RhinoSecurityLabs / cloudgoat

CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
BSD 3-Clause "New" or "Revised" License
2.97k stars 622 forks

./cloudgoat create results in NoCredentialProviders #26

Closed omenking closed 5 years ago

omenking commented 5 years ago

I run the following:

./cloudgoat.py create iam_privesc_by_rollback --profile cloudgoat

This is the error that results:

data.local_file.v5: Refreshing state...
data.local_file.v2: Refreshing state...
data.local_file.v4: Refreshing state...
data.local_file.v1: Refreshing state...
data.local_file.v3: Refreshing state...

Error: error validating provider credentials: error calling sts:GetCallerIdentity: NoCredentialProviders: no valid providers in chain. Deprecated.
    For verbose messaging see aws.Config.CredentialsChainVerboseErrors

  on provider.tf line 1, in provider "aws":
   1: provider "aws" {

Looking into the terraform script variables.tf looks like the following:

#Required: AWS Profile
variable "profile" {

}
#Required: AWS Region
variable "region" {
  default = "us-east-1"
}
#Required: CGID Variable for unique naming
variable "cgid" {

}
#Required: User's Public IP Address(es)
variable "cg_whitelist" {
  type = list

}

I am not familiar enough with Terraform and am uncertain whether I should see the variables correctly set here.

I did set up a profile in my ~/.aws/credentials and I did also run

./cloudgoat.py config profile

omenking commented 5 years ago

I guess I'm going to have to learn some terraform. 😞

omenking commented 5 years ago

it appears that terraform plan is being run by core/python/commands.py. Since it doesn't output the entire command, it's hard for me to replicate to debug. Will check if there is a verbose mode in the code or just print out the full command before it runs for me to attempt to debug.

omenking commented 5 years ago

printed out the params being passed to:

        plan_retcode, plan_stdout, plan_stderr = terraform.plan(
            capture_output=False,
            var={
                "cgid": cgid,
                "cg_whitelist": cg_whitelist,
                "profile": profile,
                "region": self.aws_region,
            },
            no_color=IsNotFlagged,
        )

They all look correct. Was not looking forward to debugging python today. 😞

omenking commented 5 years ago

so I ran terraform plan manually and provided a variables file and still the same error.

omenking commented 5 years ago

Testing my profile via the cli:

aws sts get-caller-identity --profile cloudgoat

It works. Okay, maybe I will have to hardcode my secret access key and token into the provider to further test here.

omenking commented 5 years ago

hardcoding the access key and secret into the provider now gets me somewhere when running terraform plan.

It's hard to believe I am typing my profile incorrectly. I'm guessing I need to debug how terraform picks up the profile for the provider.

omenking commented 5 years ago

Hardcoding profile:

provider "aws" {
  region     = "us-east-1"
  profile    = "cloudgoat"
}

results in that error. hmm...

omenking commented 5 years ago

Terraform suggests you can specify the credentials file if it fails to pick it up:

provider "aws" {
  region     = "us-east-1"
  profile    = "cloudgoat"
  shared_credentials_file = "/Users/andrewbrown/.aws/credentials"
}

The result however is the same error.

chrissparksnj commented 5 years ago

having the same issue

chrissparksnj commented 5 years ago

finally got it

$ aws configure --profile yourusername
Access Key: xxxxxxxxxxxxxxx
Secret Key: xxxxxxxxxxxxxxxx

Then in ~/cloudgoat/scenarios/iam_privesc_by_rollback/terraform/provider.tf make your provider block look like this.

provider "aws" {
      region = "us-east-1"
}

  1. Remove the profile key.
  2. Hardcode in the region.

Then run the ./cloudgoat.py --create iam_privesc_by_rollback command and your output should look like this.

Apply complete! Resources: 8 added, 0 changed, 0 destroyed.

Outputs:

cloudgoat_output_aws_account_id = xxxxxxxxxxxxxxxx
cloudgoat_output_raynor_access_key_id = xxxxxxxxxxxxxxxxxx
cloudgoat_output_raynor_secret_key = xxxxxxxxxxxxxx

[cloudgoat] terraform apply completed with no error code.

[cloudgoat] terraform output completed with no error code.

[cloudgoat] Output file written to:

ghost commented 5 years ago

@chrissparksnj @omenking

We've not been able to replicate this problem on our side, hence the lack of an immediate fix.

@chrissparksnj I don't want to merge your PR because removing the var for the profile will prevent CloudGoat from using the configured AWS CLI profile, and cause terraform to fall back to the default CLI profile. That could be very dangerous for people with "real" default profiles.

My hunch is that is due to some peculiarity in the formatting of the entries in your ~/.aws/credentials files. Would either of you be willing to share the literal contents of your credentials files? After redacting the keys, of course!

Another thing to confirm - does this issue happen for you guys in all scenarios, or just iam_privesc_by_rollback?

Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/5044

SyCode7 commented 5 years ago

I had this issue but realized the profile refers to the exact name of the AWS profile in use as defined in the credentials file. For example, if a credentials file has the following content:

[default]
aws_access_key_id=xxxxx
aws_secret_access_key=vvvvvv

the command should be like so: python ./cloudgoat.py create cloud_breach_s3 --profile default

omenking commented 5 years ago

These are not the real credentials but I left the formatting exactly the same:

[cloudgoat]
aws_access_key_id = ABCDEFGHIJKLMNOPQRST
aws_secret_access_key = 9t7d3AGdwnSYD18smZyK3UPnKEGYpBvqN87Acyf7

What I could try is putting this profile as the default and removing all other credentials to rule out what @SyCode7 is alluding to as a possible cause. But again, I am matching the exact name of the profile here.

SyCode7 commented 5 years ago

@omenking could you try 'python ./cloudgoat.py --profile cloudgoat'? Not 'default' since you are using 'cloudgoat' as profile name.

omenking commented 5 years ago

@SyCode7 I have been using --profile cloudgoat See the original post. It's the first thing I run.

ghost commented 5 years ago

@omenking @chrissparksnj I think we have something here!

I was finally able to replicate the issue by doing the following:

  1. Configure the AWS profile using a "normal" system user via the aws configure --profile <name> command.
  2. Run the ./cloudgoat.py create <scenario> command as root.

Explanation:

AWS CLI profiles are stored in the home directory, which means they are not shared between users. When you run CloudGoat's create command as a particular user, it and the terraform sub-processes will only have access to the AWS CLI profiles for that user.

Solution:

Can you please verify whether you are running CloudGoat as the same user you used to configure the AWS CLI profile?
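The explanation above (profiles live under the invoking user's home, so a process started as a different user, e.g. via sudo with HOME=/root, reads a different credentials file) can be checked without touching AWS. The following is an added example, not CloudGoat's code and not part of the original thread: it models the shared-credentials-file lookup the AWS CLI and botocore perform (AWS_SHARED_CREDENTIALS_FILE if set, otherwise ~/.aws/credentials, with "~" expanding via HOME on POSIX) and reports why a named profile is not found. The directory layout, the "andrew" user name and the key values in demo() are constructed placeholders; pass os.environ to profile_status() to diagnose your own shell.

```python
"""Diagnose why Terraform/botocore cannot see an AWS CLI profile.

Added example (not CloudGoat's own code). It reproduces the shared
credentials file resolution used by the AWS SDKs: AWS_SHARED_CREDENTIALS_FILE
if set, otherwise ~/.aws/credentials where "~" comes from HOME on POSIX.
A command run under sudo usually gets HOME=/root, so a profile written to
/home/<user>/.aws/credentials is invisible to it.
"""
import configparser
import os
import tempfile
from pathlib import Path


def credentials_path(env):
    """Return the credentials file the SDK would read for this environment.

    `env` is any mapping (pass os.environ for the live answer).
    """
    explicit = env.get("AWS_SHARED_CREDENTIALS_FILE")
    if explicit:
        return Path(explicit).expanduser()
    home = env.get("HOME")
    if not home:
        # Same fallback os.path.expanduser uses when HOME is unset.
        home = os.path.expanduser("~")
    return Path(home) / ".aws" / "credentials"


def profile_status(env, profile):
    """Classify the lookup of `profile` for the given environment.

    Returns "ok", "file-missing", "profile-missing" or "keys-missing".
    "file-missing" is what you get when the credentials file belongs to a
    different user's home than the one the process is running under.
    """
    path = credentials_path(env)
    if not path.is_file():
        return "file-missing"
    ini = configparser.ConfigParser()
    ini.read(path)
    if profile not in ini:
        return "profile-missing"
    section = ini[profile]
    if not section.get("aws_access_key_id") or not section.get("aws_secret_access_key"):
        return "keys-missing"
    return "ok"


def demo():
    """Constructed scenario: the profile is configured for a login user,
    then the same check runs with HOME pointed at a root-style home."""
    with tempfile.TemporaryDirectory() as tmp:
        user_home = Path(tmp) / "home" / "andrew"   # hypothetical user
        root_home = Path(tmp) / "root"               # hypothetical root home
        (user_home / ".aws").mkdir(parents=True)
        root_home.mkdir()
        creds = user_home / ".aws" / "credentials"
        # Constructed credentials file; the keys are placeholders, not real.
        creds.write_text(
            "[cloudgoat]\n"
            "aws_access_key_id = AKIAEXAMPLEEXAMPLE00\n"
            "aws_secret_access_key = exampleexampleexampleexampleexample000\n"
        )
        as_user = profile_status({"HOME": str(user_home)}, "cloudgoat")
        as_root = profile_status({"HOME": str(root_home)}, "cloudgoat")
        # Pointing the SDK at the user's file explicitly works even as root.
        pointed = profile_status(
            {"HOME": str(root_home), "AWS_SHARED_CREDENTIALS_FILE": str(creds)},
            "cloudgoat",
        )
        wrong_name = profile_status({"HOME": str(user_home)}, "default")
    return as_user, as_root, pointed, wrong_name


if __name__ == "__main__":
    print(demo())  # ('ok', 'file-missing', 'ok', 'profile-missing')
    # Live diagnosis of the current shell and the profile CloudGoat was given:
    print(credentials_path(os.environ), profile_status(os.environ, "cloudgoat"))
```

Running the live diagnosis once as your normal user and once under sudo shows the two different paths directly; if the second one reports "file-missing", the fix is to run CloudGoat as the user who ran aws configure rather than to drop the profile variable from provider.tf.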

T0xIN19 commented 1 year ago

error while running

./cloudgoat.py config profile
Traceback (most recent call last):
  File "/home/toxin/cloudgoat/./cloudgoat.py", line 115, in <module>
    from core.python.commands import CloudGoat
ModuleNotFoundError: No module named 'core.python'