Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Assumed role not used for pricing actions #160

Open
vytautaskubilius opened this issue Dec 17, 2020 · 1 comment
Open

Assumed role not used for pricing actions #160

vytautaskubilius opened this issue Dec 17, 2020 · 1 comment
Labels
kind/bug Something isn't working

Comments

@vytautaskubilius
Copy link

What happened:
When the Finala Docker container is configured to assume a cross-account IAM role, the role is only assumed for reading the resources (i.e. the ReadOnlyAccess policy), but not the pricing:* actions (i.e. the AWSPriceListServiceFullAccess policy).

What you expected to happen:
The assumed role is used for all actions.

How to reproduce it (as minimally and precisely as possible):

  1. Have two AWS accounts (I'll call them local and remote, where local has Finala deployed, and remote is the account Finala scans).
  2. On the local account create an IAM role allow-assume-role that has just a single permission for the sts:AssumeRole action (with * as Resource to keep it simple).
  3. On the remote account create a cross-account IAM role finala-cross-account which trusts the local account, and attach the ReadOnlyAccess and AWSPriceListServiceFullAccess policies to it.
  4. Generate temporary credentials using the allow-assume-role role - aws sts assume-role --role-arn "arn:aws:iam::111111111111:role/allow-assume-role" --role-session-name "test-assume".
  5. Add the temporary credentials to docker-compose.yaml:
  collector:
      <truncated>
      environment:
        - AWS_ACCESS_KEY_ID=access_key_id_here
        - AWS_SECRET_ACCESS_KEY=secret_key_here
        - AWS_SESSION_TOKEN=session_token_here
  1. Add the finala-cross-account role to configuration/collector.yaml:
providers:
  aws:
    accounts:
        <truncated>
        role: arn:aws:iam::222222222222:role/finala-cross-account
  1. Start Finala with docker-compose up.
  2. You will see in the logs that the collector starts as expected, and no errors are produced when analyzing the resources:
collector_1      | time="2020-12-17T10:49:54Z" level=warning msg="setting logging level" fields.level=info
collector_1      | time="2020-12-17T10:49:54Z" level=info msg="generate collector execution id" id=general_1608202194
collector_1      | time="2020-12-17T10:49:54Z" level=info msg="auth: using aws role" region=
collector_1      | time="2020-12-17T10:49:54Z" level=info msg="auth: using aws role" region=us-east-1
collector_1      | time="2020-12-17T10:49:54Z" level=info msg="auth: using aws role" region=us-east-1
collector_1      | time="2020-12-17T10:49:55Z" level=info msg="starting to analyze resource" region=us-east-1 resource=documentDB
collector_1      | time="2020-12-17T10:49:57Z" level=info msg="starting to analyze resource" region=us-east-1 resource=ec2_volume
collector_1      | time="2020-12-17T10:49:59Z" level=info msg="analyzing resource" region=us-east-1 resource=kinesis
collector_1      | time="2020-12-17T10:50:01Z" level=info msg="Amount of streams" streams_count=0

However, errors similar to the one below can be seen when it tries to perform any pricing action:

collector_1      | time="2020-12-17T10:50:02Z" level=error msg="could not describe pricing product" error="AccessDeniedException: User: <redacted> is not authorized to perform: pricing:GetProducts\n\tstatus code: 400, request id: e3b83592-f6c8-4a71-a287-a72830d399a7" search_query="{\n  Filters: [{\n      Field: \"productFamily\",\n      Type: \"TERM_MATCH\",\n      Value: \"Kinesis Streams\"\n    },{\n      Field: \"group\",\n      Type: \"TERM_MATCH\",\n      Value: \"Provisioned shard hour\"\n    },{\n      Field: \"location\",\n      Type: \"TERM_MATCH\",\n      Value: \"US East (N. Virginia)\"\n    }],\n  ServiceCode: \"AmazonKinesis\"\n}"
collector_1      | time="2020-12-17T10:50:02Z" level=error msg="Could not get shard price" error="AccessDeniedException: User: <redacted> is not authorized to perform: pricing:GetProducts\n\tstatus code: 400, request id: e3b83592-f6c8-4a71-a287-a72830d399a7"

Anything else we need to know?:
The errors can be avoided if the AWSPriceListServiceFullAccess policy is attached to the allow-assume-role role instead of the finala-cross-account role. I first discovered this issue when deploying Finala using the Helm chart into an EKS cluster that runs in one of our AWS accounts, and needs to scan a number of other ("remote") accounts.

Environment:

  • Finala version: v0.4.0
  • Cloud provider or hardware configuration: AWS EKS in production, Docker 20.10.0 in local reproduction.
  • OS (e.g: cat /etc/os-release):
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.9.6
PRETTY_NAME="Alpine Linux v3.9"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
  • Kernel (e.g. uname -a): Linux 1d47d5c68b49 4.19.121-linuxkit #1 SMP Tue Dec 1 17:50:32 UTC 2020 x86_64 Linux
  • Install tools: docker-compose, Helm chart
  • Network plugin and version (if this is a network-related bug): N/A
  • Others: N/A
@vytautaskubilius vytautaskubilius added the kind/bug Something isn't working label Dec 17, 2020
@cregev
Copy link
Contributor

cregev commented Dec 17, 2020

@vytautaskubilius thank you for adding this issue , @kaplanelad and I will take a look at this ... and let you know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cregev @vytautaskubilius