_names, monitor_names)
  File "/usr/local/lib/python2.7/dist-packages/security_monkey/task_scheduler/tasks.py", line 199, in manual_run_change_finder
    find_changes(account, tech)
  File "/usr/local/lib/python2.7/dist-packages/security_monkey/task_scheduler/tasks.py", line 229, in find_changes
    (items, exception_map) = cw.slurp() or ([], {})
  File "/usr/local/lib/python2.7/dist-packages/security_monkey/cloudaux_watcher.py", line 84, in slurp
    regions=self._get_regions(), conn_type='dict')
  File "/usr/local/lib/python2.7/dist-packages/security_monkey/cloudaux_watcher.py", line 45, in _get_regions
    _, regions = get_regions(account, self.service_name)
  File "/usr/local/lib/python2.7/dist-packages/security_monkey/decorators.py", line 183, in get_regions
    role = sts.assume_role(**assume_role_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

mikegrima commented 5 years ago

Did you grant SecurityMonkeyInstanceProfile the proper sts:AssumeRole permissions? Your screenshots don't showcase it.

chandu412 commented 5 years ago

Hi Mike, thanks for the response. I have provided it as stated in the doc; please find the screenshot below.

(Screenshot attached: SMI)

chandu412 commented 5 years ago

Security Monkey is working fine when I run it through an EC2 instance, and I am able to scan the account without any issues, but when I set it up through Docker [which is a business requirement] and try to scan, I am getting permission issues.

mikegrima commented 5 years ago

Ohhh! That is expected.

You need to find a way to get the credentials from your instance onto the container.

chandu412 commented 5 years ago

I didn't get you, Mike. I have passed the access key and secret key through secmonkey.env. Can you help me fix this issue? It's been driving me crazy for days.

mikegrima commented 5 years ago

You won't be able to use IAM roles for this use case (unless you have some special metadata proxy thing running for your container, but let's not go there)

In your case, you will need to mint an IAM User, and create static keys. From there, you will need to set up your docker container to have the static keys available where boto expects them.

mikegrima commented 5 years ago

The best docs we have on this are here: https://github.com/Netflix/security_monkey/blob/develop/docs/docker.md

chandu412 commented 5 years ago

I have been trying with the same doc for days, Mike, and got this issue which I am unable to fix. Another question: is it possible to scan multiple accounts in the Docker case?

mikegrima commented 5 years ago

Yes -- you just need the credentials in your container, which for Docker, our recommendation is to make use of IAM static credentials.

While we understand that static credentials are not great, it's the easiest solution for something without direct access to the AWS metadata service.

Alternatively, you might want to investigate the use of Fargate or ECS.
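A check that follows from Mike's two points above (the container calls AssumeRole as whatever principal its static keys belong to, and that principal, not the instance profile, is what the target role's trust policy must name), written here as an added example rather than code from Security Monkey or boto. The thread never shows the trust policy, so this is a stand-alone, offline evaluator: it takes a trust policy document plus the caller's ARN and says whether sts:AssumeRole would be admitted. SecurityMonkeyInstanceProfile is the role name used in the thread; the account id, the secmonkey-docker user name and the policy documents are constructed. Conditions and the caller's own identity policy are not modelled.

```python
"""Offline check of an IAM role trust policy for sts:AssumeRole.

Constructed example for this thread; not Security Monkey or boto code.
An EC2 host calls AssumeRole as its instance-profile role, while a
container fed static keys calls it as an IAM user, so a trust policy
written only for the former rejects the latter with AccessDenied.
"""
import json

# Constructed identifiers (assumptions): account id, user name.
# SecurityMonkeyInstanceProfile is the role name used in the thread.
ACCOUNT = "111111111111"
EC2_CALLER = f"arn:aws:sts::{ACCOUNT}:assumed-role/SecurityMonkeyInstanceProfile/i-0abc"
DOCKER_USER = f"arn:aws:iam::{ACCOUNT}:user/secmonkey-docker"

# Trust policy that only names the instance-profile role (constructed).
TRUST_POLICY_ORIGINAL = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/SecurityMonkeyInstanceProfile"},
        "Action": "sts:AssumeRole",
    }],
})

# Same policy after adding the IAM user whose keys live in the container.
TRUST_POLICY_FIXED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
            f"arn:aws:iam::{ACCOUNT}:role/SecurityMonkeyInstanceProfile",
            DOCKER_USER,
        ]},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def normalize_caller_arn(arn):
    """Map an STS assumed-role session ARN onto the IAM role ARN that
    trust policies reference (IAM evaluates sessions against the role)."""
    parts = arn.split(":", 5)
    if len(parts) == 6 and parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        role_name = parts[5].split("/")[1]
        return f"arn:aws:iam::{parts[4]}:role/{role_name}"
    return arn


def _action_matches(actions, wanted="sts:AssumeRole"):
    """Exact, '*' and prefix-wildcard actions, case-insensitively."""
    w = wanted.lower()
    for act in actions:
        a = act.lower()
        if a == "*" or a == w or (a.endswith("*") and w.startswith(a[:-1])):
            return True
    return False


def _principal_matches(principal, caller_arn):
    """True if the statement's AWS principal covers the caller. An
    account-root principal defers to the caller's identity policy, which
    this simplified check treats as granted."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    account = caller_arn.split(":")[4]
    for p in _as_list(principal.get("AWS")):
        if p in ("*", caller_arn, account, f"arn:aws:iam::{account}:root"):
            return True
    return False


def trust_policy_allows(policy_json, caller_arn):
    """Evaluate Allow/Deny statements for sts:AssumeRole by this caller.
    An explicit Deny wins; Condition blocks are ignored."""
    policy = json.loads(policy_json)
    caller = normalize_caller_arn(caller_arn)
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _action_matches(_as_list(stmt.get("Action"))):
            continue
        if not _principal_matches(stmt.get("Principal"), caller):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def diagnose(policy_json, caller_arn):
    """One-line verdict suitable for a preflight log message."""
    caller = normalize_caller_arn(caller_arn)
    if trust_policy_allows(policy_json, caller_arn):
        return f"ok: trust policy admits {caller}"
    return f"AccessDenied expected: trust policy does not name {caller}"


if __name__ == "__main__":
    for label, policy in (("original", TRUST_POLICY_ORIGINAL), ("fixed", TRUST_POLICY_FIXED)):
        for caller in (EC2_CALLER, DOCKER_USER):
            print(f"[{label}] {diagnose(policy, caller)}")
```

Run stand-alone, the original policy admits the EC2 session and rejects the Docker user, which is the same pair of outcomes described in the thread; the fixed policy admits both. In practice the caller ARN comes from sts get-caller-identity run with the container's credentials, and the policy from the target role's AssumeRolePolicyDocument.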

chandu412 commented 5 years ago

Ok Mike, thanks for your time. I will try it out today and will get back to you