nccgroup / opinel

Python code shared by Scout2 and AWS-Recipes
GNU General Public License v2.0

Support for duration in assume_role function #31

Open benghaun opened 6 years ago

benghaun commented 6 years ago

assume_role function found in opinel/utils/credentials.py does not support DurationSeconds parameter, unlike the init_sts_session parameter. This creates some issues when using Scout2 to scan large AWS accounts, as the default duration for the credentials using assume_role is only 1 hour, which may not be sufficient for scanning of a large AWS account. Suggest that assume_role should, like init_sts_session, take in a parameter for duration with a large default value.

x4v13r64 commented 6 years ago

Thanks for bringing this up, I'll look into it. Can you provide a rough estimate for the number of resources in the account for it to take more than an hour? Scout2 has been run on quite large accounts and it usually doesn't take over 15-20 minutes.

Also you can set it to 5 threads to go a bit faster.

benghaun commented 6 years ago

It can take more than an hour if there are over 10,000 resources, especially when it comes to EBS volume snapshots.

Additionally, while attempting to fix another issue, I came across another problem when it comes to scans that take a long time - when fetching credentials via read_cred, cached credentials are used if available, but this could be problematic with longer scans, since credentials that could be expiring soon (say, in 5 minutes) would still be used, and would likely expire in the middle of a scan.

x4v13r64 commented 6 years ago

All right, thanks!

roman-vynar commented 6 years ago

Same here, can we add DurationSeconds to sts_client.assume_role(**sts_args) ?

Not sure if it's better to add an arg to assume_role() call or a field to the existing credentials dict?
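The two changes discussed in this thread, as an added example that is not opinel's own code: an assume_role that forwards DurationSeconds to STS (checked against the 900..43200 second range STS accepts), and a cache check that refuses credentials which expire within a safety margin instead of handing them to a long scan. The function signatures, FakeSTS stand-in, FIXED_NOW clock, make_cached helper, margin value and the role ARN are all assumptions constructed for the example; only the assume_role keyword arguments and the Credentials dict shape are boto3's.

```python
from datetime import datetime, timedelta, timezone

# STS defaults to a 1 hour session; the role's MaxSessionDuration caps what
# can actually be requested (up to 12 hours). Assumed default for the example.
DEFAULT_DURATION_SECONDS = 3600
# Cached credentials with less than this left are treated as unusable (assumption).
EXPIRY_MARGIN = timedelta(minutes=15)


def assume_role(sts_client, role_arn, session_name,
                duration_seconds=DEFAULT_DURATION_SECONDS,
                external_id=None, mfa_serial=None, mfa_code=None):
    """Call AssumeRole with an explicit DurationSeconds and return the
    Credentials dict as boto3 returns it (AccessKeyId, SecretAccessKey,
    SessionToken, Expiration)."""
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    sts_args = {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
    }
    if external_id:
        sts_args["ExternalId"] = external_id
    if mfa_serial and mfa_code:
        sts_args["SerialNumber"] = mfa_serial
        sts_args["TokenCode"] = mfa_code
    return sts_client.assume_role(**sts_args)["Credentials"]


def credentials_usable(credentials, now=None, margin=EXPIRY_MARGIN):
    """True only if the credentials stay valid for longer than `margin`.
    Accepts Expiration as a datetime (boto3) or an ISO-8601 string (cache file)."""
    if not credentials:
        return False
    expiration = credentials.get("Expiration")
    if expiration is None:
        return True  # long-term access keys carry no expiry
    if isinstance(expiration, str):
        expiration = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
    if expiration.tzinfo is None:
        expiration = expiration.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return expiration - now > margin


def get_credentials(cache, sts_client, role_arn, session_name,
                    duration_seconds=DEFAULT_DURATION_SECONDS, now=None):
    """Reuse cached credentials only if they clear the margin; otherwise
    assume the role again for the requested duration and refresh the cache."""
    cached = cache.get(role_arn)
    if credentials_usable(cached, now=now):
        return cached
    fresh = assume_role(sts_client, role_arn, session_name, duration_seconds)
    cache[role_arn] = fresh
    return fresh


# --- constructed test fixtures so the example runs offline ---------------

FIXED_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


class FakeSTS:
    """Constructed stand-in for a boto3 STS client: records the call and
    returns credentials expiring DurationSeconds after FIXED_NOW."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {
            "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",
            "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-token",
            "Expiration": FIXED_NOW + timedelta(seconds=kwargs["DurationSeconds"]),
        }}


def make_cached(seconds_until_expiry):
    """Constructed cache entry that expires the given number of seconds after FIXED_NOW."""
    return {"AccessKeyId": "ASIACACHEDEXAMPLE", "SecretAccessKey": "s",
            "SessionToken": "t",
            "Expiration": FIXED_NOW + timedelta(seconds=seconds_until_expiry)}


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/Scout2"  # constructed ARN
    sts = FakeSTS()
    cache = {role: make_cached(300)}  # only 5 minutes left: would die mid-scan
    creds = get_credentials(cache, sts, role, "scout2", duration_seconds=7200, now=FIXED_NOW)
    print("refreshed:", creds["AccessKeyId"], "expires", creds["Expiration"])
    print("STS was asked for", sts.calls[0]["DurationSeconds"], "seconds")
```

Requesting more than the role's MaxSessionDuration makes STS reject the call, so a large default should be paired with that role setting; and a session obtained by chaining from another assumed-role session is limited to one hour regardless.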