Closed jeremyjturner closed 4 years ago
I have a similar error message when I use the role assumed with MFA.
Also, I got Missing both lambda:GetFunction and lambda:GetFunctionConfiguration. Not sure if it is even the same problem or not.
Hey @jeremyjturner, thanks a lot for this detailed report! I am not sure at all why this is happening. Some investigation effort is needed to get to the bottom of this. I've put it in our backlog and will try to include a fix in the next release.
Hey @antonbabenko, thanks for confirming the issue.
You are getting that message because AWS keys that LambdaGuard uses do not have either permission allowed. So it can't get function info.
I verified that I have those permissions and retried a couple of times. There should be something else.
Hey @antonbabenko and @adeptex.
I am also getting the Missing both lambda:GetFunction and lambda:GetFunctionConfiguration error message. I did some troubleshooting and ran into some really, really weird results.
First off, the profile that I am running lambdaguard under definitely has the correct permissions - I verified through the AWS console and I am able to run both commands successfully from the AWS cli. By inserting various print() statements in the source code, I noticed that the list_policies_granting_service_access() call from the get_user_permissions() function in lambdaguard/utils/acl.py does not run on the profile that I specified through the --profile flag. Instead it runs against my default profile. Therefore, the call returns "error: An error occurred (NoSuchEntity) when calling the ListPoliciesGrantingServiceAccess operation: ARN arn:aws:iam::user/USER does not exist.", (note that I substituted USER for the actual user info). I verified that it runs on my default profile by inserting another self.client call right before it, and the results I get back are from the AWS environment configured under the default profile. So it's no surprise that that user isn't found, and therefore that the permissions aren't found.
The really weird thing is that I have no idea why this is happening. Again, by inserting print statements in various places I consistently see that the program is accepting the correct profile, is using the correct keys, has the correct ARN stored in the correct variables.... Everything looks perfectly fine right until those self.client calls are made, and then all of a sudden it's not running against the right profile.
I verified this problem on two separate virtual machines. Then I had a co-worker run the program for me instead, and it worked for him right out of the box without issues.
Please let me know what output I can provide you to help troubleshoot this problem.
Note that it's possible to bypass this issue by saving the access keys to the default AWS profile.
I can confirm:
self.acl = ACL(self.caller['Arn'], profile, access_key_id, secret_access_key)
fixed the issue for me. I think the issue is caused by missing propagation of profile and keys at this point. But to be honest: I'm neither deep enough in the code nor in the AWS CLI at all to understand what's going on (e.g. why is self.caller['Arn'] passed in this line instead of arn). Hope this helps to debug the issue!
Thanks so much for the awesome tool otherwise, @adeptex
I had the same issue with passing --keys. I was able to reproduce in a fork of the project and found the issue. Thanks to @dhaug-op, the ACL class was the only class that needed these parameters for the base AWS class.
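The failure mode discussed in the comments above, modelled with the standard library only (an added example, not LambdaGuard's code and not part of the thread): a helper built without the profile or keys silently binds to [default], and credential_drift is a pre-flight check that catches it. AWSBase, Scanner, resolve_access_key, credential_drift, the forward switch and the sample credentials are hypothetical; the unforwarded ACL(arn) call is an assumption about the pre-fix code.

```python
import configparser

# Constructed shared-credentials content; the key ids are fake.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLEDEFAULT00

[audit]
aws_access_key_id = AKIAEXAMPLEAUDIT0000
"""

def resolve_access_key(profile=None, access_key_id=None):
    """Model of SDK-style resolution: explicit key, named profile, else [default]."""
    if access_key_id:
        return access_key_id
    cfg = configparser.RawConfigParser()
    cfg.read_string(SAMPLE_CREDENTIALS)
    return cfg[profile or "default"]["aws_access_key_id"]  # silent fallback

class AWSBase:
    """Hypothetical base class: binds a client to whatever credentials it is given."""
    def __init__(self, arn, profile=None, access_key_id=None, secret_access_key=None):
        self.arn = arn
        self.bound_key = resolve_access_key(profile, access_key_id)

class ACL(AWSBase):
    """Hypothetical helper that would run the IAM permission lookup for self.arn."""

class Scanner(AWSBase):
    def __init__(self, arn, profile=None, access_key_id=None,
                 secret_access_key=None, forward=True):
        super().__init__(arn, profile, access_key_id, secret_access_key)
        if forward:  # form reported in the thread as fixing the issue
            self.acl = ACL(arn, profile, access_key_id, secret_access_key)
        else:        # assumed pre-fix form: credentials not forwarded
            self.acl = ACL(arn)

def credential_drift(scanner):
    """Return (scanner_key, helper_key) if the helper is bound to other credentials."""
    if scanner.acl.bound_key != scanner.bound_key:
        return scanner.bound_key, scanner.acl.bound_key
    return None

if __name__ == "__main__":
    arn = "arn:aws:iam::111111111111:user/audit-user"  # constructed ARN
    print(credential_drift(Scanner(arn, profile="audit", forward=False)))
    print(credential_drift(Scanner(arn, profile="audit")))
```

Against real AWS the equivalent comparison would be the caller identity reported by each client's own credentials, checked before any "missing permission" result is trusted.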
We got the same Missing both lambda:GetFunction and lambda:GetFunctionConfiguration error with our first attempt to use LambdaGuard. We tried all kinds of authentication profiles and tricks from the above post and then gave up.
Hi all, the changes proposed by @nwestfall have been added. Please reset and reopen if the issue persists.
Thanks!
I've reviewed #27 but it appears that I'm having the same issue.
Here are my steps to reproduce.
First, I'm using Docker version 19.03.8 on macOS:
I started the following container:
Changed to the home folder:
Installed pip3:
Installed lambdaguard:
In my case, I'm using JumpCloud as the IdP to my AWS account so I'm using a tool called SAML2AWS:
Here is what the configuration looks like (small typo with the profile name):
Now I log in to the IdP to configure my .aws/credentials file:
Here we can confirm that the credentials are stored:
When I run lambdaguard it seems to work:
However, when I view the lambdaguard.log I get:
So I tried again but this time by creating an AWS IAM user with an Access and Secret Key:
I'm getting the same error in the logs:
I thought maybe the problem was that I didn't have the AWS CLI installed so I tried that:
However, the results are the same.
Perhaps I'm missing something simple?
Note that for the first assume role profile my IAM policy is full administrator and for the second IAM user with Access Key and Secret, the IAM policy was the AWS managed ReadOnlyAccess IAM policy.