
airiam recommend_groups error KeyError: 'airflow'

Open ali0818 opened this issue 3 years ago • 3 comments

Running airiam recommend_groups on a Mac gives this error:

```
INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Reusing local data
INFO:root:Analyzing data for account 051349106950
INFO:root:Using the default UserOrganizer
Traceback (most recent call last):
  File "/usr/local/bin/airiam", line 5, in <module>
    run()
  File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/main.py", line 36, in run
    report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
  File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
    runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
  File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
    simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
  File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
    if PolicyAnalyzer.policy_is_write_access(policy_document):
  File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 56, in policy_is_write_access
    action_map[action_service]['privileges']))
KeyError: 'airflow'
```

ali0818 avatar Oct 14 '21 15:10 ali0818

Hey @ali0818 !

I'm guessing the action_map we have does not have that service yet. It gets updated on another cadence. We can protect from this crash by safely accessing the action_map here: https://github.com/bridgecrewio/AirIAM/blob/ec349e833c6b8c2af04cf8a7b494abc9a4f6d026/airiam/find_unused/PolicyAnalyzer.py#L55

We need to check if the action_service is in the action_map. If it's not - just return a None inside the filter.

We're open to contributions on this!

nimrodkor avatar Oct 14 '21 17:10 nimrodkor
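One way to write the guard described in the comment above, as an added example that is not AirIAM's own code. The layout of `ACTION_MAP`, the `access_level` key and the `(is_write, unknown_services)` return value are assumptions made for illustration; the sample data is constructed. Besides skipping a service prefix that is missing from the map, it returns those prefixes so a stale map does not silently hide permissions from the analysis.

```python
import fnmatch

# Constructed sample data. The nesting and the "access_level" key are
# assumptions; only the ['privileges'] lookup appears in the traceback.
ACTION_MAP = {
    "s3": {"privileges": {
        "GetObject": {"access_level": "Read"},
        "PutObject": {"access_level": "Write"},
    }},
    "iam": {"privileges": {
        "ListUsers": {"access_level": "List"},
        "CreateUser": {"access_level": "Write"},
    }},
}
READ_ONLY_LEVELS = {"Read", "List"}


def _as_list(value):
    # IAM allows a single statement/action or a list of them.
    return value if isinstance(value, list) else [value]


def policy_is_write_access(policy_document, action_map=ACTION_MAP):
    """Return (is_write, unknown_services) for an IAM policy document.

    A service prefix missing from action_map is skipped instead of raising
    KeyError, and is collected so the caller can report it.
    """
    is_write = False
    unknown_services = set()
    for statement in _as_list(policy_document.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action", [])):
            if action == "*":
                is_write = True  # full wildcard covers every write action
                continue
            service, _, name = action.partition(":")
            entry = action_map.get(service.lower())  # safe access
            if entry is None:
                unknown_services.add(service.lower())
                continue
            # IAM action names are case-insensitive and may use * and ?.
            for privilege, meta in entry["privileges"].items():
                if (fnmatch.fnmatchcase(privilege.lower(), name.lower())
                        and meta["access_level"] not in READ_ONLY_LEVELS):
                    is_write = True
    return is_write, unknown_services
```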

Do you have an ETA on this issue? I'm having the same

ops-hummus avatar Nov 10 '21 23:11 ops-hummus

Hey @ops-hummus @ali0818 !

It seems airflow was added to the updating action list managed by our dependency, policy_sentry. You can see it here - https://raw.githubusercontent.com/salesforce/policy_sentry/master/policy_sentry/shared/data/iam-definition.json

Can you validate if this was solved?

nimrodkor avatar Jan 19 '22 16:01 nimrodkor