
Elasticity Lambda fails to onboard Windows EC2 instances on a secondary AWS account.

Open jcosteatcyberark opened this issue 4 years ago • 0 comments

Summary

Windows instances created on a second AWS account (using execution/assume roles) fail to be onboarded. The function instance_processing::get_instance_password_data is unable to use the assume role provided because of a typo.

The key in acct_b['Credentials'] should be SessionToken, not session_token: https://github.com/cyberark/cyberark-aws-auto-onboarding/blob/674908ca4304f9ead5451fec078fbc93189a3910/src/shared_libraries/instance_processing.py#L57

Steps to Reproduce

Steps to reproduce the behavior:

  1. Create a Windows EC2 instance on account B
  2. Wait for the instance to be running
  3. Check the ElasticityLambda logs on CloudWatch on account A

Expected Results

The Administrator account of the EC2 instance appears in the PVWA.

Actual Results (including error logs, if applicable)

You should see the following error in the Elasticity Lambda's logs:

[ERROR] {<class 'KeyError'>}
[ERROR] Error on getting token from account XXXXXXXXXXXX : 'session_token'

Reproducible

  • [x] Always
  • [ ] Sometimes
  • [ ] Non-Reproducible

Version/Tag number

cyberark/cyberark-aws-auto-onboarding:master

Environment setup

  • Elasticity Lambda in an AWS account A.
  • Windows EC2 instance created in an AWS account B.

jcosteatcyberark, Jan 12 '21 17:01
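
The key mismatch reported above, as an added example that is not the project's own code: the STS AssumeRole response uses PascalCase keys, while boto3 client arguments use snake_case names, which is where the two are easily confused. The response dict is constructed, the helper names are hypothetical, and no AWS call is made.

```python
# Added example: constructed data only, no AWS calls are made.
REQUIRED_KEYS = ("AccessKeyId", "SecretAccessKey", "SessionToken")

# Constructed stand-in for the dict returned by sts.assume_role();
# every value is a placeholder, not a real credential.
acct_b = {
    "Credentials": {
        "AccessKeyId": "ASIA-CONSTRUCTED",
        "SecretAccessKey": "constructed-secret",
        "SessionToken": "constructed-session-token",
        "Expiration": "2021-01-12T18:01:00Z",
    }
}


def buggy_session_token(assume_role_response):
    """Lookup with the key named in the issue; raises KeyError('session_token')."""
    return assume_role_response["Credentials"]["session_token"]


def reproduce_error(assume_role_response):
    """Return the KeyError text as it appears at the end of the log line."""
    try:
        buggy_session_token(assume_role_response)
    except KeyError as exc:
        return str(exc)
    return None


def client_kwargs(assume_role_response):
    """Map STS response keys (PascalCase) to boto3 client kwargs (snake_case)."""
    creds = assume_role_response.get("Credentials", {})
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        # Report key names only, never credential values.
        raise ValueError(f"assume_role response missing keys: {missing}")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


if __name__ == "__main__":
    print(reproduce_error(acct_b))
    print(sorted(client_kwargs(acct_b)))
```

The returned dict can be passed as keyword arguments to `boto3.client("ec2", ...)` in the account that assumed the role.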