Noovolari / leapp

Leapp is the DevTool to access your cloud
https://www.leapp.cloud/
Mozilla Public License 2.0

Limited role permissions for AWS plain account #76

Closed m-radzikowski closed 3 years ago

m-radzikowski commented 3 years ago

Describe the bug

I have a private AWS account for which I use a user access key + secret key. This user has the AdministratorAccess policy attached.

I've added it to Leapp as an AWS account with the "plain" auth method, and provided credentials. When I activate this account, I get a correct response for aws sts get-caller-identity with my user ARN.

But some commands fail. When I try to execute aws iam list-roles or aws iam get-role, I'm getting:

An error occurred (InvalidClientTokenId) when calling the ListRoles operation: The security token included in the request is invalid

When I set the same access key + secret key in the .aws/credentials file manually, both those commands work correctly.

Interestingly, this does not occur on the accounts to which I connect with another, truster account (through another federated account with SSO).

I know that Leapp generates temporary access credentials instead of putting raw access key + secret key in config. I looked briefly into commands and code and did not find anything that would justify the limited access on the first spot.

To Reproduce

Steps to reproduce the behavior:

  1. Create IAM User on AWS
  2. Attach policy with full IAM access, like AdministratorAccess
  3. Generate access credentials
  4. Add this account in Leapp, selecting AWS -> plain, and providing those credentials
  5. Activate the account in Leapp
  6. Execute aws iam list-roles from CLI
  7. See error about invalid token

Expected behavior

Assumed role should have all the access the normal role has.

Desktop (please complete the following information):

Additional context

This problem is a deal-breaker because the Serverless Framework / CloudFormation uses those calls when deploying a Lambda function and its Role.

ericvilla commented 3 years ago

Hi @m-radzikowski, thanks for reaching out to us! When generating credentials for a plain account, under the hood we call STS's get-session-token API, through which we generate short-term credentials that come with some limitations (if MFA information is not included in the request), as described in this link. In particular, I want to highlight a statement:

The temporary security credentials created by GetSessionToken can be used to make API calls to any AWS service with the following exceptions: You cannot call any IAM API operations unless MFA authentication information is included in the request. You cannot call any STS API except AssumeRole or GetCallerIdentity.

To test if it behaves like described in the docs, try to set up MFA for the specific IAM User; remember to add the MFA device in the plain account configuration, otherwise Leapp will not ask you for the MFA token before generating short-term credentials.

I hope it makes sense now. I will leave this issue open until you confirm this behavior. If you think this needs further investigation, please let us know. In the meantime, thank you very much for your support!
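To make the GetSessionToken limitation described above concrete, here is an added example in Python (not Leapp's own code): it mints session credentials from long-term IAM user keys with boto3's get_session_token, optionally passing the MFA SerialNumber and TokenCode, and then runs the two checks from the report, STS GetCallerIdentity followed by IAM ListRoles. The probe logic takes duck-typed clients so it can be exercised without AWS access; the profile name, script file name and MFA serial ARN are assumptions, and boto3 is only needed for the live run.

```python
"""Probe whether STS session credentials can call IAM APIs.

Added example, not Leapp's code. Offline helpers need no boto3; the live
path assumes boto3 is installed and a named profile with long-term IAM user
keys exists (assumption: profile name is passed on the command line).
"""
from __future__ import annotations

from typing import Any

# Error code the IAM API returns when the calling credentials were minted by
# STS GetSessionToken without MFA (as seen in the report above).
IAM_NO_MFA_ERROR = "InvalidClientTokenId"


def session_token_params(mfa_serial: str | None = None,
                         token_code: str | None = None,
                         duration_seconds: int = 3600) -> dict[str, Any]:
    """Keyword arguments for sts.get_session_token().

    Without SerialNumber and TokenCode the resulting credentials cannot call
    IAM APIs; supplying both lifts that restriction.
    """
    if (mfa_serial is None) != (token_code is None):
        raise ValueError("mfa_serial and token_code must be supplied together")
    params: dict[str, Any] = {"DurationSeconds": duration_seconds}
    if mfa_serial is not None:
        params["SerialNumber"] = mfa_serial
        params["TokenCode"] = token_code
    return params


def error_code(exc: BaseException) -> str:
    """AWS error code carried by a botocore ClientError (empty if not one)."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code", "")


def probe_session_credentials(sts_client, iam_client) -> dict[str, Any]:
    """Run the two checks from the report: GetCallerIdentity, then ListRoles.

    Clients are passed in (duck-typed) so the logic can run against stubs.
    """
    result: dict[str, Any] = {"caller_arn": None, "iam_error": None,
                              "mfa_missing": False}
    # GetCallerIdentity is one of the STS calls session credentials may make.
    result["caller_arn"] = sts_client.get_caller_identity()["Arn"]
    try:
        iam_client.list_roles(MaxItems=1)
    except Exception as exc:  # botocore ClientError exposes .response
        code = error_code(exc)
        if not code:
            raise  # not an AWS API error; do not mask it
        result["iam_error"] = code
        result["mfa_missing"] = code == IAM_NO_MFA_ERROR
    return result


def main(profile: str, mfa_serial: str | None, token_code: str | None) -> dict[str, Any]:
    """Live run: mint session credentials from long-term keys, then probe them."""
    import boto3  # imported here so the offline helpers do not require boto3

    base = boto3.Session(profile_name=profile)
    creds = base.client("sts").get_session_token(
        **session_token_params(mfa_serial, token_code))["Credentials"]
    session = boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return probe_session_credentials(session.client("sts"), session.client("iam"))


if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name): python probe.py <profile> [<mfa-serial-arn> <code>]
    prof = sys.argv[1]
    serial, code = (sys.argv[2], sys.argv[3]) if len(sys.argv) == 4 else (None, None)
    print(main(prof, serial, code))
```

Run it once without the MFA arguments and once with them: the first run reports mfa_missing=True with the InvalidClientTokenId code from the report, the second reaches ListRoles successfully, which is exactly the difference adding the MFA device to the Leapp plain account makes.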

m-radzikowski commented 3 years ago

Damn, I was looking in AWS docs but did not find it. Thank you! Enabling MFA in fact helps (also to protect my account 😉).

andreacavagna01 commented 3 years ago

We will add this precious FAQ in the Wiki 👍

urz9999 commented 3 years ago

Added under the security section

ericvilla commented 3 years ago

Hi everyone!

Since we've added the proper documentation section in the wiki, I consider this issue closed. Let me know if it does not make sense to you.