Allow passing a roleArn and externalId when using ENV

Open rbclark opened this issue 1 year ago • 5 comments

Changes/solution

I currently have a situation where I am using AWS built-in metadata to scan across multiple environments. In this situation I need to assume a cross-account role in order to scan the account. This small change allows this to happen.

Testing

I ran this locally both with and without the role assigned and received different results.

Dependencies

N/A

rbclark avatar Sep 25 '23 18:09 rbclark

Thanks for the PR! Can you open this against our alpha branch so it can go through our release process?

tyler-dunkel avatar Sep 25 '23 20:09 tyler-dunkel

@m-pizarro please take a look at this one as well.

tyler-dunkel avatar Oct 17 '23 20:10 tyler-dunkel

@rbclark sorry we took so long to take a look at this. I think this is ok to merge after the conflicts are resolved if you still need this functionality.

tyler-dunkel avatar Nov 10 '23 15:11 tyler-dunkel

@tyler-dunkel I just had the chance to test it. It works well for me.

m-pizarro avatar Nov 10 '23 20:11 m-pizarro

@tyler-dunkel I've gone ahead and rebased this so it should be ready to go.

It turns out my use case ended up being slightly more complicated, so I have a patched version that I am running. The issue I ran into is that my scanner runs on ECS instead of EC2. In order to fetch the credentials I need, I've had to do the following. If you don't have objections, I could go ahead and put up a PR to support this use case as well?

```typescript
import AWS from 'aws-sdk';

// Fetch the task's credentials from the ECS container metadata endpoint and use
// them as the base credentials for the cross-account AssumeRole call.
// `role`, `externalId`, `rejectConfig` and `this.logger` come from the surrounding
// provider code and are not part of this snippet.
const metadataCredentials = new AWS.ECSCredentials();

metadataCredentials.get(async (err: any) => {
  if (err) {
    this.logger.error('Failed to retrieve credentials from container metadata.');
    this.logger.debug(err);
    return rejectConfig(err);
  }

  const baseCredentials = {
    accessKeyId: metadataCredentials.accessKeyId,
    secretAccessKey: metadataCredentials.secretAccessKey,
    sessionToken: metadataCredentials.sessionToken,
  };

  const sts = new AWS.STS({ credentials: baseCredentials });
  const assumeRoleOptions = {
    RoleSessionName: 'CloudGraph',
    RoleArn: role,
    // Only send ExternalId when one was configured.
    ...(externalId && { ExternalId: externalId }),
  };

  sts.assumeRole(assumeRoleOptions, (assumeErr, data) => {
    if (assumeErr) {
      this.logger.error(`Failed to assume role using ARN: ${role}`);
      this.logger.debug(assumeErr);
      return rejectConfig(assumeErr);
    }

    // The snippet in the comment ends here; `data.Credentials` holds the
    // temporary credentials for the assumed role.
  });
});
```

rbclark avatar Nov 27 '23 18:11 rbclark
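The role-assumption step from the comment above, as an added example that is not part of the PR or of CloudGraph's own code: it builds the AssumeRole parameters from environment-style input (the variable names CG_ROLE_ARN and CG_EXTERNAL_ID are assumed, not the project's), validates the role ARN, refuses a cross-account role that has no ExternalId, and wraps the SDK v2 callback in a promise against an injected STS client so it can run offline.

```javascript
// Added example, not CloudGraph's own code: builds the AssumeRole parameters from
// environment-style input and calls an injected AWS SDK v2-style STS client, so the
// flow above runs offline. CG_ROLE_ARN / CG_EXTERNAL_ID are hypothetical names.
const ROLE_ARN_RE = /^arn:aws(?:-[a-z]+)*:iam::(\d{12}):role\/[\w+=,.@\/-]+$/;

// null when no role is configured (keep the task/instance credentials), otherwise the
// sts.assumeRole parameters. A cross-account role without an ExternalId is rejected:
// the ExternalId is the confused-deputy guard, so it is required when accounts differ.
function buildAssumeRoleParams(env, callerAccountId) {
  const roleArn = env.CG_ROLE_ARN;
  if (!roleArn) return null;
  const match = ROLE_ARN_RE.exec(roleArn);
  if (!match) throw new Error(`Invalid IAM role ARN: ${roleArn}`);
  const externalId = env.CG_EXTERNAL_ID;
  if (callerAccountId && match[1] !== callerAccountId && !externalId) {
    throw new Error(`Cross-account role ${roleArn} requires CG_EXTERNAL_ID`);
  }
  return {
    RoleSessionName: 'CloudGraph',
    RoleArn: roleArn,
    ...(externalId && { ExternalId: externalId }), // same idiom as the comment above
  };
}

// Promise wrapper over the callback-style sts.assumeRole(params, cb), mapping the
// response into the credentials shape the SDK accepts as `credentials`.
function assumeScanRole(sts, params) {
  return new Promise((resolve, reject) => {
    sts.assumeRole(params, (err, data) => {
      if (err) return reject(err);
      const c = data.Credentials;
      resolve({ accessKeyId: c.AccessKeyId, secretAccessKey: c.SecretAccessKey,
                sessionToken: c.SessionToken, expiration: c.Expiration });
    });
  });
}

// Constructed stand-in for AWS.STS so the example runs offline; it only checks ExternalId.
function fakeSts(expectedExternalId) {
  return {
    assumeRole(params, cb) {
      if (expectedExternalId && params.ExternalId !== expectedExternalId) {
        return cb(new Error('AccessDenied: ExternalId does not match trust policy'));
      }
      cb(null, { Credentials: { AccessKeyId: 'ASIAEXAMPLE', SecretAccessKey: 'secret',
                                SessionToken: 'token', Expiration: new Date(0) } });
    },
  };
}
```

With a real client, pass `new AWS.STS({ credentials: baseCredentials })` in place of `fakeSts(...)`; the parameter object is the same one the comment's snippet sends.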