Describe the bug
When run using org mode, the first member account will be scanned. All of the other accounts will fail.
Expected behavior
It should scan all of the member accounts.
Current behavior
Warning: Failed to assume role into Member Account …, skipping ...
If you remove the 2>/dev/null which discards the error output from the aws sts assume-role command you'll see this additional detail:
Unable to locate credentials. You can configure credentials by running "aws configure".
Possible solution
Reviewing the code from #2, I believe the problem is related to the way assume_role() overwrites its current credentials with the assumed role credentials, which allows that account to be scanned but then causes all subsequent accounts to fail, since you'd need to call sts:AssumeRole using the original credentials.
https://github.com/PaloAltoNetworks/pcs-sizing-scripts/blob/73fbe9aa46d16a0b41d985cd792d4a9353436b4b/aws/resource-count-aws.sh#L266-L279
Steps to reproduce
Run resource-count-aws.sh org with credentials in the Organization master account for an IAM user which has permission to assume the OrganizationAccountAccessRole in each member account.
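The credential-clobbering pattern the issue describes, next to a fix that confines the assumed-role credentials to a subshell, as an added example that is not code from pcs-sizing-scripts or resource-count-aws.sh. sts_assume_role, MGMT_KEY, MEMBER_ACCOUNTS, count_resources and scan_org are constructed stand-ins; sts_assume_role models only the STS rule that matters here, namely that AssumeRole into a member account succeeds when called with the management-account credentials and fails when called with another member's temporary credentials.

```shell
#!/usr/bin/env bash
# Added example, not code from pcs-sizing-scripts. sts_assume_role is a constructed
# stand-in for `aws sts assume-role`: it succeeds only while the caller still holds
# the management-account credentials, which is what the real call requires.
MGMT_KEY="AKIAMGMTEXAMPLE"                                 # constructed key id
MEMBER_ACCOUNTS="111111111111 222222222222 333333333333"  # constructed account ids

sts_assume_role() {   # prints "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken"
  if [ "$AWS_ACCESS_KEY_ID" != "$MGMT_KEY" ]; then
    echo "Unable to locate credentials (caller is not the management account)" >&2
    return 1
  fi
  printf 'ASIA%s\tsecret-%s\ttoken-%s\n' "$1" "$1" "$1"
}

# The pattern the issue describes: the assumed role's keys overwrite the caller's
# environment, so the next AssumeRole is attempted with member-account credentials.
assume_role() {
  local creds
  creds=$(sts_assume_role "$1") || return 1
  export AWS_ACCESS_KEY_ID="$(printf '%s\n' "$creds" | cut -f1)"
  export AWS_SECRET_ACCESS_KEY="$(printf '%s\n' "$creds" | cut -f2)"
  export AWS_SESSION_TOKEN="$(printf '%s\n' "$creds" | cut -f3)"
}

count_resources() { :; }   # placeholder for the per-account resource counting

# Scans every member account. "buggy" runs assume_role in the current shell, so
# the management credentials are lost after the first account; "fixed" runs the
# per-account work in a subshell, so the exported member credentials die with it.
# Prints the number of accounts successfully scanned.
scan_org() {
  local mode="$1" scanned=0 acct
  export AWS_ACCESS_KEY_ID="$MGMT_KEY"   # start with management-account credentials
  for acct in $MEMBER_ACCOUNTS; do
    if [ "$mode" = buggy ]; then
      assume_role "$acct" && count_resources "$acct"
    else
      ( assume_role "$acct" && count_resources "$acct" )
    fi && scanned=$((scanned + 1)) \
      || echo "Warning: Failed to assume role into Member Account $acct, skipping ..." >&2
  done
  echo "$scanned"
}
```

Running scan_org buggy scans only the first account and leaves the member account's key in AWS_ACCESS_KEY_ID; scan_org fixed scans all three and leaves the management key in place.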