bridgecrewio / AirIAM

Least privilege AWS IAM Terraformer
https://airiam.io
Apache License 2.0

Just fails on credentials = next( without explanation #54

Closed ivanboykoatitv closed 3 years ago

ivanboykoatitv commented 3 years ago

First I was very excited about AirIAM, but then it just stopped working, without any changes from my side. I wonder if there is any Verbose or Debug mode to give more diagnostics output? Otherwise it's just not clear why it fails like this:

»  aws-vault exec .... -- airiam find_unused

     ____      __           _____      ____     __        __
    / __ \    |__|  _  ____|_   _|    / __ \   |   \    /   |
   / /  \ \    __  | |/ ___| | |     / /  \ \  | |\ \  / /| |
  / /____\ \  |  | |   /     | |    / /____\ \ | | \ \/ / | |
 /  ______  \_|  |_|  |     _| |_  /  ______  \  |  \  /  | |
/_/        \_\_____|__|    |_____|/_/        \_\_|   \/   |_|
v0.1.48 

AirIAM - Least privilege AWS IAM Terraformer

To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io

INFO:botocore.credentials:Found credentials in environment variables.
Getting all IAM configurations for account 655028521085
Getting IAM credential report
Generated reports for all principals
Received usage results for all principals
Collecting password configurations for all IAM users in the account
Completed data collection, writing to local file...
Traceback (most recent call last):
  File "/Users/ivan/.asdf/installs/python/3.8.5/bin/airiam", line 5, in <module>
    run()
  File "/Users/ivan/.asdf/installs/python/3.8.5/lib/python3.8/site-packages/airiam/main.py", line 29, in run
    runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
  File "/Users/ivan/.asdf/installs/python/3.8.5/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 51, in find_unused
    unused_active_access_keys, unused_console_login_profiles = find_unused_active_credentials(account_users, credential_report, unused_threshold)
  File "/Users/ivan/.asdf/installs/python/3.8.5/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 98, in find_unused_active_credentials
    credentials = next(creds for creds in credential_report if creds['user'] == user['UserName'])
StopIteration

nimrodkor commented 3 years ago

Thanks for reporting @ivanboykoatitv !

I think there's a sync issue between AWS's credential report and the GetUsers API. I'll add a try-catch to handle it nicely, tnx!

nimrodkor commented 3 years ago

Duplicates #51
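
The lookup from the traceback and the mismatch described in the thread, as an added example that is not part of the thread or AirIAM's own code: `next()` without a default raises `StopIteration` for a user with no credential report row, while an indexed lookup keeps going and lists the unmatched users so they still get reviewed. The sample report, the user names and the functions `parse_report`, `match_fragile` and `match_tolerant` are constructed for illustration.

```python
import csv
import io

# Constructed sample data. Column names follow the AWS credential report CSV.
SAMPLE_REPORT_CSV = """user,password_enabled,access_key_1_active,access_key_2_active
alice,true,true,false
bob,false,true,true
"""
# Assumption: carol was created after the report was generated, so she has no row.
SAMPLE_USERS = [{"UserName": "alice"}, {"UserName": "bob"}, {"UserName": "carol"}]


def parse_report(text):
    """Parse credential report CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def match_fragile(users, report):
    """Same lookup shape as the traceback: next() with no default."""
    result = {}
    for user in users:
        # Raises StopIteration when no row matches this user.
        result[user["UserName"]] = next(
            creds for creds in report if creds["user"] == user["UserName"])
    return result


def match_tolerant(users, report):
    """Index the report once; return matched rows and the users without a row."""
    by_user = {row["user"]: row for row in report}
    matched, missing = {}, []
    for user in users:
        row = by_user.get(user["UserName"])
        if row is None:
            # Do not drop silently: this user's keys and password were not evaluated.
            missing.append(user["UserName"])
        else:
            matched[user["UserName"]] = row
    return matched, missing


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT_CSV)
    matched, missing = match_tolerant(SAMPLE_USERS, report)
    print("matched:", sorted(matched))
    print("no credential report row (re-check after a fresh report):", missing)
```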