
aws_account_contact table doesn't properly AssumeRole

Open jchrisfarris opened this issue 1 year ago • 0 comments

Describe the bug

When running this query against a connection configured to use a RoleArn:

[ec2-user@ip-10-64-10-116 ~]$ ./steampipe query
Welcome to Steampipe v0.16.4
For more information, type .help
> select
  full_name,
  company_name,
  city,
  phone_number,
  postal_code,
  state_or_region,
  website_url
from
  aws_linuxshowcase.aws_account_contact;
Error: operation error Account: GetContactInformation, exceeded maximum number of attempts, 9, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, operation error STS: AssumeRole, exceeded maximum number of attempts, 9, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.Account.amazonaws.com/": dial tcp: lookup sts.Account.amazonaws.com on 10.64.0.2:53: no such host (SQLSTATE HV000)

Time: 2,518.5s.

It appears the service, Account, has been substituted where a region, us-east-1, would be expected in the endpoint sts.Account.amazonaws.com.

Steampipe version (steampipe -v): steampipe version 0.16.4

Plugin version (steampipe plugin list): hub.steampipe.io/plugins/turbot/aws@latest | 0.79.1

To reproduce

See Query above. Config files:

SPC:

connection "aws_linuxshowcase" {
  plugin  = "aws"
  profile = "linuxshowcase"
  regions = ["*"]
  options "connection" {
    cache     = true # true, false
    cache_ttl = 3600 # expiration (TTL) in seconds
  }
}

~/.aws/config/:

# linuxshowcase
[profile linuxshowcase]
role_arn = arn:aws:iam::<redacted>:role/pht-audit
credential_source = Ec2InstanceMetadata
role_session_name = steampipe

Expected behavior

The STS call should be going to sts.us-east-1.amazonaws.com and not sts.Account.amazonaws.com

Additional context

AWS CLI Command Works:

[ec2-user@ip-10-64-10-116 ~]$ aws account get-contact-information --profile linuxshowcase
{
    "ContactInformation": {
        "AddressLine1": "<redacted>",
        "City": "<redacted>",
        "CompanyName": "<redacted>",
        "CountryCode": "US",
        "FullName": "linuxshowcase",
        "PhoneNumber": ".<redacted>",
        "PostalCode": "<redacted>",
        "StateOrRegion": "GA"
    }
}

jchrisfarris, Oct 18 '22 18:10
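
An added example, not part of the original issue and not code from Steampipe or the AWS plugin: a small Go check that pulls the STS host out of an error like the one reported above and tests whether the label sitting in the region position is shaped like a region. The region pattern and the names `CheckSTSEndpoints` and `Finding` are assumptions made for illustration; only `sts.amazonaws.com` and `sts.<label>.amazonaws.com` hosts are handled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed shape of AWS region names (us-east-1, us-gov-west-1); not an official grammar.
var regionRe = regexp.MustCompile(`^[a-z]{2}(-[a-z]+)+-[0-9]+$`)

// Host part of any https URL quoted in the error text, e.g. Post "https://host/".
var hostRe = regexp.MustCompile(`"https://([A-Za-z0-9.-]+)[/"]`)

// Finding is one STS endpoint seen in an error message.
type Finding struct {
	Host  string
	Label string // text in the region position; empty for the global endpoint
	Valid bool   // true when Label is empty or is shaped like a region
}

// CheckSTSEndpoints reports every sts.[label.]amazonaws.com host quoted in errText.
func CheckSTSEndpoints(errText string) []Finding {
	var out []Finding
	for _, m := range hostRe.FindAllStringSubmatch(errText, -1) {
		p := strings.Split(m[1], ".")
		switch {
		case len(p) == 3 && p[0] == "sts" && p[1] == "amazonaws" && p[2] == "com":
			out = append(out, Finding{Host: m[1], Valid: true}) // global endpoint
		case len(p) == 4 && p[0] == "sts" && p[2] == "amazonaws" && p[3] == "com":
			out = append(out, Finding{Host: m[1], Label: p[1], Valid: regionRe.MatchString(p[1])})
		}
	}
	return out
}

// Error text from the issue (shortened) and a constructed healthy counterpart.
const issueErr = `operation error STS: AssumeRole, request send failed, Post "https://sts.Account.amazonaws.com/": dial tcp: lookup sts.Account.amazonaws.com on 10.64.0.2:53: no such host`
const healthyErr = `constructed sample: Post "https://sts.us-east-1.amazonaws.com/": context deadline exceeded`

func main() {
	for _, e := range []string{issueErr, healthyErr} {
		for _, f := range CheckSTSEndpoints(e) {
			fmt.Printf("%s label=%q region-shaped=%v\n", f.Host, f.Label, f.Valid)
		}
	}
}
```

Run against a log of failed queries, a `Valid: false` finding separates a malformed endpoint like this one from ordinary network or DNS failures against a correctly formed regional host.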