ezra-buckingham / terry-the-terraformer

A CLI for deploying red team infrastructure across multiple cloud providers, all integrated with a virtual Nebula network, and full ELK integration
https://github.com/ezra-buckingham/terry-the-terraformer/wiki
MIT License

Issues Authenticating to AWS registry #44

Closed 5stars217 closed 1 year ago

5stars217 commented 1 year ago

Hi,

Thank you for creating this project, I am enjoying it so far. I am having some difficulty configuring terry to log in to my private AWS ECR. I had things working with public Docker beforehand.

My repository URI is

  "repositoryUri": "123456.dkr.ecr.us-west-2.amazonaws.com/

aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 123456.dkr.ecr.us-west-2.amazonaws.com results in a successful login in local testing, and I've pushed containers with this method.

My config.yml looks as such (hardcoding in the file while I troubleshoot):

  container_registry_username: AWS 
  container_registry_password: <AKIAR...>~<j...1>
  container_registry_strategy: aws # If using AWS ECR, specify "aws"

output from terry on run:

TASK [Authenticate to the container registry] **********************************
skipping: [54.148.58.116]
included: /opt/terry-the-terraformer/playbooks/core/login-to-container-registry.yml for 35.92.206.208

TASK [Prepare the container registry URL for parsing] **************************
skipping: [35.92.206.208]

TASK [Extract the AWS Account ID and Region from ECR URL] **********************
skipping: [35.92.206.208]

TASK [Authenticate to the container registry (aws strategy)] *******************
skipping: [35.92.206.208]

TASK [Authenticate to the container registry (default strategy)] ***************
fatal: [35.92.206.208]: FAILED! => {"changed": false, "msg": "Logging into https://123456.dkr.ecr.us-west-2.amazonaws.com for user AWS failed - 500 Server Error for http+docker://localhost/v1.41/auth: Internal Server Error (\"login attempt to https://123456.dkr.ecr.us-west-2.amazonaws.com/v2/ failed with status: 400 Bad Request\")"}

I see that it's a 400 bad request, and probably an issue with my config.yml - but I can't figure out what syntax it's looking for, if I've done something wrong.

I'll make a PR to improve the config-example.yml once I know what I'm doing wrong.

5stars217 commented 1 year ago

Hi!

I noticed some code changes a few hours ago related to AWS authentication. I tested what is here by pulling the new version of the code and reconfiguring my config.yml files.

Where 34.215.117.212 is the address of the teamserver for which a container image is being requested (cobaltstrike, using the container mappings example.yml updated with the appropriate image location).

skipping: [35.89.8.160]
included: /opt/new-terry-the-terraformer/terry-the-terraformer/playbooks/core/login-to-container-registry.yml for 34.215.117.212

TASK [Install the AWS CLI] *****************************************************
skipping: [34.215.117.212]

TASK [Prepare the container registry URL for parsing] **************************
skipping: [34.215.117.212]

TASK [Extract the AWS Account ID and Region from ECR URL] **********************
skipping: [34.215.117.212]

TASK [Authenticate to the container registry (aws strategy)] *******************
skipping: [34.215.117.212]

TASK [Authenticate to the container registry (default strategy)] ***************
fatal: [34.215.117.212]: FAILED! => {"changed": false, "msg": "Logging into 123456dkr.ecr.us-west-2.amazonaws.com for user AKIA.... failed - 500 Server Error for http+docker://localhost/v1.41/auth: Internal Server Error (\"login attempt to https://123456.dkr.ecr.us-west-2.amazonaws.com/v2/ failed with status: 401 Unauthorized\")"}

My config.yml looks like this for AWS, which matches your new, updated descriptions. Thank you for those.

Something is still not right, but I am unable to troubleshoot why the login steps are skipped for a host where it is required.

  container_registry: 123456.dkr.ecr.us-west-2.amazonaws.com
  container_registry_username: AKIA....
  container_registry_password: blah....
  container_registry_strategy: aws # If using AWS ECR, specify "aws"

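Both logs above show the same shape of failure: the "aws strategy" task is skipped, Ansible falls through to the default strategy (a plain docker login with whatever is in config.yml), and the registry's /v2/ endpoint answers 400 and then 401, because neither a long-lived key pair nor an access key ID used as the username is what ECR accepts. ECR basic auth takes the literal username AWS and the short-lived token from aws ecr get-login-password (valid for 12 hours); the IAM access key and secret are consumed by the AWS CLI, not by docker login. The script below is an added example, not code from terry-the-terraformer's playbooks, that does by hand what the "Extract the AWS Account ID and Region from ECR URL" and "Authenticate to the container registry (aws strategy)" tasks are named for. The 12-digit account ID, the hostnames, the ECR_DRY_RUN switch and the function names are placeholders of mine.

```shell
#!/bin/sh
# Added example (not from terry-the-terraformer): log Docker in to a private
# AWS ECR registry the way the reporter's hand-run command does, after
# extracting the account id and region from the registry hostname.
# Account id 123456789012 and the hostnames used here are placeholders.
set -eu

# ecr_parse <registry-url-or-host>
# Accepts "<account>.dkr.ecr[-fips].<region>.amazonaws.com[.cn]", with an
# optional https:// scheme and repository path. Prints "account region host"
# on success and returns 1 for anything that is not an ECR registry host.
ecr_parse() {
    local host fields
    host=${1#https://}       # docker login tolerates the scheme; strip it
    host=${host%%/*}         # drop "/myrepo" and anything after it
    # \1 = 12-digit account id, \3 = region (us-west-2, us-gov-west-1, cn-north-1, ...)
    fields=$(printf '%s\n' "$host" | sed -nE \
        's/^([0-9]{12})\.dkr\.ecr(-fips)?\.([a-z]{2}(-gov)?-[a-z]+-[0-9])\.amazonaws\.com(\.cn)?$/\1 \3/p')
    [ -n "$fields" ] || return 1
    printf '%s %s\n' "$fields" "$host"
}

# ecr_login <registry-url-or-host>
# The username is the literal string "AWS" and the password is the token from
# `aws ecr get-login-password` (valid for 12 hours). IAM access keys belong to
# the AWS CLI (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY or a named profile),
# not to docker login: handing AKIA.../secret straight to docker login is
# what produces the 401 Unauthorized seen in the thread.
# With ECR_DRY_RUN=1 the pipeline is printed instead of executed, so the
# parsing can be checked on a host without AWS credentials or Docker.
ecr_login() {
    local registry fields account region host
    registry=$1
    if ! fields=$(ecr_parse "$registry"); then
        echo "ecr_login: '$registry' is not an ECR registry host" >&2
        return 2
    fi
    # shellcheck disable=SC2086  # word-splitting the three fields is intended
    set -- $fields
    account=$1 region=$2 host=$3
    if [ "${ECR_DRY_RUN:-0}" = 1 ]; then
        printf 'aws ecr get-login-password --region %s | docker login --username AWS --password-stdin %s\n' \
            "$region" "$host"
        return 0
    fi
    echo "logging in to ECR account $account in $region" >&2
    aws ecr get-login-password --region "$region" |
        docker login --username AWS --password-stdin "$host"
}

# Usage: ./ecr-login.sh 123456789012.dkr.ecr.us-west-2.amazonaws.com
if [ "$#" -gt 0 ]; then
    ecr_login "$1"
fi
```

Because the token expires after 12 hours, it is not something to hardcode in config.yml; what belongs in configuration (or better, in the environment or an AWS profile on the Ansible controller) is the IAM key pair, which the aws CLI then turns into a fresh token at run time.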
ezra-buckingham commented 1 year ago

Hey! Totally missed the first issue, but I am still in development of support for AWS ECR. I have found a few bugs that still need working out.

ezra-buckingham commented 1 year ago

It looks like the bug you are seeing is exactly the bug I need to fix. Terry will not cascade the value in the config that you have set as aws to the runtime. I will look into this tonight unless you want to make a PR.

ezra-buckingham commented 1 year ago

Fixed https://github.com/ezra-buckingham/terry-the-terraformer/commit/53a3b05b501a3998f91ba91cb5b668ea1aaf988c