punk-security / dnsReaper

dnsReaper - subdomain takeover tool for attackers, bug bounty hunters and the blue team!
GNU Affero General Public License v3.0

Using an IAM role, a custom profile or instance profile instead of passing AWS access and secret key #176

Open kyrylo-hulak opened 2 weeks ago

kyrylo-hulak commented 2 weeks ago

Hello Tech,

First of all, I wanted to thank you for such a great tool! I wanted to ask if you ever thought about enhancing the AWS provider so that a specific profile or IAM role can be passed to it instead of the AWS keys. The last option is inconvenient as it demands additional maintenance of those access keys, e.g. their rotation.

I have tried to pass an -e variable, like AWS_PROFILE, as well as mounting the local ~/.aws/ into the punksecurity/dnsreaper container. But it didn't work out. It returns this error:

docker run --rm -it -v ~/.aws/:/root/.aws:ro -e AWS_PROFILE="profile_name" punksecurity/dnsreaper aws

Error:
botocore.exceptions.ProfileNotFound: The config profile (profile_name) could not be found

Am I doing something wrong? I would appreciate your assistance on that. Thank you very much!

imnotbrandon commented 2 weeks ago

Hi,

If you don't provide keys then credentials are sourced according to the docs here, so AWS_PROFILE and any other AWS environment variable should be respected: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials

Are you trying to run dnsReaper on an EC2 instance with an IAM role attached? If so, it looks like you'll need to increase the hop limit to allow the docker container to fetch credentials from the metadata endpoint: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-existing-instances.html#modify-PUT-response-hop-limit

imnotbrandon commented 1 week ago

That's strange, the command you sent looks fine.

Could you try mounting the .aws directory to somewhere else e.g. /aws and set AWS_CONFIG_FILE and/or AWS_SHARED_CREDENTIALS_FILE environment variables?

I can't think of anything else right now, if that doesn't work I'll need to take a deeper look.

kyrylo-hulak commented 1 week ago

Hi @imnotbrandon,

If you don't provide keys then credentials are sourced according to the docs here, so AWS_PROFILE and any other AWS environment variable should be respected: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials

Yep, it is mentioned in the README. So that's why I decided to try it locally first. As you saw above, I have tried to pass a directory that contains the AWS credentials and config files. However, it errored, saying that it can't find a profile.

Are you trying to run dnsReaper on an EC2 instance with an IAM role attached?

I would like to run it on a Fargate service and attach an IAM role there to query Route53. But I wanted to see it working locally first.

Not sure why the container doesn't see the configuration files then. Thank you!

imnotbrandon commented 1 week ago

Hi,

I've just tested it locally and it's working as expected for me.

➜  ~ docker run --rm -it -v ~/.aws/:/root/.aws:ro -e AWS_PROFILE="punksecurity" punksecurity/dnsreaper aws
          ____              __   _____                      _ __       
         / __ \__  ______  / /__/ ___/___  _______  _______(_) /___  __
        / /_/ / / / / __ \/ //_/\__ \/ _ \/ ___/ / / / ___/ / __/ / / /
       / ____/ /_/ / / / / ,<  ___/ /  __/ /__/ /_/ / /  / / /_/ /_/ / 
      /_/    \__,_/_/ /_/_/|_|/____/\___/\___/\__,_/_/  /_/\__/\__, /  
                                             PRESENTS         /____/  
                              DNS Reaper ☠️

             Scan all your DNS records for subdomain takeovers!

Using IAM identity: arn:aws:sts::REDACTED:assumed-role/AWSReservedSSO_AWSAdministratorAccess_2440f09507fe4bd6/REDACTED
Got 4 records from aws
Testing with 61 signatures

We found 2 takeovers ☠️
-- DOMAIN 'vulnerable.punksecurity.io' :: SIGNATURE '_generic_cname_found_but_unregistered' :: CONFIDENCE 'CONFIRMED'
CNAME: saafedfewfewfew.com
-- DOMAIN 'vulnerable.punksecurity.io' :: SIGNATURE '_generic_cname_found_doesnt_resolve' :: CONFIDENCE 'POTENTIAL'
CNAME: saafedfewfewfew.com

⏱️  We completed in 3.56 seconds
...Thats all folks!

I think that the wrong profile name is being used or there's an issue with your .aws/config or .aws/credentials files.
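The two suggestions in this thread (point boto3 at the files with AWS_CONFIG_FILE / AWS_SHARED_CREDENTIALS_FILE, and check the profile name against .aws/config and .aws/credentials) can be checked without reaching AWS at all. The script below is an added diagnostic example, not part of dnsReaper or of anything posted here: it reimplements botocore's profile-discovery rules with the standard library only, resolves the file paths and profile name from the same environment variables boto3 reads, and reports which profiles exist and whether the requested one resolves. The sample config and credentials files it writes are constructed (placeholder account id, role name and key values); `diagnose`, `discover_profiles` and `write_sample_files` are names chosen for this example.

```python
"""Explain a botocore ProfileNotFound by listing the profiles botocore would see.

Added example, not dnsReaper code. Rules reproduced from botocore's config
loader: in the config file a non-default profile must be written
"[profile NAME]" (a bare "[NAME]" there is ignored), while in the shared
credentials file every section name is taken as a profile as written.
"""
import configparser
import os
import tempfile


def _read_sections(path):
    """Section names of an INI file; [] if the file is missing or malformed."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read(path)
    except configparser.Error:
        return []
    return parser.sections()


def discover_profiles(config_path, credentials_path):
    """Return {profile_name: [files it was defined in]} using botocore's naming rules."""
    profiles = {}
    for section in _read_sections(config_path):
        if section == "default":
            profiles.setdefault("default", []).append(config_path)
        elif section.startswith("profile "):
            name = section[len("profile "):].strip()
            profiles.setdefault(name, []).append(config_path)
        # Anything else ("[sso-session x]", or a mistyped "[myprofile]") is not a profile.
    for section in _read_sections(credentials_path):
        profiles.setdefault(section, []).append(credentials_path)
    return profiles


def diagnose(env):
    """Report on profile resolution for an environment mapping such as os.environ.

    Path and profile precedence follow boto3: AWS_CONFIG_FILE and
    AWS_SHARED_CREDENTIALS_FILE override ~/.aws/config and ~/.aws/credentials;
    AWS_DEFAULT_PROFILE is consulted before AWS_PROFILE, then "default".
    """
    home = env.get("HOME", os.path.expanduser("~"))
    config_path = env.get("AWS_CONFIG_FILE", os.path.join(home, ".aws", "config"))
    credentials_path = env.get(
        "AWS_SHARED_CREDENTIALS_FILE", os.path.join(home, ".aws", "credentials")
    )
    wanted = env.get("AWS_DEFAULT_PROFILE") or env.get("AWS_PROFILE") or "default"
    profiles = discover_profiles(config_path, credentials_path)
    return {
        "config_file": config_path,
        "config_file_exists": os.path.isfile(config_path),
        "credentials_file": credentials_path,
        "credentials_file_exists": os.path.isfile(credentials_path),
        "requested_profile": wanted,
        "profiles_found": sorted(profiles),
        "profile_resolves": wanted in profiles,
    }


def write_sample_files():
    """Create a CONSTRUCTED ~/.aws lookalike in a temp dir; returns (config, credentials)."""
    d = tempfile.mkdtemp(prefix="aws-sample-")
    config_path = os.path.join(d, "config")
    credentials_path = os.path.join(d, "credentials")
    with open(config_path, "w") as f:
        f.write(
            "[default]\n"
            "region = eu-west-1\n\n"
            "[myprofile]\n"                  # common mistake: missing "profile " prefix
            "region = eu-west-1\n\n"
            "[profile route53-reader]\n"     # correct form for a named profile
            "region = eu-west-1\n"
            "role_arn = arn:aws:iam::000000000000:role/EXAMPLE-ReadRoute53\n"  # placeholder
            "source_profile = default\n"
        )
    with open(credentials_path, "w") as f:
        f.write(
            "[default]\n"
            "aws_access_key_id = EXAMPLEKEYID\n"          # placeholder, not a real key
            "aws_secret_access_key = EXAMPLESECRET\n"     # placeholder, not a real key
        )
    return config_path, credentials_path


def demo():
    """Reproduce the thread's failure: AWS_PROFILE names a section written without the prefix."""
    config_path, credentials_path = write_sample_files()
    env = {
        "AWS_CONFIG_FILE": config_path,
        "AWS_SHARED_CREDENTIALS_FILE": credentials_path,
        "AWS_PROFILE": "myprofile",
    }
    return diagnose(env)


if __name__ == "__main__":
    # Run with no arguments to check the real environment, e.g. inside the container.
    report = diagnose(os.environ)
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["profile_resolves"]:
        print("botocore would raise ProfileNotFound for this profile name")
```

Run inside the container (for instance by mounting the script next to the mounted .aws directory) and the report shows which file paths boto3 will actually open and which names it recognises; a profile that appears in `profiles_found` only under a different spelling, or a `*_file_exists: False`, pinpoints the cause without touching any AWS API.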

kyrylo-hulak commented 1 week ago

Hi @imnotbrandon!

I am sorry for the delayed answer! I appreciate your replies! I think that's probably due to the fact that I have been running docker via minikube to overcome restrictions. However, minikube has its own nuances for mounting volumes. It should be done through minikube mount (https://minikube.sigs.k8s.io/docs/handbook/mount/). I wasn't able to use that yet for lack of time. Though, once I have tested it out, I will publish my findings. Thank you!