fugue / credstash

A little utility for managing credentials in the cloud
Apache License 2.0

Cross account assumed role references wrong table #227

Open atharvai opened 5 years ago

atharvai commented 5 years ago

I'm using an assumed role and passing the keys to credstash along with the session token. All of this is in Python (not the CLI). However, I'm unable to query the DynamoDB table correctly.

Code:

import boto3
import credstash

# Placeholders for the secret name and version (set by the caller in the real code);
# an empty version asks credstash for the latest version of the secret.
property_name = 'my-secret'
version = ''

# Assume the role in the account that owns the credstash table.
sts_client = boto3.client('sts')
_assumed_role = sts_client.assume_role(
    RoleArn="arn:aws:iam::ACCOUNT_A:role/CredstashRole",
    RoleSessionName="AssumeRoleSession1"
)

# Pass the temporary credentials, including the session token, through to credstash.
secret = credstash.getSecret(property_name, version or '',
                             region='us-east-1',
                             table='credential-store',
                             aws_access_key_id=_assumed_role['Credentials']['AccessKeyId'],
                             aws_secret_access_key=_assumed_role['Credentials']['SecretAccessKey'],
                             aws_session_token=_assumed_role['Credentials']['SessionToken']
                             )

Error:

User: arn:aws:sts::ACCOUNT_B:assumed-role/CrossAccountCredstashRole not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-1:ACCOUNT_B:table/credential-store

It appears credstash is trying to query the ACCOUNT_B table when it actually exists in ACCOUNT_A. If I specify table= I get a validation error:

An error occurred (ValidationException) when calling the Scan operation: 1 validation error detected: Value 'arn:aws:dynamodb:us-east-1:ACCOUNT_A:table/credential-store' at 'tableName' failed to satisfy constraint: Member must satisfy regular expression pattern: [a-zA-Z0-9_.-]+

ref: https://github.com/fugue/credstash/wiki/Setting-up-cross-account-access

Any way to resolve this?
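One way to pin down which account the credentials actually resolve to before credstash issues the Scan, as an added example that is not part of this issue or of credstash itself: it checks that table= is a bare table name matching the pattern from the ValidationException, assumes the role, and compares the account in the sts:GetCallerIdentity ARN with the account in the role ARN, which would flag the ACCOUNT_B-versus-ACCOUNT_A mismatch shown in the error. The helper names, the role session name and the placeholder account ids are assumptions; the keyword arguments to credstash.getSecret are the ones the issue already uses.

```python
import re

# DynamoDB table-name constraint, as quoted in the ValidationException above.
TABLE_NAME_RE = re.compile(r"^[a-zA-Z0-9_.-]+$")


def validate_table_name(table):
    """credstash's table= takes a bare table name; a table ARN fails this pattern."""
    if not TABLE_NAME_RE.match(table):
        raise ValueError(f"table must match {TABLE_NAME_RE.pattern}, got {table!r}")
    return table


def account_from_arn(arn):
    """Return the account field (5th colon-separated part) of an IAM/STS ARN."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[4]


def same_account(caller_identity_arn, role_arn):
    """True when the credentials in use belong to the account that owns the role (and table)."""
    return account_from_arn(caller_identity_arn) == account_from_arn(role_arn)


def get_cross_account_secret(name, role_arn, table="credential-store", region="us-east-1", version=""):
    """Assume role_arn, confirm the session really is in that account, then read the secret."""
    import boto3      # imported lazily so the pure helpers above work without boto3 installed
    import credstash

    validate_table_name(table)
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="credstash-read"  # session name is an assumption
    )["Credentials"]
    session = boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    identity = session.client("sts").get_caller_identity()
    if not same_account(identity["Arn"], role_arn):
        raise RuntimeError(f"session is {identity['Arn']}, but the table lives in "
                           f"account {account_from_arn(role_arn)}")
    # Same keyword arguments the issue passes; credstash forwards them to boto3.Session.
    return credstash.getSecret(name, version, region=region, table=table,
                               aws_access_key_id=creds["AccessKeyId"],
                               aws_secret_access_key=creds["SecretAccessKey"],
                               aws_session_token=creds["SessionToken"])
```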