widdix / aws-ec2-ssh

Manage AWS EC2 SSH access with IAM
https://cloudonaut.io/manage-aws-ec2-ssh-access-with-iam/
MIT License

Error with using the ASSUMROLE configuration. #130

Closed cornevandersteen closed 6 years ago

cornevandersteen commented 6 years ago


When using the ASSUMROLE function with tag-enabled groups, there is a fault in reading the instance tags.

The problem is in the import_users.sh file.

On line 237 you set up the AWS credentials:

# setup the aws credentials if needed
setup_aws_credentials

And from line 248 you read the instance tags:

# init group and sudoers from tags
get_iam_groups_from_tag
get_sudoers_groups_from_tag

But when you are using the assume-role functionality, the setup_aws_credentials function uses the STSROLE. From that moment on, the describe-instance tags CLI command is executed in the assumed-role (IAM) account. The instance is not running there, so it can't find the tags.

What I did to solve this problem is: add an IAM policy to the instance which has access to describe the tags and to assume the role.

Then I deleted the setup_aws_credentials call on lines 237 & 238 and put it after line 251. Just after the tags are read, setup_aws_credentials is executed, which performs the STS assume-role into my IAM account.

michaelwittig commented 6 years ago

merged. Thanks @cornevandersteen