
AWS Organizations integration fails after scanning the first member account #34

Closed
acdha opened this issue Mar 21, 2022 · 2 comments
Labels
bug Something isn't working

Comments

@acdha

acdha commented Mar 21, 2022

Describe the bug

When run using org mode, the first member account will be scanned. All of the other accounts will fail.

Expected behavior

It should scan all of the member accounts.

Current behavior

Warning: Failed to assume role into Member Account …, skipping ...

If you remove the `2>/dev/null`, which discards the error output from the `aws sts assume-role` command, you'll see this additional detail:

Unable to locate credentials. You can configure credentials by running "aws configure".

Possible solution

Reviewing the code from #2, I believe the problem is related to the way `assume_role()` overwrites its current credentials with the assumed role credentials, which allows that account to be scanned but then causes all subsequent accounts to fail, since you'd need to call `sts:AssumeRole` using the original credentials.

```bash
SESSION_JSON=$(aws_sts_assume_role "${ACCOUNT_ASSUME_ROLE_ARN}")
if [ $? -ne 0 ] || [ -z "${SESSION_JSON}" ]; then
  ASSUME_ROLE_ERROR="true"
  echo " Warning: Failed to assume role into Member Account ${ACCOUNT_NAME} (${ACCOUNT_ID}), skipping ..."
else
  # Export environment variables used to connect to this member account.
  # These replace the credentials of the current shell, so the next call to
  # aws_sts_assume_role no longer runs as the original (management) identity.
  AWS_ACCESS_KEY_ID=$(echo "${SESSION_JSON}" | jq .Credentials.AccessKeyId 2>/dev/null | sed -e 's/^"//' -e 's/"$//')
  AWS_SECRET_ACCESS_KEY=$(echo "${SESSION_JSON}" | jq .Credentials.SecretAccessKey 2>/dev/null | sed -e 's/^"//' -e 's/"$//')
  AWS_SESSION_TOKEN=$(echo "${SESSION_JSON}" | jq .Credentials.SessionToken 2>/dev/null | sed -e 's/^"//' -e 's/"$//')
  export AWS_ACCESS_KEY_ID
  export AWS_SECRET_ACCESS_KEY
  export AWS_SESSION_TOKEN
fi
fi  # closes the enclosing if, which is not part of this excerpt
```

Steps to reproduce

  1. Run `resource-count-aws.sh org` with credentials in the Organization master account for an IAM user which has permission to assume the `OrganizationAccountAccessRole` in each member account.
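The failure mode described in this issue, and one way to avoid it, as an added shell example that is not part of resource-count-aws.sh: the first function exports the assumed-role keys into the current shell (the pattern quoted above), the second runs each account in a subshell so the management-account credentials are never replaced. The AWS CLI is replaced by a constructed stand-in (`aws_sts_assume_role`, the key `AKIAMANAGEMENTEXAMPLE` and the account IDs are all made up) so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example (not project code): leaking vs. subshell-scoped exports when
# assuming a role into each member account of an AWS Organization.

# Constructed stand-in for `aws sts assume-role --output json`: it succeeds only
# while the caller still holds the management-account key (the identity that is
# allowed to call sts:AssumeRole) and otherwise fails like the CLI in the issue.
aws_sts_assume_role() {
  local acct="${1#arn:aws:iam::}"; acct="${acct%%:*}"
  if [ "${AWS_ACCESS_KEY_ID:-}" != "AKIAMANAGEMENTEXAMPLE" ]; then
    echo 'Unable to locate credentials. You can configure credentials by running "aws configure".' >&2
    return 255
  fi
  printf '{"Credentials":{"AccessKeyId":"ASIA%s","SecretAccessKey":"s-%s","SessionToken":"t-%s"}}\n' \
    "$acct" "$acct" "$acct"
}

# Extract one string field from the flat JSON above (the real script uses jq).
json_field() { printf '%s' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"; }

# Pattern from the issue: the export lands in the current shell, so the second
# assume-role call runs with the first member account's temporary keys and fails.
scan_with_leaking_exports() {
  SCANNED=0; local id session_json
  for id in "$@"; do
    if session_json=$(aws_sts_assume_role "arn:aws:iam::${id}:role/OrganizationAccountAccessRole" 2>/dev/null); then
      AWS_ACCESS_KEY_ID=$(json_field AccessKeyId "$session_json"); export AWS_ACCESS_KEY_ID
      SCANNED=$((SCANNED + 1))
    else
      echo " Warning: Failed to assume role into Member Account ${id}, skipping ..."
    fi
  done
}

# Fixed pattern: the ( ... ) subshell scopes the exports to one account, so every
# iteration starts again from the management-account credentials of the parent.
scan_with_subshell() {
  SCANNED=0; local id
  for id in "$@"; do
    (
      session_json=$(aws_sts_assume_role "arn:aws:iam::${id}:role/OrganizationAccountAccessRole") || exit 1
      AWS_ACCESS_KEY_ID=$(json_field AccessKeyId "$session_json")
      AWS_SECRET_ACCESS_KEY=$(json_field SecretAccessKey "$session_json")
      AWS_SESSION_TOKEN=$(json_field SessionToken "$session_json")
      export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
      echo "scanning ${id} as ${AWS_ACCESS_KEY_ID}"   # the real per-account scan runs here
    ) && SCANNED=$((SCANNED + 1)) || echo " Warning: Failed to assume role into Member Account ${id}, skipping ..."
  done
}
```

Run with `export AWS_ACCESS_KEY_ID=AKIAMANAGEMENTEXAMPLE; scan_with_subshell 111111111111 222222222222` to see every account scanned; the leaking variant stops after the first.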
@acdha acdha added the bug Something isn't working label Mar 21, 2022
@tkishel
Contributor

tkishel commented Aug 9, 2022

Could you test the above PR?

@tkishel tkishel closed this as completed Aug 10, 2022