nccgroup / PMapper

A tool for quickly evaluating IAM permissions in AWS.
GNU Affero General Public License v3.0

Invalid Group Name #64

Closed jfrazee216 closed 3 years ago

jfrazee216 commented 4 years ago

I am receiving an error when running pmapper against one of our AWS accounts. I can run the AWS CLI command for List Group Policies and am able to list all of the groups also. I am also able to use pmapper in another AWS account.

I do not see any noticeable group names that do not follow the criteria.

Obtaining IAM users in account
Obtaining IAM roles in account
Obtaining EC2 instance profiles in account
Obtaining Access Keys data for IAM users
Obtaining IAM groups in the account.
Connecting IAM users to their groups.
Obtaining policies used by all IAM users and roles
Obtaining policies used by IAM groups
Traceback (most recent call last):
  File "/usr/local/bin/pmapper", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/site-packages/principalmapper/__main__.py", line 187, in main
    return handle_graph(parsed_args)
  File "/usr/local/lib/python3.8/site-packages/principalmapper/__main__.py", line 207, in handle_graph
    graph = principalmapper.graphing.graph_actions.create_new_graph(session, checker_map.keys(), parsed_args.debug)
  File "/usr/local/lib/python3.8/site-packages/principalmapper/graphing/graph_actions.py", line 35, in create_new_graph
    return gathering.create_graph(session, service_list, sys.stdout, debug)
  File "/usr/local/lib/python3.8/site-packages/principalmapper/graphing/gathering.py", line 54, in create_graph
    policies_result = get_policies_and_fill_out(iamclient, nodes_result, groups_result, output, debug)
  File "/usr/local/lib/python3.8/site-packages/principalmapper/graphing/gathering.py", line 248, in get_policies_and_fill_out
    inline_policies = iamclient.list_group_policies(GroupName=group_name)
  File "/usr/local/lib/python3.8/site-packages/botocore/client.py", line 337, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.8/site-packages/botocore/client.py", line 656, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the ListGroupPolicies operation: The specified value for groupName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-

ncc-erik-steringer commented 4 years ago

Well this makes no sense to me.

The offending line is: inline_policies = iamclient.list_group_policies(GroupName=group_name)

The variable group_name is taken by splitting the ARN of the group by forward-slashes (/), and taking the last element (which should be the name of the group, even if it's under a path). So since it's built by calling IAM and extracting the name, I don't know how that wouldn't be okay to feed back into another call to IAM. I'm either completely missing something, or there's a bug in botocore.

Mind checking your version of botocore? Maybe throw in an update and retry?
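As an added illustration (not PMapper's own code), the following script reproduces the extraction ncc-erik-steringer describes, splitting each group ARN on "/" and taking the last element, and checks the result against the character set the ValidationError quotes, so the offending group can be found from the output of `aws iam list-groups` before any further API call. The ARNs and account id are constructed samples, not values from the reporter's account.

```python
import re

# Character class from the ValidationError quoted in the issue:
# "alphanumeric characters and/or the following: +=,.@_-"
IAM_NAME_RE = re.compile(r'^[A-Za-z0-9+=,.@_-]+$')


def group_name_from_arn(group_arn: str) -> str:
    """Mirror the extraction described in the thread: split on '/', keep the last element.

    An IAM group ARN has the form arn:aws:iam::<account>:group/<path...>/<name>.
    The path may be nested, so only the final slash-separated element is the name.
    """
    if not group_arn.startswith('arn:'):
        raise ValueError(f'not an ARN: {group_arn!r}')
    return group_arn.split('/')[-1]


def is_valid_iam_name(name: str) -> bool:
    """True if `name` satisfies the character set IAM enforces on GroupName."""
    return IAM_NAME_RE.fullmatch(name) is not None


def find_offending_groups(group_arns):
    """Return (arn, derived_name) pairs whose derived name IAM would reject.

    Feeding this the ARNs from `aws iam list-groups` pinpoints which group would
    make a later list_group_policies call fail, without calling the API.
    """
    offending = []
    for arn in group_arns:
        name = group_name_from_arn(arn)
        if not is_valid_iam_name(name):
            offending.append((arn, name))
    return offending


# Constructed sample ARNs; 123456789012 is a placeholder account id.
SAMPLE_GROUP_ARNS = [
    'arn:aws:iam::123456789012:group/Cloudwatch-Monitoring',
    'arn:aws:iam::123456789012:group/ops/oncall/Pager_Admins',  # nested path
    'arn:aws:iam::123456789012:group/Bad Name',                 # contains a space
    'arn:aws:iam::123456789012:group/trailing/',                # empty last element
]

if __name__ == '__main__':
    for arn, name in find_offending_groups(SAMPLE_GROUP_ARNS):
        print(f'would be rejected by IAM: {arn!r} -> GroupName={name!r}')
```

Run against real ARNs, a non-empty result names the group whose derived name fails the check; an empty result means the failure lies elsewhere (for example in how the ARN itself was produced).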

jfrazee216 commented 4 years ago

Thanks for the quick response.

My botocore version was botocore-1.17.52

I just did a fresh install via pip3 and now have boto3-1.14.53 botocore-1.17.53 s3transfer-0.3.3

Unfortunately, I receive the same error, though.

ncc-erik-steringer commented 4 years ago

Ah. Unfortunately I probably won't have a quick solution for you. Let me dig into it more and I'll try to get back to you this week.

jfrazee216 commented 4 years ago

If it helps, this would be an example group ARN from this AWS account.

arn:aws:iam::111222211121212:group/Cloudwatch-Monitoring

I also have been using the following command:

pmapper --profile default graph --create

jfrazee216 commented 4 years ago

No worries. I appreciate your help.

jfrazee216 commented 4 years ago

This is also using the following Python version:

❯ python --version
Python 3.8.5

ncc-erik-steringer commented 3 years ago

Sorry for being off by an order of magnitude about the response time.

If you're willing to use the bleeding edge, try the v1.1.0-dev branch in the meantime. Someone else I've worked with had success with that.

ncc-erik-steringer commented 3 years ago

Closing this since we're moving to v1.1.0 soon which fixes this issue.