duo-labs / cloudtracker

CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
BSD 3-Clause "New" or "Revised" License

Role not found but it does exist #41

Closed poflynn closed 5 years ago

poflynn commented 5 years ago

For the life of me I can't figure out why this isn't working. Every other role (built the same way using terraform) works fine, just not this one. I'm not sure how to begin debugging this?

(PS Note I redacted some stuff in this log)

cloudtracker --account demo --role build-jenkins
INFO     Source of CloudTrail logs: s3://wd-697111119245-bucket/
INFO     Using AWS identity: arn:aws:sts::697111119245:assumed-role/SSOAdminRole/botocore-session-1540918197
INFO     Using output bucket: s3://aws-athena-query-results-697111119245-us-west-2
INFO     Account cloudtrail log path: s3://wd-697111119245-bucket//AWSLogs/697111119245/CloudTrail
INFO     Checking if all partitions for the past 12 months exist
Traceback (most recent call last):
  File "/Users/paul.oflynn/workspace/venv/bin/cloudtracker", line 11, in <module>
    load_entry_point('cloudtracker==2.1.2', 'console_scripts', 'cloudtracker')()
  File "/Users/paul.oflynn/workspace/venv/lib/python3.7/site-packages/cloudtracker/cli.py", line 104, in main
    run(args, config, args.start, args.end)
  File "/Users/paul.oflynn/workspace/venv/lib/python3.7/site-packages/cloudtracker/__init__.py", line 481, in run
    role_iam = get_role_iam(rolename, account_iam)
  File "/Users/paul.oflynn/workspace/venv/lib/python3.7/site-packages/cloudtracker/__init__.py", line 219, in get_role_iam
    raise Exception("Unknown role named {}".format(rolename))
Exception: Unknown role named build-jenkins
(venv) cloud-tracker $ aws iam get-role --role-name build-jenkins
{
    "Role": {
        "Path": "/jenkins/",
        "RoleName": "build-jenkins",
        "RoleId": "AROAI2***********",
        "Arn": "arn:aws:iam::697111119245:role/jenkins/build-jenkins",
        "CreateDate": "2018-10-29T17:26:16Z",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::697111119245:role/nodes.*******.com",
                        "Service": "ec2.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        },
        "MaxSessionDuration": 3600
    }
}
(venv) cloud-tracker $

0xdabbad00 commented 5 years ago

Make sure build-jenkins is in the IAM data you downloaded. You should have a file like account-data/youraccount.json. The role needs to appear in that file.

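The check suggested above can be scripted so that a missing or renamed role is caught before CloudTracker raises "Unknown role named ...". The following is an added example written for this thread, not code from the cloudtracker project. It assumes that account-data/youraccount.json is the output of `aws iam get-account-authorization-details` (a JSON document with a `RoleDetailList` array of role objects carrying `RoleName`, `Path` and `Arn`); the snapshot contents, account id and live role list below are constructed sample data, and `check`, `find_role`, `snapshot_drift` and `load_snapshot` are names chosen here.

```python
"""Verify that a role is present in a downloaded IAM snapshot and report drift
between the snapshot and the roles that exist in the account today.

Added example for this issue; not part of cloudtracker.  Assumes the snapshot
has the shape of `aws iam get-account-authorization-details` output.
"""
import json

# Constructed sample snapshot (stand-in for account-data/youraccount.json).
# It still lists the role under its old name, as happened in the issue:
# the role was renamed after the snapshot was taken.
SNAPSHOT_JSON = """{
  "UserDetailList": [],
  "GroupDetailList": [],
  "RoleDetailList": [
    {"Path": "/jenkins/", "RoleName": "jenkins-build",
     "Arn": "arn:aws:iam::111111111111:role/jenkins/jenkins-build"},
    {"Path": "/", "RoleName": "deploy",
     "Arn": "arn:aws:iam::111111111111:role/deploy"}
  ],
  "Policies": []
}"""

# Constructed list of role names as the account reports them now
# (what `aws iam list-roles` would return, embedded here so this runs offline).
LIVE_ROLE_NAMES = ["build-jenkins", "deploy"]


def load_snapshot(text):
    """Parse the snapshot JSON text into a dict."""
    return json.loads(text)


def snapshot_roles(snapshot):
    """Return {RoleName: role-object} for every role in the snapshot."""
    return {r["RoleName"]: r for r in snapshot.get("RoleDetailList", [])}


def find_role(snapshot, rolename):
    """Look a role up by name in the snapshot; None if it is not there.

    This is the lookup that fails with 'Unknown role named ...' when the
    snapshot predates a rename."""
    return snapshot_roles(snapshot).get(rolename)


def snapshot_drift(snapshot, live_role_names):
    """Compare snapshot roles with live role names.

    Returns (missing_from_snapshot, stale_in_snapshot):
    - roles that exist live but are absent from the snapshot
      (CloudTracker cannot analyse these until the snapshot is re-downloaded)
    - roles in the snapshot that no longer exist live (renamed or deleted)."""
    snap = set(snapshot_roles(snapshot))
    live = set(live_role_names)
    return sorted(live - snap), sorted(snap - live)


def check(rolename, snapshot_text=SNAPSHOT_JSON, live_role_names=LIVE_ROLE_NAMES):
    """Run the lookup and the drift comparison for one role name."""
    snapshot = load_snapshot(snapshot_text)
    missing, stale = snapshot_drift(snapshot, live_role_names)
    return {
        "found": find_role(snapshot, rolename) is not None,
        "missing_from_snapshot": missing,
        "stale_in_snapshot": stale,
    }


if __name__ == "__main__":
    result = check("build-jenkins")
    if not result["found"]:
        print("role not in snapshot; re-download account-data before running cloudtracker")
    print("missing from snapshot:", result["missing_from_snapshot"])
    print("stale in snapshot:", result["stale_in_snapshot"])
```

Any name listed as missing from the snapshot will produce the same exception shown in the traceback above, so the fix is always the same: regenerate the account-data JSON and re-run. The stale list is useful in the other direction, since roles that only exist in an old snapshot would otherwise be analysed against CloudTrail activity that can no longer be attributed to them.
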
poflynn commented 5 years ago

Ah, that was it, the role had been renamed since I first created the json file. I didn't realize the role data was in that file, thx