Request-IAMCredentialReport -Credential $creds does not refresh IAM Credential Reports

[faleon]

Describe the bug

When assuming a role in a remote account with appropiate permissions executing Request-IAMCredentialReport -Credential $creds does nothing.

Where:
$creds = (Use-STSRole -RoleArn 'arn:aws:iam::123456789123:role/myrole' -RoleSessionName 'role-session').Credentials

Expected Behavior

When executing Request-IAMCredentialReport -Credential $creds, a new IAM Credential Report should be available in the remote account if no report exists or the report is older than 4 hours.

Current Behavior

Request-IAMCredentialReport -Credential $creds returns a success response when it actually never sends a request to AWS.

Reproduction Steps

Execute the following interactively or via a script:

$account = '123456789123'
$roleName = 'myrole'
$role = "arn:aws:iam::$($account):role/$($roleName)"
$creds = (Use-STSRole -RoleArn $role -RoleSessionName "$($account)-IAMCredentialReport-bug").Credentials
Request-IAMCredentialReport -Credential $creds

Write-Host "Login to the AWS console for $($account) and check to see if a new IAM Credential Report was generated, or check the status using another AWS SDK."

Possible Solution

Update the -Credential function for Request-IAMCredentialReport.

Additional Information/Context

Making the same GenerateCredentialReport AWS API call by using an assumed role via other tools work.

AWS Tools for PowerShell version used

AWS.Tools.IdentityManagement.4.1.217

PowerShell version used

7.2 (LTS-current)

Operating System and version

CentOS 7.9.2009

[ashishdhingra]

Hi @faleon,

Good morning.

Thanks for reporting the issue. If you refer the documentation for Request-IAMCredentialReport, it states that:

• Calls the AWS Identity and Access Management GenerateCredentialReport API operation.
• The example also mentions that the CmdLet requests generation of a new report, which can be done every four hours. If the last report is still recent the State field reads COMPLETE. Use Get-IAMCredentialReport to view the completed report.

The documentation Getting credential reports for your AWS account mentions the following permissions are needed to create and download reports:

• To create a credential report: iam:GenerateCredentialReport
• To download the report: iam:GetCredentialReport

Given the output of Request-IAMCredentialReport command, looks like the report was already requested in the specified account within last 4 hrs since it returned the status as COMPLETE.

Could you please verify the following:

• You mentioned that making the same GenerateCredentialReport AWS API call by using an assumed role via other tools work. What tools or SDK are you using? If using SDK, could you share the sample code?
• Does your role has permissions iam:GenerateCredentialReport (I'm assuming it has this permission based on your CmdLet output) and iam:GetCredentialReport (for downloading the report)?
• Assuming that the role that you are using has proper permissions to download the report, have you tried using Get-IAMCredentialReport CmdLet with the same set of credentials as you used for Request-IAMCredentialReport? If yes, what is the output? The Request-IAMCredentialReport CmdLet just requests the report, whereas Get-IAMCredentialReport should return the report (refer documentation for Get-IAMCredentialReport for details and example).

Thanks,
Ashish

[faleon]

@ashishdhingra

You mentioned that making the same GenerateCredentialReport AWS API call by using an assumed role via other tools work. What tools or SDK are you using? If using SDK, could you share the sample code?

AWS SDK for Python. https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html
I'm not at my dev station to share Boto3 sample code, but doing the Reproduction Steps in boto3 is simple enough to figure out.

Does your role has permissions iam:GenerateCredentialReport (I'm assuming it has this permission based on your CmdLet output) and iam:GetCredentialReport (for downloading the report)?

Yes, the role has the necessary permissions including iam:*. I'll reiterate again that the GenerateCredentialReport AWS API works when called by other AWS tools/SDKS using the same assumed role - i.e. Boto3, AWS CLI, etc. AWS Tools for PowerShell's Request-IAMCredentialReport -Credential $creds command does not work as expected, hence the bug report.

Assuming that the role that you are using has proper permissions to download the report, have you tried using Get-IAMCredentialReport CmdLet with the same set of credentials as you used for Request-IAMCredentialReport? If yes, what is the output? The Request-IAMCredentialReport CmdLet just requests the report, whereas Get-IAMCredentialReport should return the report (refer documentation for Get-IAMCredentialReport for details and example).

Get-IAMCredentialReport works as expected. This bug report is for Request-IAMCredentialReport -Credential

[faleon]

Here is example working Boto3 code to accomplish what Request-IAMCredentialReport -Credential $creds cannot since it's broken:

#!/usr/local/bin/python3.9
import boto3
from boto3.session import Session
from botocore.exceptions import ClientError as ClientError


def start_session(account_id, region=None):
    role_arn = "arn:aws:iam::{}:role/myrole"
    if region:
        sts_client = boto3.client("sts", region_name=region, endpoint_url="https://sts."+region+".amazonaws.com")
    else:
        sts_client = boto3.client("sts")
    try:
        assumed_role = sts_client.assume_role(
            RoleArn=role_arn.format(account_id),
            RoleSessionName="IAMCredentialReport-Boto3"
        )
    except sts_client.exceptions.ClientError as e:
        return
    session = Session(aws_access_key_id=assumed_role['Credentials']['AccessKeyId'],
                      aws_secret_access_key=assumed_role['Credentials']['SecretAccessKey'],
                      aws_session_token=assumed_role['Credentials']['SessionToken'])
    return session


def main():
    boto3.setup_default_session(profile_name='myprofile')
    session = start_session(account_id)
    iam_client = session.client("iam")
    response = iam_client.generate_credential_report()
    return


if __name__ == "__main__":
    main()

[ashishdhingra]

Get-IAMCredentialReport works as expected. This bug report is for Request-IAMCredentialReport -Credential

@faleon This doesn't appear to be bug with Request-IAMCredentialReport CmdLet. The CmdLet simply calls GenerateCredentialReport which triggers generation of credential report for the AWS account. You are able to use Get-IAMCredentialReport successfully to get the reports, which clearly indicates the flow is working correctly. The -Credential parameter is common to all the CmdLets, not just Request-IAMCredentialReport, and represents AWSCredentials object instance containing access and secret key information, and optionally a token for session-based credentials.

Looking at your code, it is just invoking generation of report, not getting the report. For the Boto3 sample code, please refer https://github.com/aws-samples/aws-iam-credential-report/blob/main/python/iam-credential-report-code.py. The sample invokes iamClient.generate_credential_report() in a loop and once report generation is complete, it invokes iamClient.get_credential_report() to get the report.

For testing purposes, I created a role name testiamcredentialsreport with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GenerateCredentialReport",
                "iam:GetCredentialReport"
            ],
            "Resource": "*"
        }
    ]
}

Then I invoked the the following commands in succession:

$account = '<<account-id>>'
$roleName = 'testiamcredentialsreport'
$role = "arn:aws:iam::$($account):role/$($roleName)"
$creds = (Use-STSRole -RoleArn $role -RoleSessionName "$($account)-IAMCredentialReport-bug").Credentials

Request-IAMCredentialReport -Credential $creds

Write-Host "Login to the AWS console for $($account) and check to see if a new IAM Credential Report was generated, or check the status using another AWS SDK."

I executed Request-IAMCredentialReport -Credential $creds until the state was not completed. Then logged it to my AWS Console and was able to download the report (it doesn't list the report, just mentions that the report was generates x minuted before).

I'm unsure why you are unable to see the report in AWS console (as per your screenshot) given that you are able to use Get-IAMCredentialReport successfully and I was able to test it successfully. Are you looking in the correct AWS account?

Thanks,
Ashish

[faleon]

We're going to use Python for our workflows instead. Thanks for the help.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.