aws-samples / amazon-guardduty-multiaccount-scripts

This script automates the process of running the GuardDuty multi-account workflow across a group of accounts that are in your control
Apache License 2.0

Most recent version of botocore/boto3 is not compatible with this code #38

Closed lowpast closed 4 years ago

lowpast commented 4 years ago

The most recent versions of botocore (1.12.253) & boto3 (1.12.9) cause this script to fail.

```
Enabling members in all available GuardDuty regions ['ap-east-1', 'ap-northeast-1', 'ap-northeast-2', 'ap-south-1', 'ap-southeast-1', 'ap-southeast-2', 'ca-central-1', 'eu-central-1', 'eu-north-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'me-south-1', 'sa-east-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']
Assumed session for ---------.
Failed to list detectors in Master account for region: {} due to an authentication error. Either your credentials are not correctly configured or the region is an OptIn region that is not enabled on the master account. Skipping {} and attempting to continue
Traceback (most recent call last):
  File "enableguardduty.py", line 187, in <module>
    detector_dict = list_detectors(gd_client, aws_region)
  File "enableguardduty.py", line 110, in list_detectors
    detector_dict = client.list_detectors()
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the ListDetectors operation: The security token included in the request is invalid

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "enableguardduty.py", line 214, in <module>
    print("Failed to list detectors in Master account for region: {} due to an authentication error. Either your credentials are not correctly configured or the region is an OptIn region that is not enabled on the master account. Skipping {} and attempting to continue").format(aws_region, aws_region)
AttributeError: 'NoneType' object has no attribute 'format'
```

I was able to get this working by downgrading my packages:

```
pip install boto3==1.9.86
pip install botocore==1.12.88
```

I think this is due to the script attempting to enable ap-east-1 (HongKong), an opt-in only region. I do not (and will not) have this region enabled.

asantos-fuze commented 4 years ago

@lowpast I've fixed this here: https://github.com/asantos-fuze/amazon-guardduty-multiaccount-scripts I've the PR https://github.com/aws-samples/amazon-guardduty-multiaccount-scripts/pull/33 waiting to be merged

mr26 commented 4 years ago

@asantos-fuze hey asantos, I'm still getting the error that lowpast posted above. I believe it's the same issue, although I haven't attempted to downgrade my botocore/boto3 packages.

asantos-fuze commented 4 years ago

@mr26 I'm running boto3==1.9.253 and it's good

mr26 commented 4 years ago

@asantos-fuze thanks for the prompt reply. I'm currently running version '1.10.50'. I was able to get it working when passing the appropriate regions through the command line, but when running the script outright I get the same error lowpast has posted above.

mr26 commented 4 years ago

@asantos-fuze it turns out the error was in the print statement invoked when handling the error.

```python
print("Failed to list detectors in Master account for region: {} due to an authentication error. Either your credentials are not correctly configured or the region is an OptIn region that is not enabled on the master account. Skipping {} and attempting to continue").format(aws_region, aws_region)
```

It had a closing parenthesis before the format method was called, so `.format()` was applied to the `None` returned by `print()`. Changed it to the following and the script works with no issues now.

```python
print("Failed to list detectors in Master account for region: {} due to an authentication error. Either your credentials are not correctly configured or the region is an OptIn region that is not enabled on the master account. Skipping {} and attempting to continue".format(aws_region, aws_region))
```
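The two problems discussed in this thread, the `print(...).format(...)` mistake and the need to skip an opt-in region (such as ap-east-1) that the master account has not enabled, can be exercised offline. The block below is an added example written for this page, not code from the aws-samples repository: it builds the skip message correctly, catches botocore's `ClientError`, skips only the `UnrecognizedClientException` code seen in the traceback, and re-raises everything else. `FakeGuardDutyClient`, `ENABLED_REGIONS` and the region list are constructed stand-ins for `boto3.client("guardduty", region_name=...)`; the `ClientError` fallback class is only used when botocore is not installed and mirrors the real constructor and `.response` attribute.

```python
# Added example (not the project's own code): per-region detector listing that
# survives an opt-in region the master account has not enabled.
try:
    from botocore.exceptions import ClientError
except ImportError:
    # botocore not installed: minimal stand-in with the same constructor
    # (error_response, operation_name) and .response attribute as the real class.
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            self.response = error_response
            self.operation_name = operation_name
            error = error_response.get("Error", {})
            super().__init__(
                "An error occurred ({}) when calling the {} operation: {}".format(
                    error.get("Code", "Unknown"), operation_name, error.get("Message", "")
                )
            )

# The error code GuardDuty returned for a region not enabled on the account
# (from the traceback in this issue). Any other code is treated as a real failure.
SKIPPABLE_ERROR_CODES = {"UnrecognizedClientException"}


def skip_message(aws_region):
    """Build the skip message. .format() is applied to the string itself; the
    original bug applied it to the None that print() returns."""
    return (
        "Failed to list detectors in Master account for region: {} due to an "
        "authentication error. Either your credentials are not correctly configured "
        "or the region is an OptIn region that is not enabled on the master account. "
        "Skipping {} and attempting to continue"
    ).format(aws_region, aws_region)


def list_detectors(client):
    """Return the detector IDs in one region (same call the script makes)."""
    return client.list_detectors().get("DetectorIds", [])


def list_detectors_in_regions(regions, make_client, log=print):
    """Call list_detectors in each region, skipping regions that reject the
    session with a skippable code. Returns (detectors_by_region, skipped)."""
    detectors = {}
    skipped = []
    for aws_region in regions:
        client = make_client(aws_region)
        try:
            detectors[aws_region] = list_detectors(client)
        except ClientError as err:
            code = err.response.get("Error", {}).get("Code")
            if code in SKIPPABLE_ERROR_CODES:
                log(skip_message(aws_region))
                skipped.append(aws_region)
                continue
            raise  # throttling, access denied, etc. should not be silently skipped
    return detectors, skipped


# --- Constructed offline stand-in for boto3.client("guardduty", region_name=...) ---
ENABLED_REGIONS = {"us-east-1", "eu-west-1"}  # constructed: ap-east-1 stays opt-in only


class FakeGuardDutyClient:
    """Raises the same ClientError shape GuardDuty returned in the issue when the
    region is not enabled; otherwise returns one constructed detector ID."""

    def __init__(self, aws_region):
        self.aws_region = aws_region

    def list_detectors(self):
        if self.aws_region not in ENABLED_REGIONS:
            raise ClientError(
                {"Error": {"Code": "UnrecognizedClientException",
                           "Message": "The security token included in the request is invalid"}},
                "ListDetectors",
            )
        return {"DetectorIds": ["detector-" + self.aws_region]}


def demo():
    """Run the loop over a constructed region list including the opt-in region."""
    regions = ["ap-east-1", "us-east-1", "eu-west-1"]
    return list_detectors_in_regions(regions, FakeGuardDutyClient)


if __name__ == "__main__":
    found, skipped = demo()
    print("detectors:", found)
    print("skipped:", skipped)
```

Against real accounts, pass `make_client=lambda r: boto3.client("guardduty", region_name=r)` (with the assumed-role session the script already builds) and keep the re-raise: swallowing every `ClientError` would hide a permissions problem in a region that is enabled.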

mr26 commented 4 years ago

thank you for your work btw, this script is incredibly useful and helpful for our current project.

ryanholland commented 4 years ago

Thanks for letting us know about the print.format error, I just pushed an update to fix that.

mr26 commented 4 years ago

@ryanholland @asantos-fuze Thanks guys. I also updated the disableguardduty program to basically incorporate the same error handling you guys implemented in the enableguardduty program, preventing the script from crashing when iterating over a disabled region.

I've made a pull request with the changes for you guys to look over and approve/deny based upon your discretion. Thanks again.