aws-samples / aws-iam-access-key-auto-rotation

This set of CloudFormation templates and Python scripts will set up an auto-rotation function that will automatically rotate your AWS IAM User Access Keys every 90 days.
MIT No Attribution

Different concepts from Runbook #23

Open duartegabriel opened 1 year ago

duartegabriel commented 1 year ago

As mentioned in #21, the documentation has a lot of points that differ from what has actually been implemented. It would be good if someone on the team could take another look at it.

I can't deploy the first step; I keep receiving messages when I try to create the stacks in my organization's accounts:

ResourceLogicalId:ASAIAMAssumedRole, ResourceType:AWS::IAM::Role, ResourceStatusReason:Invalid principal in policy: "AWS":"arn:aws:iam::978768682946:role/asa-iam-key-rotation-lambda-execution-role" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 0dec4956-d5f9-4839-93ce-7d1da67cdd04; Proxy: null).

In the documentation I can't find any other step before this.

phab-cpr commented 1 year ago

I'm suffering the same problem. Did you find a solution/workaround for this?

Pheels commented 1 year ago

This issue occurs because asa-iam-key-rotation-lambda-execution-role has not yet been created at the time in which you deploy this stack. It is a fundamental flaw in the runbook.

To fix, you can edit the principal ARN to something generic like:

  ASAIAMAssumedRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref IAMRoleName
      Description: !Sub "IAM Assume Role used by ${PrimaryAccountID}'s ASA-IAM-Access-Key-Rotation-Function Lambda. This role is used to inspect and rotate IAM Keys that are violating the company's key rotation policy."
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            AWS:
              - !Sub arn:${AWS::Partition}:iam::${PrimaryAccountID}:root
          Action: sts:AssumeRole

This will allow you to progress for the time being. Please note however that you will need to revert this back to the above role once all 3 stacks have been deployed:

  ASAIAMAssumedRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref IAMRoleName
      Description: !Sub "IAM Assume Role used by ${PrimaryAccountID}'s ASA-IAM-Access-Key-Rotation-Function Lambda. This role is used to inspect and rotate IAM Keys that are violating the company's key rotation policy."
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            AWS:
              - !Sub arn:${AWS::Partition}:iam::${PrimaryAccountID}:role/${ExecutionRoleName}
          Action: sts:AssumeRole

If you do continue with this, you will also run into a permissions issue further down the line. See my comment here for how to resolve.
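To confirm that the temporary root-principal workaround has actually been reverted in each member account, here is an added example (not part of this thread or of the project's own code). It parses a role's trust policy document, the JSON that `aws iam get-role` returns as `AssumeRolePolicyDocument`, and flags any principal broader than, or different from, the single execution role the runbook intends. The account ID and the two sample policies are constructed placeholders.

```python
import json

# Constructed samples with placeholder account ID (not real values): the trust policy
# the temporary workaround produces (root principal) and the intended final form.
PRIMARY_ACCOUNT_ID = "111111111111"
EXECUTION_ROLE_ARN = f"arn:aws:iam::{PRIMARY_ACCOUNT_ID}:role/asa-iam-key-rotation-lambda-execution-role"

WORKAROUND_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{PRIMARY_ACCOUNT_ID}:root"},
                   "Action": "sts:AssumeRole"}],
})

FINAL_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": [EXECUTION_ROLE_ARN]},
                   "Action": "sts:AssumeRole"}],
})

def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def assume_role_principals(policy_json):
    """Return the AWS principals that Allow statements let call sts:AssumeRole."""
    policy = json.loads(policy_json)
    principals = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        # A bare "*" principal is anonymous trust, the broadest possible case.
        principals.update(["*"] if principal == "*" else _as_list(principal.get("AWS", [])))
    return principals

def audit_trust_policy(policy_json, expected_role_arn):
    """Flag any principal broader than, or different from, the expected role."""
    findings = []
    for p in sorted(assume_role_principals(policy_json)):
        if p == "*" or p.endswith(":root"):
            findings.append(f"overly broad principal still present: {p}")
        elif p != expected_role_arn:
            findings.append(f"unexpected principal: {p}")
    return findings
```

Run `audit_trust_policy` over the document from each member account after the third stack is deployed; an empty list means the principal has been narrowed back to the execution role.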