Closed gene1wood closed 6 years ago
https://github.com/mozilla/security/blob/master/operations/ipquery/ipquery/__init__.py
Instead of failing and throwing an exception, this should gracefully report the failing account and continue scanning the remaining accounts.
Example error
[Tue Sep 08 22:47:08.784802 2015] [:error] [pid 17214] ERROR:boto:403 Forbidden
[Tue Sep 08 22:47:08.784925 2015] [:error] [pid 17214] ERROR:boto:<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
[Tue Sep 08 22:47:08.784933 2015] [:error] [pid 17214] <Error>
[Tue Sep 08 22:47:08.784936 2015] [:error] [pid 17214] <Type>Sender</Type>
[Tue Sep 08 22:47:08.784938 2015] [:error] [pid 17214] <Code>AccessDenied</Code>
[Tue Sep 08 22:47:08.784940 2015] [:error] [pid 17214] <Message>User arn:aws:sts::123456789012:assumed-role/OpSecTrustedAuditor/i-3ddc99ca is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::234567890121:role/opsec-security-audit-role-OpSecSecurityAuditRole-ABCDEFGHIJKL</Message>
[Tue Sep 08 22:47:08.784956 2015] [:error] [pid 17214] </Error>
[Tue Sep 08 22:47:08.784958 2015] [:error] [pid 17214] <RequestId>8931b3f5-567b-11e5-b280-a1cef84524b0</RequestId>
[Tue Sep 08 22:47:08.784960 2015] [:error] [pid 17214] </ErrorResponse>
[Tue Sep 08 22:47:08.784961 2015] [:error] [pid 17214]
[Tue Sep 08 22:47:08.785349 2015] [:error] [pid 17214] ERROR:root:Unable to assume role arn:aws:iam::234567890121:role/opsec-security-audit-role-OpSecSecurityAuditRole-ABCDEFGHIJKL due to exception BotoServerError: 403 Forbidden
[Tue Sep 08 22:47:08.785356 2015] [:error] [pid 17214] <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
[Tue Sep 08 22:47:08.785358 2015] [:error] [pid 17214] <Error>
[Tue Sep 08 22:47:08.785359 2015] [:error] [pid 17214] <Type>Sender</Type>
[Tue Sep 08 22:47:08.785361 2015] [:error] [pid 17214] <Code>AccessDenied</Code>
[Tue Sep 08 22:47:08.785363 2015] [:error] [pid 17214] <Message>User arn:aws:sts::123456789012:assumed-role/OpSecTrustedAuditor/i-3ddc99ca is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::234567890121:role/opsec-security-audit-role-OpSecSecurityAuditRole-ABCDEFGHIJKL</Message>
[Tue Sep 08 22:47:08.785365 2015] [:error] [pid 17214] </Error>
[Tue Sep 08 22:47:08.785367 2015] [:error] [pid 17214] <RequestId>8931b3f5-567b-11e5-b280-a1cef84524b0</RequestId>
[Tue Sep 08 22:47:08.785368 2015] [:error] [pid 17214] </ErrorResponse>
[Tue Sep 08 22:47:08.785370 2015] [:error] [pid 17214]
[Tue Sep 08 22:47:08.788592 2015] [:error] [pid 17214] ERROR:ipquery:Exception on / [POST]
[Tue Sep 08 22:47:08.788602 2015] [:error] [pid 17214] Traceback (most recent call last):
[Tue Sep 08 22:47:08.788604 2015] [:error] [pid 17214] File "/opt/ipquery/virtualenv/lib/python2.7/site-packages/flask/app.py", line 1817, in wsgi_app
[Tue Sep 08 22:47:08.788606 2015] [:error] [pid 17214] response = self.full_dispatch_request()
[Tue Sep 08 22:47:08.788608 2015] [:error] [pid 17214] File "/opt/ipquery/virtualenv/lib/python2.7/site-packages/flask/app.py", line 1477, in full_dispatch_request
[Tue Sep 08 22:47:08.788610 2015] [:error] [pid 17214] rv = self.handle_user_exception(e)
[Tue Sep 08 22:47:08.788612 2015] [:error] [pid 17214] File "/opt/ipquery/virtualenv/lib/python2.7/site-packages/flask/app.py", line 1381, in handle_user_exception
[Tue Sep 08 22:47:08.788613 2015] [:error] [pid 17214] reraise(exc_type, exc_value, tb)
[Tue Sep 08 22:47:08.788615 2015] [:error] [pid 17214] File "/opt/ipquery/virtualenv/lib/python2.7/site-packages/flask/app.py", line 1475, in full_dispatch_request
[Tue Sep 08 22:47:08.788616 2015] [:error] [pid 17214] rv = self.dispatch_request()
[Tue Sep 08 22:47:08.788618 2015] [:error] [pid 17214] File "/opt/ipquery/virtualenv/lib/python2.7/site-packages/flask/app.py", line 1461, in dispatch_request
[Tue Sep 08 22:47:08.788619 2015] [:error] [pid 17214] return self.view_functions[rule.endpoint](**req.view_args)
[Tue Sep 08 22:47:08.788621 2015] [:error] [pid 17214] File "/opt/ipquery/virtualenv/lib/python2.7/site-packages/flask_login.py", line 758, in decorated_view
[Tue Sep 08 22:47:08.788622 2015] [:error] [pid 17214] return func(*args, **kwargs)
[Tue Sep 08 22:47:08.788624 2015] [:error] [pid 17214] File "/opt/ipquery/virtualenv/lib/python2.7/site-packages/ipquery/__init__.py", line 233, in main_page
[Tue Sep 08 22:47:08.788625 2015] [:error] [pid 17214] instance = search_for_instance(form.ip.data)
[Tue Sep 08 22:47:08.788627 2015] [:error] [pid 17214] File "/opt/ipquery/virtualenv/lib/python2.7/site-packages/ipquery/__init__.py", line 220, in search_for_instance
[Tue Sep 08 22:47:08.788629 2015] [:error] [pid 17214] all_instances = get_instances(role, region)
[Tue Sep 08 22:47:08.788630 2015] [:error] [pid 17214] File "/opt/ipquery/virtualenv/lib/python2.7/site-packages/flask_cache/__init__.py", line 537, in decorated_function
[Tue Sep 08 22:47:08.788637 2015] [:error] [pid 17214] rv = f(*args, **kwargs)
[Tue Sep 08 22:47:08.788639 2015] [:error] [pid 17214] File "/opt/ipquery/virtualenv/lib/python2.7/site-packages/ipquery/__init__.py", line 182, in get_instances
[Tue Sep 08 22:47:08.788641 2015] [:error] [pid 17214] app.config['ip2instance_policy'])
[Tue Sep 08 22:47:08.788642 2015] [:error] [pid 17214] File "/opt/ipquery/virtualenv/lib/python2.7/site-packages/flask_cache/__init__.py", line 537, in decorated_function
[Tue Sep 08 22:47:08.788644 2015] [:error] [pid 17214] rv = f(*args, **kwargs)
[Tue Sep 08 22:47:08.788645 2015] [:error] [pid 17214] File "/opt/ipquery/virtualenv/lib/python2.7/site-packages/ipquery/__init__.py", line 209, in get_assumed_role
[Tue Sep 08 22:47:08.788647 2015] [:error] [pid 17214] credentials = result['credentials'].credentials
[Tue Sep 08 22:47:08.788648 2015] [:error] [pid 17214] TypeError: 'bool' object has no attribute '__getitem__'
We've deprecated ipquery in favor of cloudhealth
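The behaviour the issue asks for, as an added example that is not ipquery's own code: a failed role assumption is recorded per account and the scan moves on. `assume_role`, `list_instances`, the result shape and the role ARNs are hypothetical stand-ins; the `False` return models the `'bool'` value seen in the traceback.

```python
import logging

log = logging.getLogger("ipquery_example")


class AssumeRoleError(Exception):
    """Credentials for one role could not be obtained."""


def get_credentials(assume_role, role_arn):
    """Normalise failures of assume_role, which may raise or return False."""
    try:
        result = assume_role(role_arn)
    except Exception as exc:  # e.g. a 403 AccessDenied from STS
        raise AssumeRoleError("%s: %s" % (type(exc).__name__, exc))
    if not isinstance(result, dict) or "credentials" not in result:
        raise AssumeRoleError("helper returned %r instead of credentials" % (result,))
    return result["credentials"]


def search_accounts(ip, role_arns, assume_role, list_instances):
    """Return (matches, failures); one bad account never aborts the scan."""
    matches, failures = [], []
    for role_arn in role_arns:
        try:
            creds = get_credentials(assume_role, role_arn)
        except AssumeRoleError as exc:
            log.warning("skipping %s: %s", role_arn, exc)
            failures.append((role_arn, str(exc)))  # reported to the caller
            continue
        matches += [i for i in list_instances(creds) if ip in i["ips"]]
    return matches, failures


def demo():
    """Constructed sample: three accounts, two of which cannot be assumed."""
    arns = ["arn:aws:iam::111111111111:role/example-%s" % n for n in "abc"]

    def assume_role(arn):  # hypothetical stand-in for the STS helper, offline
        if arn.endswith("-a"):
            return False  # failure swallowed upstream, as in the traceback
        if arn.endswith("-b"):
            raise RuntimeError("403 Forbidden")
        return {"credentials": arn}

    def list_instances(creds):  # hypothetical inventory lookup
        return [{"id": "i-0example", "ips": ["10.0.0.5"], "account": creds}]

    return search_accounts("10.0.0.5", arns, assume_role, list_instances)
```

Returning the failures alongside the matches lets the page show which accounts were not searched, so an empty result is not mistaken for "IP not found anywhere".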