duo-labs / cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
BSD 3-Clause "New" or "Revised" License
5.9k stars, 800 forks

Unable to collect data when assuming role #844

Open serialp opened 3 years ago

serialp commented 3 years ago

I am running cloudmapper on Docker and I got this issue:

```bash
# assume the read-only role and export the temporary credentials it returns
aws sts assume-role --role-arn "arn:aws:iam::XXXXXXXXX:role/read-user" --role-session-name random_name

export AWS_ACCESS_KEY_ID=XXXXXX
export AWS_SECRET_ACCESS_KEY=XXXXX
export AWS_SESSION_TOKEN=XXXXXXX
export AWS_PROFILE=XXXXX

# start the container (note: only the key id and secret are forwarded with -e; AWS_SESSION_TOKEN and AWS_PROFILE are not)
export $(aws-vault exec read-user --no-session -- env | grep ^AWS | xargs) && docker run -ti -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY -p 8000:8000 cloudmapper /bin/bash

# inside the container
python cloudmapper.py configure add-account --config-file config.json --name my_aws_user_account --id XXXXXXXXX

python cloudmapper.py collect --profile xxxxx --config config.json --account my_aws_user_account
```

```
Getting region names
Traceback (most recent call last):
  File "cloudmapper.py", line 72, in <module>
    main()
  File "cloudmapper.py", line 66, in main
    commands[command].run(arguments)
  File "/opt/cloudmapper/commands/collect.py", line 604, in run
    collect(args)
  File "/opt/cloudmapper/commands/collect.py", line 278, in collect
    region_list = ec2.describe_regions()
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 635, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the DescribeRegions operation: You are not authorized to perform this operation.
```

Since I don't have any rights on my_aws_user_account, I am assuming a role to perform this task. Am I doing everything right?

Thank you for your help!

w0rmr1d3r commented 3 years ago

Hello @serialp! I believe we might need to know which policies that role has, because it might be lacking the DescribeRegions permission it needs to complete the task.

If you can find any way to add those permissions, it'd be just fine.

Any comments on this @0xdabbad00 ?

0xdabbad00 commented 3 years ago

Something is wrong with their privileges. @serialp You could modify the collect.yaml to move the request for sts get-caller-identity to the top of the file so that it will be called first, and you can check that you are working from the IAM role you thought you were.
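The two diagnostics raised in this thread (confirm which principal the credentials resolve to before collecting, and confirm that principal can call ec2:DescribeRegions) can be run as a stand-alone preflight script, shown here as an added example that is not part of CloudMapper or of this thread. It assumes boto3-style clients for sts and ec2; the function names, the constructed account id and role name are placeholders, and the session-token check reflects the docker run command in the original post, which forwards only the key id and secret.

```python
import os
import re
import sys

# ARN shapes that sts:GetCallerIdentity returns (account ids here are constructed placeholders):
#   assumed role: arn:aws:sts::123456789012:assumed-role/read-user/random_name
#   IAM user:     arn:aws:iam::123456789012:user/alice
ASSUMED_ROLE_RE = re.compile(r"^arn:aws[\w-]*:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/.+$")
IAM_PRINCIPAL_RE = re.compile(r"^arn:aws[\w-]*:iam::(?P<account>\d{12}):(user|root)")

def parse_caller_arn(arn):
    """Return (account_id, role_name); role_name is None unless the caller is an assumed role."""
    m = ASSUMED_ROLE_RE.match(arn)
    if m:
        return m.group("account"), m.group("role")
    m = IAM_PRINCIPAL_RE.match(arn)
    return (m.group("account"), None) if m else (None, None)

def missing_credential_vars(env):
    """Assumed-role credentials are a triple: without AWS_SESSION_TOKEN the key pair cannot authenticate."""
    required = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
    return [name for name in required if not env.get(name)]

def preflight(sts, ec2, expected_account, expected_role):
    """Return a list of problems (empty means collect can proceed). sts/ec2 are boto3-style
    clients; only get_caller_identity() and describe_regions() are used, so stubs work offline."""
    problems = []
    arn = sts.get_caller_identity()["Arn"]
    account, role = parse_caller_arn(arn)
    if account != expected_account:
        problems.append(f"credentials resolve to account {account}, expected {expected_account}")
    if role != expected_role:
        problems.append(f"caller is {arn}, not assumed role {expected_role}")
    try:
        ec2.describe_regions()  # the first call collect makes; the one that failed in this issue
    except Exception as exc:  # botocore raises ClientError; surface its error code when present
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)
        problems.append(f"ec2:DescribeRegions failed with {code}; collect cannot list regions")
    return problems

if __name__ == "__main__":
    import boto3  # imported lazily so the helpers above work without boto3 installed
    expected_account, expected_role = sys.argv[1], sys.argv[2]  # e.g. 123456789012 read-user
    missing = missing_credential_vars(os.environ)
    problems = [f"missing credential variables: {', '.join(missing)}"] if missing else []
    session = boto3.Session()  # reads the same AWS_* variables that docker run -e forwards
    problems += preflight(session.client("sts"), session.client("ec2"), expected_account, expected_role)
    print("\n".join(problems) or "OK: identity confirmed and ec2:DescribeRegions permitted")
    sys.exit(1 if problems else 0)
```

Run it inside the container before `cloudmapper.py collect`; a non-zero exit with "caller is arn:aws:iam::...:user/..." means the container never received the assumed-role credentials.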

serialp commented 3 years ago

Thanks a lot guys. @w0rmr1d3r, the role has ReadOnlyAccess policies (+ the Security and Audit policies required for cloudmapper). But for now I just created a specific user with the required policies to run the report, which runs fine.

@0xdabbad00 Thanks, will try it. Do you guys have any suggestion on how to export the diagram in PNG or another format than JSON? (I didn't yet find a tool that could better represent a diagram with several VPCs and subnets in a single region.)