fix(organizations): request Organization Info after assume_role occurs #2682
…er into bug-organization-info
Good catch @jchrisfarris !! Thank you for this fix 🚀
I can't reproduce it, @sergargar could you check it?
Yes, I'm on it
@sergargar This is how I'm calling it

```
prowler aws -M csv json json-asff html -b -z -S \
  --excluded-services route53 cloudwatch \
  -e $EXCLUDE_CHECKS \
  -f $REGIONS \
  --log-file prowler-logs-${ACCOUNT_ID}-${TODAY}.log \
  -F prowler-${ACCOUNT_ID}-${TODAY} --log-level ERROR \
  -R arn:aws:iam::$ACCOUNT_ID:role/$ROLENAME \
  -O arn:aws:iam::$PAYER_ID:role/$ROLENAME \
  -D ${OUTPUT_BUCKET} -o prowler-output
```
I could reproduce it, now Prowler correctly retrieves the organizations info from the -R account and not from the original one.
🔝 🔝 🔝
Context

Fix issue where the use of `-R` and `-O` leads to the wrong information being populated in the `OrganizationsInfo` data.

Description

When called with `-R` `current_audit_info.audited_account` is not set until after the audited_account's assume role credentials are fetched and validated. Moving this block of code means Prowler will fetch the right info from the Organizational Management Account.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
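
A minimal model of the ordering problem this PR describes, added here as an illustration and not taken from Prowler's code: `AuditInfo`, `assume_audit_role`, `fetch_organizations_info`, the account IDs and the directory contents are all constructed, and it assumes `audited_account` initially holds the account of the starting credentials. It shows the two call orders side by side and a consistency check that catches mislabelled organization metadata.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for what the management account
# (the -O role) would return for each member account.
ORG_DIRECTORY = {
    "111111111111": {"name": "ci-runner", "email": "ci@example.com"},
    "222222222222": {"name": "prod-payments", "email": "prod@example.com"},
}
CALLER_ACCOUNT = "111111111111"  # account of the credentials the scan starts with
ROLE_ARN = "arn:aws:iam::222222222222:role/ExampleAuditRole"  # the -R role

@dataclass
class AuditInfo:
    audited_account: str
    organizations_info: Optional[dict] = None

def assume_audit_role(info: AuditInfo, role_arn: str) -> None:
    """Model of -R: after the role is assumed and validated, the audited
    account becomes the account that owns the role (ARN field 5)."""
    info.audited_account = role_arn.split(":")[4]

def fetch_organizations_info(info: AuditInfo) -> None:
    """Model of -O: look up metadata for whatever audited_account holds now."""
    entry = ORG_DIRECTORY.get(info.audited_account, {})
    info.organizations_info = {"account_id": info.audited_account, **entry}

def run_before_fix(role_arn: str) -> AuditInfo:
    info = AuditInfo(audited_account=CALLER_ACCOUNT)
    fetch_organizations_info(info)   # too early: still the caller's account
    assume_audit_role(info, role_arn)
    return info

def run_after_fix(role_arn: str) -> AuditInfo:
    info = AuditInfo(audited_account=CALLER_ACCOUNT)
    assume_audit_role(info, role_arn)
    fetch_organizations_info(info)   # audited_account is now the -R account
    return info

def org_info_matches(info: AuditInfo) -> bool:
    """Regression check: metadata must describe the account that was audited."""
    return (info.organizations_info or {}).get("account_id") == info.audited_account

if __name__ == "__main__":
    for label, run in (("before", run_before_fix), ("after", run_after_fix)):
        result = run(ROLE_ARN)
        print(label, result.audited_account, result.organizations_info["name"],
              "consistent" if org_info_matches(result) else "MISMATCH")
```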