
Unable to scan accounts in China and Gov Cloud regions due to incorrect region during STS authentication

Open ah-jota opened this issue 1 year ago • 6 comments

Describe the bug

I am unable to run scans against accounts in either the China region or the Gov Cloud region. It appears that the botocore client is not aware, when I use the -r flag to specify regions to scan, that it should also use the proper STS endpoint for authentication. I have confirmed that the AWS credential is valid. I get the following error:

ERROR __main__.py L184: Authentication failure: An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid

Full debug error:

Traceback (most recent call last):
  File "/root/scoutsuite/lib/python3.9/site-packages/ScoutSuite/providers/aws/authentication_strategy.py", line 50, in authenticate
    get_caller_identity(session)
  File "/root/scoutsuite/lib/python3.9/site-packages/ScoutSuite/providers/aws/utils.py", line 10, in get_caller_identity
    identity = sts_client.get_caller_identity()
  File "/root/scoutsuite/lib/python3.9/site-packages/botocore/client.py", line 530, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/root/scoutsuite/lib/python3.9/site-packages/botocore/client.py", line 960, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/scoutsuite/lib/python3.9/site-packages/ScoutSuite/__main__.py", line 184, in _run
    credentials = auth_strategy.authenticate(profile=profile,
  File "/root/scoutsuite/lib/python3.9/site-packages/ScoutSuite/providers/aws/authentication_strategy.py", line 60, in authenticate
    raise AuthenticationException(e)
ScoutSuite.providers.base.authentication_strategy.AuthenticationException: An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid

Command used:

    scout aws -f --profile $AWS_PROFILE --no-browser -r cn-north-1 cn-northwest-1 --debug

ah-jota · May 12 '23 14:05

Looks like this functionality has been removed for some reason? https://github.com/nccgroup/ScoutSuite/commit/d064666f329319fb3d7abd8ce77d9bc13730db32#diff-e6dc934fb9ee5288b8b8d9cbea54281b3ce7b4a73a53943d85e85ffb9c27b01f

ah-jota · May 12 '23 14:05

You can get around this by setting the AWS_DEFAULT_REGION environment variable.

ah-jota · May 15 '23 16:05

@ah-jota - Was your issue resolved? Don't close the issue we need to investigate.

liyun-li · May 16 '23 14:05

Hey @liyun-li ! Nope not considered solved. Just found a clever work around for now. I still think this should be resolved.

ah-jota · May 16 '23 14:05

@ah-jota , is this the solution you take? https://github.com/nccgroup/ScoutSuite/wiki/Amazon-Web-Services#aws-credentials-file

Users requiring authentication against the STS of the China region can accomplish this by adding a new profile as follows:

    [profile profile1]
    region = cn-north-1

michyweb · Jun 28 '23 15:06

Yes that is the workaround I used. I’m okay with it since it works reliably.

ah-jota · Jul 08 '23 03:07
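The underlying cause of the InvalidClientTokenId above is a partition mismatch: access keys issued in the China (aws-cn) or GovCloud (aws-us-gov) partition are only accepted by that partition's STS endpoint, and with no region configured botocore signs GetCallerIdentity against the global commercial endpoint. The following preflight check, an added example that is not ScoutSuite's own code, parses an ~/.aws/config file and tells you whether the profile you are about to hand to `scout aws --profile ... -r ...` resolves to an STS endpoint in the same partition as the regions you want to scan. The partition rules and the `[profile NAME]` layout are the documented AWS ones; the function names and the sample config are assumptions constructed for the example.

```python
"""Preflight for the workaround in this thread: a profile used for China or
GovCloud scans must carry a `region` (or AWS_DEFAULT_REGION must be set) in
the same partition as the regions passed to `scout aws -r`.
Added example, not ScoutSuite code; function names are assumptions."""
import configparser

# Region prefix -> (partition name, DNS suffix), per AWS partition documentation.
PARTITIONS = (
    ("cn-", "aws-cn", "amazonaws.com.cn"),
    ("us-gov-", "aws-us-gov", "amazonaws.com"),
)


def partition_for(region):
    """Partition and DNS suffix for a region; anything else is commercial 'aws'."""
    for prefix, partition, suffix in PARTITIONS:
        if region.startswith(prefix):
            return partition, suffix
    return "aws", "amazonaws.com"


def sts_endpoint(region):
    """STS endpoint a session signs GetCallerIdentity against.
    No configured region means the global commercial endpoint, which is the
    failure mode reported above when the keys belong to aws-cn or aws-us-gov."""
    if not region:
        return "https://sts.amazonaws.com"
    _, suffix = partition_for(region)
    return f"https://sts.{region}.{suffix}"


def load_profiles(config_text):
    """Parse ~/.aws/config text: a '[default]' section plus '[profile NAME]' sections.
    Returns {profile_name: region_or_None}."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = parser.get(section, "region", fallback=None)
    return profiles


def preflight(config_text, profile, scan_regions):
    """Check that `profile` can authenticate for a scan of `scan_regions`.
    Returns {'ok', 'sts_endpoint', 'hint'}; the hint says how to fix a failure."""
    profiles = load_profiles(config_text)
    if profile not in profiles:
        return {"ok": False, "sts_endpoint": None, "hint": f"profile {profile!r} not found"}
    wanted = {partition_for(r)[0] for r in scan_regions}
    if len(wanted) != 1:
        return {"ok": False, "sts_endpoint": None,
                "hint": f"scan regions span partitions {sorted(wanted)}; run one partition per scan"}
    want = wanted.pop()
    region = profiles[profile]
    have = partition_for(region)[0] if region else "aws"
    endpoint = sts_endpoint(region)
    if have != want:
        section = "default" if profile == "default" else f"profile {profile}"
        return {"ok": False, "sts_endpoint": endpoint,
                "hint": f"add 'region = {scan_regions[0]}' under [{section}] "
                        f"or export AWS_DEFAULT_REGION={scan_regions[0]}"}
    return {"ok": True, "sts_endpoint": endpoint, "hint": ""}


# Constructed sample config (not a real file); it holds no credentials, only regions.
SAMPLE_CONFIG = """
[default]
output = json

[profile china-noregion]
output = json

[profile china]
region = cn-north-1

[profile govcloud]
region = us-gov-west-1
"""

if __name__ == "__main__":
    for prof, regions in (("china", ["cn-north-1", "cn-northwest-1"]),
                          ("china-noregion", ["cn-north-1", "cn-northwest-1"]),
                          ("govcloud", ["us-gov-west-1"]),
                          ("default", ["us-east-1"])):
        print(prof, preflight(SAMPLE_CONFIG, prof, regions))
```

To confirm what botocore will actually use for a profile, build a session without making a network call and read `boto3.session.Session(profile_name="china").client("sts").meta.endpoint_url`; it should match the endpoint the preflight reports. Note that the `[profile NAME]` header form belongs to ~/.aws/config, while ~/.aws/credentials uses a bare `[NAME]` header, so a `region` line put in the credentials file under `[profile NAME]` will not be picked up.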