$PROFILE_OPT empty when working with assumed roles

[DB-Vincent]

Hi,

I'm trying to get Prowler working with assumed roles when executing the ./prowler -c checkXX -M html -p awsProfileWithSwitchRole -r region -A targetAccountId -R AssumedRole from my local machine. The issue is that I get 'Unable to locate credentials. You can configure credentials by running "aws configure".' and 'parse error: Invalid numeric literal at line 2, column 7' error messages.

From what we've found so far we can say the following things:

• The 'Unable to locate credentials. You can configure credentials by running "aws configure".' errors are not handled in include/assume_role
• The 'assume_role()'-function gets executed multiple times. The first time it gets executed correctly, but the executions after that execute it with the '$PROFILE_OPT' variable empty.
• With the provided hotfix (https://gist.github.com/toniblyx/f93e68c58e766be3be09a861d19ec718), no errors are shown, but the checks are executed on the 'awsProfileWithSwitchRole'-account and not on the 'targetAccountId'-account (as it should).

[toniblyx]

Thanks for reporting this issue and discuss it over Discord as well @DB-Vincent.

[halfluke]

I'm having the same issue and I found out that the latest version that works with assume_role seems to be prowler-2.3.0-18122020.
I did a diff on the two include/assume_role files: they are a bit different but I think something else is involved (credentials_report file for sure) and I was not able to fix the latest version

[toniblyx]

Thanks @halfluke that is a very helpful finding. I'll give it a look and see what is going on but please feel free to add here possible fixes if you find them.

[DB-Vincent]

I can confirm, prowler-2.3.0-18122020 works on my machine.

[toniblyx]

@halfluke as per @DB-Vincent finding, can you test it by making this change in prowler file? line 136, from this:

     p )
        PROFILE=$OPTARG
        ;;

to this:

     p )
        PROFILE=$OPTARG
        AWS_PROFILE=$OPTARG
        ;;

Not sure if this is the best way to solve the issue, however I have to diff 2.3 and latest to see what changes added this bug.

[toniblyx]

my gut feeling says that could be when I added the feature of renewing temporary credentials...

[DB-Vincent]

I feel obligated to mention that this is just a work around and that this probably isn't best practice. But it's a start!

[halfluke]

it doesn't seem to work either... I spent some hours trying to troubleshoot but no luck tbh
with change in line 136 + gist hotfix for assume_role file:
Date: Thu Nov 25 06:59:02 AM EST 2021
Access Denied trying to describe regions! Review permissions as described here: https://github.com/toniblyx/prowler/#requirements-and-installation
with change in line 136 only:
Date: Thu Nov 25 06:53:01 AM EST 2021
parse error: Invalid numeric literal at line 2, column 7
parse error: Invalid numeric literal at line 2, column 7
parse error: Invalid numeric literal at line 2, column 7
parse error: Invalid numeric literal at line 2, column 7
Generating AWS IAM Credential Report... - []
WARNING! Generate credential report unsuccessful

A csv file is generated with the correct account name but it has only one line...

[toniblyx]

Ok, I have tested this diff in my environment and it is working fine for this command ./prowler -g cislevel1 -M html -p 12345678912_AWSAdministratorAccess -r us-east-1 -A 11111111111 -R ProwlerExecRole

diff --git a/include/assume_role b/include/assume_role
index 95bd3e0..7445e51 100644
--- a/include/assume_role
+++ b/include/assume_role
@@ -58,6 +58,10 @@ assume_role(){
       textFail "The requested DurationSeconds exceeds the MaxSessionDuration set for the role ${PROWLER_ROLE}"
       EXITCODE=1
       exit $EXITCODE
+    elif [[ "$(grep ExpiredToken $TEMP_STS_ASSUMED_FILE)" ]]; then
+      textFail "ExpiredToken error with role: ${PROWLER_ROLE} and AWS Profile settings: $PROFILE_OPT"
+      EXITCODE=1
+      exit $EXITCODE
     fi

     # assume role command
@@ -76,8 +80,10 @@ assume_role(){
     fi

     # The profile shouldn't be used for CLI
-    PROFILE=""
-    PROFILE_OPT=""
+    if [[ $PROFILE == 'default' ]]; then
+        PROFILE=""
+        PROFILE_OPT=""
+    fi

Could you guys test it? Don't change anything in prowler file code.

[halfluke]

sorry but... what do I change in assume_role?

[toniblyx]

grab it from here, it is easier :) https://gist.github.com/toniblyx/8d4e5e2420b2185332ab35af067f8470

[halfluke]

Access Denied trying to describe regions! Review permissions as described here: https://github.com/toniblyx/prowler/#requirements-and-installation
and if I comment out get_regions in the main prowler file:
Generating AWS IAM Credential Report... - []
WARNING! Access Denied trying to generate credential report

the regions error is handled differently in Prowler 2.3.0.xxxx: I still get it but the script proceeds

I bet the real problem is the second one: the newest versions try to generate credentials report for the CALLER account, not for the "assumed role" account. I think you don't notice that because you have permissions on the caller account as well... but I don't in my environment

[toniblyx]

are you replacing that file in the latest release from master branch? Can you share the exact command you are running. when running aws sts get-caller-identity that principal can assume the role properly and that assumed role has enough permissions? It sounds more like a permissions issue. Deploy this template in the target account and it will help you to make sure that prowler has the right permissions https://github.com/toniblyx/prowler/blob/master/iam/create_role_to_assume_cfn.yaml

[toniblyx]

can you share what permission do you have in the source account? I'll try to replicate