common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

Combining aws sso and assumeRole not working #184

Open shotty1 opened 2 years ago

shotty1 commented 2 years ago

I am currently trying to replace awsu.me with granted.dev for me and my team but am hitting one major roadblock. In my scenario I need to log in to an account with AWS SSO, and then assume a role in another account.

We got this running by combining awsu.me with Ben Kehoe's aws-sso-util (see config below)

But when trying to achieve the same thing with granted.dev I get the following error (tried with the -ex parameter too)

assume --verbose target-account
DEBUG: starting update check
2022/07/13 17:23:46 [keyring] Considering backends: [keychain pass file]
2022/07/13 17:23:46 [keyring] Querying keychain for service="granted", account="https://d-1234567890.awsapps.com/start", keychain="login.keychain"
2022/07/13 17:23:46 [keyring] Found item "granted"
operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: somerequestid, api error AccessDenied: User: arn:aws:sts::111111111111:assumed-role/AWSSSOASSUMEDROLENAME is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/TARGETROLENAME

Logging into the sso-login-account works without problems

Config parts:

[profile soo-login-account]
credential_process=aws-sso-util credential-process --profile soo-login-account
sso_start_url=https://d-1234567890.awsapps.com/start
sso_region=eu-central-1
sso_account_id=111111111111
sso_role_name=AWSSSOROLENAME
region=eu-central-1

[profile target-account]
role_arn=arn:aws:iam::222222222222:role/TARGETROLENAME
source_profile=soo-login-account
external_id=mysupersecretexternalid

granted version: 0.2.2

JoshuaWilkes commented 2 years ago

Hey @shotty1

Does the external_id play a part in your cross account trust policy?

Granted does not currently use external_id so this may well be your issue. This is the guide I looked at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

I imagine if we added this into our requests that your use-case would work

JoshuaWilkes commented 2 years ago

@shotty1 If you have time, you can try building granted from source on this branch and re-testing your usecase https://github.com/common-fate/granted/pull/187

Otherwise we can test when we get a chance

shotty1 commented 2 years ago

Hey, yes the external Id plays a role. Will try to test later and get back to you.

shotty1 commented 2 years ago

works like a charm. Thanks a lot! I only had to set the region in the target-account profile. For some reason that was not inherited from the sso-login-account

conzy commented 1 month ago

I seem to be experiencing the exact same issue

assume access_development
[✘] operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: b1160995-3ce7-4322-89ae-9f732d9ca82c, api error AccessDenied: User: arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_AdministratorAccess_074bdc061f60212b/foo.bar@acme.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::22222222222:role/access_development

Config:

[profile jump]
granted_sso_start_url      = `https://acme.awsapps.com/start#/`
granted_sso_region         = eu-west-1
granted_sso_account_id     = 111111111111
granted_sso_role_name      = AdministratorAccess
common_fate_generated_from = aws-sso
credential_process         = granted credential-process --profile jump

[profile access_development]
source_profile=jump
role_arn=arn:aws:iam::22222222222:role/access_development
external_id=5a5b6f4b
duration_seconds=1800

granted --version
Granted version: 0.32.0

Trust relationship on target role is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "5a5b6f4b"
                }
            }
        }
    ]
}

When I remove the Condition from the trust relationship it works fine. Similarly assuming the intermediate "jump" role here and using the aws cli to assume the role works:

aws sts assume-role --role-arn arn:aws:iam::22222222222:role/access_development --role-session-name test --external-id 5a5b6f4b
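The failure in both reports is the same: the `jump`/`soo-login-account` profile works, but the chained `role_arn` profile is denied because the trust policy requires `sts:ExternalId` and the tool's AssumeRole call does not carry the profile's `external_id`. The following is an added example, not Granted's own code: it parses a constructed config modelled on the profiles above, builds the AssumeRole parameters a credential process should send (including `ExternalId`), and runs them through a small offline model of the trust-policy evaluation so the with/without `ExternalId` difference can be seen without calling STS. The config values, the trust policy and the evaluator are constructed for illustration; the evaluator models only the policy features this issue uses (an account-root principal, `sts:AssumeRole`, and a `StringEquals` condition on `sts:ExternalId`).

```python
import configparser

# Constructed sample ~/.aws/config modelled on the profile chain in this issue
# (placeholder account IDs and external ID, not real values).
SAMPLE_CONFIG = """\
[profile jump]
granted_sso_start_url = https://acme.awsapps.com/start#/
granted_sso_region = eu-west-1
granted_sso_account_id = 111111111111
granted_sso_role_name = AdministratorAccess
credential_process = granted credential-process --profile jump

[profile access_development]
source_profile = jump
role_arn = arn:aws:iam::222222222222:role/access_development
external_id = 5a5b6f4b
duration_seconds = 1800
"""

# Constructed trust policy on the target role, same shape as the one in the issue.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "5a5b6f4b"}},
        }
    ],
}


def load_profiles(config_text):
    """Parse AWS CLI style config text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        # Non-default profiles are written as "[profile NAME]" in the CLI config.
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def build_assume_role_request(profiles, profile_name, session_name="granted-example"):
    """Turn a role_arn/source_profile profile into sts:AssumeRole parameters.
    The ExternalId line is the one this issue is about: drop it and STS
    denies the call whenever the trust policy conditions on sts:ExternalId."""
    profile = profiles[profile_name]
    if "role_arn" not in profile:
        raise ValueError(f"profile {profile_name!r} has no role_arn to assume")
    if profile.get("source_profile") not in profiles:
        raise ValueError(f"profile {profile_name!r} names an unknown source_profile")
    request = {"RoleArn": profile["role_arn"], "RoleSessionName": session_name}
    if "external_id" in profile:
        request["ExternalId"] = profile["external_id"]
    if "duration_seconds" in profile:
        request["DurationSeconds"] = int(profile["duration_seconds"])
    return request


def _account_of(arn):
    # arn:partition:service:region:account-id:resource -> account-id is field 4
    return arn.split(":")[4]


def evaluate_trust_policy(policy, caller_arn, request):
    """Offline model of trust-policy evaluation for an AssumeRole request.
    Only an account-root AWS principal, sts:AssumeRole and a StringEquals
    condition on sts:ExternalId are modelled. Returns (allowed, reason)."""
    caller_account = _account_of(caller_arn)
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        principal = statement.get("Principal", {})
        principals = principal.get("AWS", []) if isinstance(principal, dict) else []
        principals = [principals] if isinstance(principals, str) else principals
        # "arn:aws:iam::ACCOUNT:root" trusts every principal in that account.
        if f"arn:aws:iam::{caller_account}:root" not in principals:
            continue
        # A request without ExternalId has no value for the key, so the
        # StringEquals condition cannot match and the statement does not apply.
        context = {"sts:ExternalId": request.get("ExternalId")}
        string_equals = statement.get("Condition", {}).get("StringEquals", {})
        if any(context.get(key) != value for key, value in string_equals.items()):
            continue
        return True, "allowed by trust policy"
    return False, (f"AccessDenied: User: {caller_arn} is not authorized to perform: "
                   f"sts:AssumeRole on resource: {request['RoleArn']}")


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_CONFIG)
    req = build_assume_role_request(profiles, "access_development")
    caller = "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_AdministratorAccess_placeholder/foo.bar@acme.com"
    print("with ExternalId:   ", evaluate_trust_policy(TRUST_POLICY, caller, req))
    req_without = {k: v for k, v in req.items() if k != "ExternalId"}
    print("without ExternalId:", evaluate_trust_policy(TRUST_POLICY, caller, req_without))
```

The second call reproduces the shape of the error in the reports: the caller is in the trusted account, so the principal matches, but with no `ExternalId` in the request the condition fails and the outcome is a denial rather than a more specific message. That is also why removing the `Condition` block, or passing `--external-id` to the CLI by hand, makes the call succeed.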

chrnorm commented 1 month ago

Thanks @conzy, I’ve reopened this issue. I think the most likely cause is that Granted is not respecting the external_id config property on the profile