pacu iam__backdoor_assume_role overwrites IAM boto client object when user arn is not specified

iam__backdoor_assume_role overwrites IAM boto client object when user arn is not specified

Open ishmandoo opened this issue 3 years ago • 1 comments

It looks like this line is looking for an IAM boto client object. However, client gets overwritten with an STS boto client on line 80 if a user arn is not specified.

https://github.com/RhinoSecurityLabs/pacu/blob/e95b3ff2898b4954fe61411b314414b33e1f5750/pacu/modules/iam__backdoor_assume_role/main.py#L105

The result is an error like this: <class 'AttributeError'>: 'STS' object has no attribute 'update_assume_role_policy'

Sep 08 '21 17:09 ishmandoo

I just put up a PR proposing a fix: #304

Sep 11 '21 14:09 ishmandoo

Looks like this was merged and fixed

Apr 20 '23 16:04 DaveYesland

pacu pacu copied to clipboard

iam__backdoor_assume_role overwrites IAM boto client object when user arn is not specified

pacu
pacu copied to clipboard